Solved

CA WebEnrollment /CertSrv throwing 403.14

Posted on 2010-11-18
10,940 Views
Last Modified: 2012-05-10
We have a Windows 2008 Ent SP2-host running as a CA. The CA part works fine but Web Enrollment just won't work.

When connecting to http://localhost/ it shows the default "Welcome IIS7" page, so I know IIS is running. I am also able to download the crt/crl files in http://localhost/CertSrv/certenroll/. However, when connecting to http://localhost/CertSrv/ I can authenticate but am met with:
HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory.

and:
A default document is not configured for the requested URL, and directory browsing is not enabled on the server.


I have tried...
C:\>certutil -vroot
Web Virtual Root Already Exists
Active Server Pages (ASP) already enabled
File Share Already Exists
CertUtil: -vroot command completed successfully.

...and I can't see anything out of the ordinary regarding the event logs or services.

Any pointers for where to look?
Question by:NordCap

Accepted Solution by: Adam Brown (earned 250 total points)
First off, check to make sure you have all the Role Services you need installed. Also check to make sure that the default.asp file is located in C:\Windows\System32\CertSrv\en-US. If there is no default.asp file listed in that folder, you probably need to re-install Certificate Services on the server.

Author Comment by: NordCap
I checked the role services for "Active Directory Certificate Services" of which these are installed:
1) Certificate Authority
2) Certificate Authority Web Enrollment

For "Web Server (IIS)" there are 24 role services installed. No events or errors from what I can see. Also, I uninstalled and re-installed "Web Server (IIS)" and the needed Role Services in hopes it would fix the problem.

Regarding C:\Windows\System32\CertSrv\en-US\default.asp: it sure is there, 4359 bytes in size.

How would I proceed now?

Expert Comment by: Boilermaker85
Have you verified you are using pass-through authentication? See the screenshot "Authentication for Certsrv".

Author Comment by: NordCap
@Boilermaker85: How do I verify that? I can't seem to find any window resembling the one you've attached.

Expert Comment by: Boilermaker85
That is the authentication icon in IIS for the website Certsrv.  

By the way, you are doing https://ca/certsrv and trying to obtain what kind of certificate? The templates for each certificate have a Security tab which specifies who can web enroll for a particular cert. If you are doing web server requests, you probably need to be a domain admin.

Expert Comment by: Adam Brown
Click on the CertSrv site in IIS and then open the Default Document in Features View. Make sure default.asp is listed in there.

Expert Comment by: Paranormastic
Try accessing from another box instead of locally to see if that helps. You may be running into issues with loopback authentication:

http://weblogs.asp.net/andresv/archive/2009/10/29/authentication-problems-in-windows-2008-r2-and-loopback-ip.aspx
http://support.microsoft.com/kb/887993

Author Comment by: NordCap
@Boilermaker85: When looking at Authentication settings for CertSrv I can only see:
Anonymous Authentication: Disabled
Windows Authentication: Enabled, HTTP 401 Challenge

No mention of pass-through as far as I can see. Also, I'm using the domain admin account when logging on to make sure I have sufficient permissions. I've tried both IE and FF, using DOMAIN\Administrator and administrator@domain.local. Makes no difference.


@acbrown2010: Default.asp is listed as the second entry from the top. So yes, it is there.


@Paranormastic: I've tried connecting from a client using the local FQDN as well, the result is the same.

Expert Comment by: Boilermaker85
OK. Let's start at the beginning. Open an MMC. Add the Certificate Authority snap-in for your CA and click on the Certificate Templates folder on the left. Right-click on it and select Manage. Another window will open up with all your templates. Select the template you are trying to web enroll. Let's assume it is the Web Server. Right-click on the template and choose Properties. On the Security tab click on the user representing you (Domain Admins). In the window below, you should have Enroll checked.

Expert Comment by: Boilermaker85
Did you create the template that you are trying to enroll? If so, perhaps we could go over what you have on the other tabs in the template.

Author Comment by: NordCap
@Boilermaker85: Domain Admins have enroll rights on all templates, so I don't see that being an issue. Also, I can never reach the point where I can choose a template to enroll. I can't even see Default.asp, which is connected to IIS rather than the CA part.

Expert Comment by: Boilermaker85
OK. So it is not a cert template issue; you believe it to be an IIS issue. OK. Let's look at Server Manager, Roles, Web Server, Internet Information Services Manager, expand Sites and Default Web Site. Highlight Certsrv. Double-click Default Document in the /certsrv Home pane. I have Default.asp as the top document, followed by Default.htm, index.htm, etc. Do you also have that?

Assisted Solution by: Boilermaker85 (earned 250 total points)
And if you switch to Content View at the bottom, then select the default.asp file and click Edit Permissions on the right, does it show localmachine\administrators and localmachine\users both have Read and Execute rights? If yes, then open up Server Manager, Configuration, Local Users and Groups, and look at the two groups Administrators and Users and make sure they have the domain equivalents in there (domain\administrators and domain\users respectively).

Author Comment by: NordCap
Default.asp is not the top one, Default.htm is, and the order is inherited from a parent. I did take a look at /CertSrv and there was no Default.asp there. However, there was one in /CertSrv/en-US, so I tried connecting to /CertSrv/en-US and it worked like a charm.

I've never had to access the /CertSrv/en-US directory before. Is this something new, or is the redirection for /CertSrv -> /CertSrv/en-US broken?

Author Comment by: NordCap
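The checks the thread converged on (where certutil -vroot pointed the CertSrv virtual directory, whether default.asp is in that folder or only in en-US, the effective default-document order, and the authentication settings) can be run in one go. The script below is an added example written for this page, not code from the thread or from Microsoft. It assumes IIS 7 on Windows Server 2008/2008 R2 with the WebAdministration PowerShell module or snap-in available, the default site and vdir names "Default Web Site" and "CertSrv", and a hypothetical -Fix switch that does what Adam Brown suggested: put Default.asp at the top of the list for that vdir.

```powershell
# Check-CertSrv.ps1 (assumed name): diagnose an IIS 7 /CertSrv vdir that
# answers HTTP 403.14. Added example, not the thread's own code.
# Assumes: IIS 7, WebAdministration module/snap-in, elevated PowerShell.
param(
    [string]$SiteName = "Default Web Site",
    [string]$VDirName = "CertSrv",
    [switch]$Fix   # assumed option: move Default.asp to the top of the list
)

if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration            # Windows Server 2008 R2
} else {
    Add-PSSnapin WebAdministration -ErrorAction Stop   # 2008 snap-in
}

$psPath = "IIS:\Sites\$SiteName\$VDirName"

# 1. The vdir (or application) that 'certutil -vroot' created, and its disk path.
$node = Get-WebVirtualDirectory -Site $SiteName -Name $VDirName
if (-not $node) { $node = Get-WebApplication -Site $SiteName -Name $VDirName }
if (-not $node) {
    throw "No '$VDirName' under '$SiteName'. Run: certutil -vroot"
}
$physical = [Environment]::ExpandEnvironmentVariables($node.physicalPath)
Write-Host "Physical path      : $physical"

# 2. Is default.asp in the vdir root, or only in the en-US locale folder?
#    A page that exists only in en-US explains a 403.14 on /CertSrv itself.
foreach ($dir in @($physical, (Join-Path $physical "en-US"))) {
    $asp   = Join-Path $dir "default.asp"
    $state = if (Test-Path $asp) { "present" } else { "MISSING" }
    Write-Host ("default.asp        : {0,-50} {1}" -f $asp, $state)
}

# 3. Effective default-document list for the vdir, in evaluation order.
#    Entries inherited from the parent site (Default.htm, ...) are included.
$docs = @(Get-WebConfiguration -Filter "system.webServer/defaultDocument/files/add" `
            -PSPath $psPath | ForEach-Object { $_.value })
Write-Host "Default documents  : $($docs -join ', ')"

$browse = Get-WebConfigurationProperty -Filter "system.webServer/directoryBrowse" `
            -PSPath $psPath -Name enabled
Write-Host "Directory browsing : $($browse.Value)"

# 4. Authentication as the thread checked it (Windows on, Anonymous off).
foreach ($mode in "anonymousAuthentication", "windowsAuthentication") {
    $p = Get-WebConfigurationProperty -PSPath $psPath -Name enabled `
            -Filter "system.webServer/security/authentication/$mode"
    Write-Host ("{0,-24}: {1}" -f $mode, $p.Value)
}

# 5. Optional fix: make Default.asp the first default document for this vdir
#    so IIS tries it before the inherited Default.htm and the rest.
if ($Fix) {
    $filter = "system.webServer/defaultDocument/files"
    if ($docs -contains "Default.asp") {            # -contains is case-insensitive
        Remove-WebConfigurationProperty -Filter $filter -PSPath $psPath `
            -Name "." -AtElement @{value = "Default.asp"}
    }
    Add-WebConfigurationProperty -Filter $filter -PSPath $psPath `
        -Name "." -Value @{value = "Default.asp"} -AtIndex 0
    Write-Host "Default.asp is now first in the default document list for $psPath"
}
```

Run it from an elevated PowerShell on the CA (`.\Check-CertSrv.ps1`, then `.\Check-CertSrv.ps1 -Fix` once you have confirmed default.asp actually exists in the vdir's physical path). Reordering the list only helps when default.asp sits in the folder the vdir points at; if, as in this thread, the file is only under en-US, the list is not the problem. If you instead follow the author's route and configure an HTTP redirect on /CertSrv to /CertSrv/en-US/, be aware that the en-US subfolder inherits that redirect unless it is overridden there, which would send /CertSrv/en-US/ back to itself.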
I solved it by doing a redirect from the root to CertSrv/en-US/.

Expert Comment by: Boilermaker85
I don't know why yours has a subdirectory en-US for the default.asp file. Mine is in the /certsrv directory. But your redirect works also.