NordCap
asked on
CA WebEnrollment /CertSrv throwing 403.14
We have a Windows 2008 Ent SP2-host running as a CA. The CA part works fine but Web Enrollment just won't work.
When connecting to http://localhost/ it shows the default "Welcome II7"-page, so I know IIS is running. I am also able download the crt/crl-files in http://localhost/CertSrv/certenroll/. However, when connecting to http://localhost/CertSrv/ I can authenticate but am met with:
HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory.
and:
A default document is not configured for the requested URL, and directory browsing is not enabled on the server.
I have tried...
C:\>certutil -vroot
Web Virtual Root Already Exists
Active Server Pages (ASP) already enabled
File Share Already Exists
CertUtil: -vroot command completed successfully.
...and I can't see anything out of the ordinary regarding the event logs or services. Any pointers for where to look?
ASKER CERTIFIED SOLUTION
ASKER
@Boilermaker85: How do I verify that? I can't seem to find any window resembling the one you've attached.
That is the authentication icon in IIS for the website Certsrv.
By the way, you are doing https://ca/certsrv and trying to obtain what kind of certificate? The templates for each certificate have a Security tab which specifies who can web enroll for a particular cert. If you are doing web server requests, you probably need to be domain admin.
Click on the CertSrv site in IIS and then open the Default Document in Features View. Make sure default.asp is listed in there.
Try accessing from another box instead of locally to see if that helps. You may be running into issues with loopback authentication:
http://weblogs.asp.net/andresv/archive/2009/10/29/authentication-problems-in-windows-2008-r2-and-loopback-ip.aspx
http://support.microsoft.com/kb/887993
ASKER
@Boilermaker86: When looking at Authentication settings for CertSrv I can only see:
Anonymous Authentication: Disabled
Windows Authentication: Enabled, HTTP 401 Challenge
No mention of pass-through as far as I can see. Also, I'm using the domain admin account when logging on to make sure I have sufficient permissions. I've tried both IE and FF, using DOMAIN\Administrator and administrator@domain.local. Makes no difference.
@acbrown2010: Default.asp is listed as the second entry from the top. So yes, it is there.
@Paranormastic: I've tried connecting from a client using the local FQDN as well, the result is the same.
OK. Let's start at the beginning. Open an MMC. Add the Certification Authority snap-in for your CA and click on the Certificate Templates folder on the left. Right-click on it and select Manage. Another window will open up with all your templates. Select the template you are trying to web enroll. Let's assume it is the Web Server. Right-click on the template and choose Properties. On the Security tab click on the user representing you (Domain Admins). In the window below you should have Enroll checked.
Did you create the template that you are trying to enroll? If so, perhaps we could go over what you have on the other tabs in the template.
ASKER
@Boilermaker85: Domain Admins have enroll rights on all templates so I don't see that being an issue. Also, I can never reach the point where I can choose a template to enroll. I can't even see Default.asp, which is connected to IIS rather than the CA-part.
OK. So it is not a cert template issue; you believe it to be an IIS issue. OK. Let's look at Server Manager, Roles, Web Server, Internet Information Services Manager, expand Sites and Default Web Site. Highlight CertSrv. Double-click Default Document in the /certsrv Home pane. I have Default.asp as the top document, followed by Default.htm, index.htm, etc. Do you also have that?
SOLUTION
ASKER
Default.asp is not the top one, Default.htm is and the order is inherited by a parent. I did take a look at /CertSrv and there was no Default.asp there. However, there was one in /CertSrv/en-US so I tried connecting to /CertSrv/en-US and it worked as a charm.
I've never had to access the /CertSrv/en-US-directory before. Is this something new or is the redirection for /CertSrv -> /CertSrv/en-US broken?
ASKER
I solved it by doing a redirect from the root to CertSrv/en-US/.
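As an added example (not code from the thread or from any of the posters), the following PowerShell script wraps appcmd.exe to do what Boilermaker85 and acbrown2010 asked for by hand (dump the effective Default Document, authentication and directory-browsing settings for /CertSrv), to locate where default.asp actually sits on disk, and then to apply either of the two fixes the thread arrives at: putting default.asp at the head of the default-document list, or redirecting /CertSrv to /CertSrv/en-US/. It assumes IIS 7.x, the certutil -vroot defaults for the application path ("Default Web Site/CertSrv") and physical folder (%windir%\System32\CertSrv), and, for the redirect, that the HTTP Redirection role service is installed; the function names are my own.

```powershell
# Added example, not from the thread. Diagnose the 403.14 on /CertSrv and apply one of
# the two fixes discussed above using appcmd.exe (IIS 7.x). Run from an elevated prompt.
# Assumptions: the Web Enrollment vroot is "Default Web Site/CertSrv" and its physical
# folder is %windir%\System32\CertSrv (both are the certutil -vroot defaults).
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$appPath  = 'Default Web Site/CertSrv'                 # assumption: default vroot name
$physical = Join-Path $env:windir 'System32\CertSrv'   # assumption: default physical path

function Show-CertSrvConfig {
    # Effective default-document list for /CertSrv. IIS serves the first entry that exists
    # on disk; if none exists and directory browsing is off, the answer is exactly 403.14.
    & $appcmd list config $appPath /section:system.webServer/defaultDocument
    & $appcmd list config $appPath /section:system.webServer/directoryBrowse
    # Authentication as reported in the thread: anonymous off, Windows auth on.
    & $appcmd list config $appPath /section:system.webServer/security/authentication/anonymousAuthentication
    & $appcmd list config $appPath /section:system.webServer/security/authentication/windowsAuthentication
}

function Find-DefaultAsp {
    # Lists every default.asp below the CertSrv physical folder. On the asker's host it was
    # only in the en-US subfolder, so nothing in the default-document list matched at the root.
    Get-ChildItem -Path $physical -Filter 'default.asp' -Recurse -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

function Set-DefaultAspFirst {
    # Fix A: when default.asp does sit in the vroot, move it to the head of the list so the
    # Default.htm-first ordering inherited from the parent site no longer matters.
    # The remove step clears an existing entry (appcmd reports "not found" if there is none);
    # /commit:apphost writes a <location> into applicationHost.config instead of dropping a
    # web.config into System32\CertSrv.
    & $appcmd set config $appPath /section:system.webServer/defaultDocument `
        /-"files.[value='default.asp']" /commit:apphost
    & $appcmd set config $appPath /section:system.webServer/defaultDocument `
        /+"files.[@start,value='default.asp']" /commit:apphost
}

function Set-EnUsRedirect {
    # Fix B (what the asker did): send /CertSrv to /CertSrv/en-US/. Needs the "HTTP
    # Redirection" role service. httpRedirect is inherited by every child URL, so without the
    # two overrides below the en-US pages themselves, and the CRL/CRT files under certenroll,
    # would also redirect and the browser would loop.
    & $appcmd set config $appPath /section:system.webServer/httpRedirect `
        /enabled:"True" /destination:"/CertSrv/en-US/" /exactDestination:"True" `
        /httpResponseStatus:"Found" /commit:apphost
    foreach ($child in @('en-US', 'certenroll')) {
        & $appcmd set config "$appPath/$child" /section:system.webServer/httpRedirect `
            /enabled:"False" /commit:apphost
    }
}

# Usage: diagnose first, then pick exactly one fix.
Show-CertSrvConfig
Find-DefaultAsp
# Set-DefaultAspFirst   # default.asp is in the vroot, just not first in the list
# Set-EnUsRedirect      # default.asp exists only under en-US, as in this thread
```

Either fix keeps directoryBrowse disabled and anonymous authentication off on /CertSrv; the 403.14 is IIS refusing to enumerate the folder, and enabling directory browsing to make the error go away would expose the enrollment directory listing rather than fix the missing default document.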
I don't know why yours has a subdirectory en-US for the default.asp file. Mine is in the /certsrv directory. But your redirect works also.
ASKER
1) Certificate Authority
2) Certificate Authority Web Enrollment
For "Web Server (IIS)" there are 24 role services installed. No events or errors from what I can see. Also, I uninstalled and re-installed "Web Server (IIS)" and the needed role services in hopes it would fix the problem.
Regarding C:\Windows\System32\CertSr
How would I proceed now?