  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 12495

CA WebEnrollment /CertSrv throwing 403.14

We have a Windows 2008 Ent SP2 host running as a CA. The CA part works fine, but Web Enrollment just won't work.

When connecting to http://localhost/ it shows the default "Welcome IIS7" page, so I know IIS is running. I am also able to download the crt/crl files from http://localhost/CertSrv/certenroll/. However, when connecting to http://localhost/CertSrv/ I can authenticate but am met with:
HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory.


and:
A default document is not configured for the requested URL, and directory browsing is not enabled on the server.



I have tried...
C:\>certutil -vroot
Web Virtual Root Already Exists
Active Server Pages (ASP) already enabled
File Share Already Exists
CertUtil: -vroot command completed successfully.


...and I can't see anything out of the ordinary regarding the event logs or services.

Any pointers for where to look?
Asked by: NordCap
 
Adam Brown (Sr Solutions Architect) commented:
First off, check to make sure you have all the Role Services you need installed. Also check to make sure that the default.asp file is located in C:\Windows\System32\CertSrv\en-US. If there is no default.asp file listed in that folder, you probably need to re-install Certificate Services on the server.
 
NordCap (Author) commented:
I checked the role services for "Active Directory Certificate Services" of which these are installed:
1) Certificate Authority
2) Certificate Authority Web Enrollment

For "Web Server (IIS)" there are 24 role services installed. No events or errors from what I can see. Also, I uninstalled and re-installed "Web Server (IIS)" and the needed Role Services in hopes it would fix the problem.

Regarding C:\Windows\System32\CertSrv\en-US\default.asp: it sure is there, 4359 bytes in size.

How would I proceed now?
 
Boilermaker85 commented:
Have you verified you are using pass-through authentication? See screenshot: Authentication for Certsrv
 
NordCap (Author) commented:
@Boilermaker85: How do I verify that? I can't seem to find any window resembling the one you've attached.
 
Boilermaker85 commented:
That is the authentication icon in IIS for the website Certsrv.

By the way, you are doing https://ca/certsrv and trying to obtain what kind of certificate? The templates for each certificate have a Security tab which specifies who can web enroll for a particular cert. If you are doing web server requests, you probably need to be domain admin.
 
Adam Brown (Sr Solutions Architect) commented:
Click on the CertSrv site in IIS and then open the Default Document in Features View. Make sure default.asp is listed in there.
 
Paranormastic (Cryptographic Engineer) commented:
Try accessing from another box instead of locally to see if that helps. You may be running into issues with loopback authentication:

http://weblogs.asp.net/andresv/archive/2009/10/29/authentication-problems-in-windows-2008-r2-and-loopback-ip.aspx
http://support.microsoft.com/kb/887993
 
NordCap (Author) commented:
@Boilermaker85: When looking at the Authentication settings for CertSrv I can only see:
Anonymous Authentication: Disabled
Windows Authentication: Enabled, HTTP 401 Challenge

No mention of pass-through as far as I can see. Also, I'm using the domain admin account when logging on to make sure I have sufficient permissions. I've tried both IE and FF, using DOMAIN\Administrator and administrator@domain.local. Makes no difference.


@acbrown2010: Default.asp is listed as the second entry from the top. So yes, it is there.


@Paranormastic: I've tried connecting from a client using the local FQDN as well, the result is the same.
 
Boilermaker85 commented:
Ok. Let's start at the beginning. Open an MMC. Add the Certificate Authority snap-in for your CA and click on the Certificate Templates folder on the left. Right-click on it and select Manage. Another window will open up with all your templates. Select the template you are trying to web enroll. Let's assume it is the Web Server. Right-click on the template and choose Properties. On the Security tab click on the user representing you (Domain Admins). In the window below, you should have Enroll checked.
 
Boilermaker85 commented:
Did you create the template that you are trying to enroll? If so, perhaps we could go over what you have on the other tabs in the template.
 
NordCap (Author) commented:
@Boilermaker85: Domain Admins have enroll rights on all templates, so I don't see that being an issue. Also, I can never reach the point where I can choose a template to enroll. I can't even see Default.asp, which is connected to IIS rather than the CA part.
 
Boilermaker85 commented:
Ok. So it is not a cert template issue; you believe it to be an IIS issue. OK. Let's look at Server Manager, Roles, Web Server, Internet Information Services Manager, expand Sites and Default Web Site. Highlight Certsrv. Double-click Default Document in the /certsrv Home pane. I have Default.asp as the top document, followed by Default.htm, index.htm etc. Do you also have that?
 
Boilermaker85 commented:
And if you switch to Content View at the bottom, then select the default.asp file and click Edit Permissions on the right, does it show localmachine\administrators and localmachine\users both have read and execute rights? If yes, then open up Server Manager, Configuration, Local Users and Groups, and look at the two groups Administrators and Users and make sure they have the domain equivalents in there (domain\administrators and domain\users respectively).
 
NordCap (Author) commented:
Default.asp is not the top one, Default.htm is, and the order is inherited from a parent. I did take a look at /CertSrv and there was no Default.asp there. However, there was one in /CertSrv/en-US, so I tried connecting to /CertSrv/en-US and it worked like a charm.

I've never had to access the /CertSrv/en-US directory before. Is this something new, or is the redirection for /CertSrv -> /CertSrv/en-US broken?
 
NordCap (Author) commented:
I solved it by doing a redirect from the root to CertSrv/en-US/.
 
Boilermaker85 commented:
I don't know why yours has a subdirectory en-US for the default.asp file. Mine is in the /certsrv directory. But your redirect works also.
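An added example, not from this thread or from Microsoft: a small Python model of how IIS picks a default document (the inherited, ordered file list with clear/add/remove, matched case-insensitively) and why a directory with none of them returns 403.14 unless directory browsing is enabled. The web.config fragment and the directory tree are constructed to mirror the poster's layout, with default.asp only under CertSrv\en-US.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed site-level web.config fragment (not from the poster's server):
# Default.htm precedes Default.asp, the inherited order described in the thread.
SITE_CONFIG = """<configuration><system.webServer><defaultDocument enabled="true"><files>
<clear/><add value="Default.htm"/><add value="Default.asp"/><add value="index.htm"/>
</files></defaultDocument></system.webServer></configuration>"""


def default_documents(*configs):
    """Merge defaultDocument/files from parent to child config, honouring
    <clear/>, <add value=.../> and <remove value=.../> in order."""
    docs = []
    for xml in configs:
        files = ET.fromstring(xml).find("system.webServer/defaultDocument/files")
        if files is None:
            continue  # this level inherits the parent's list unchanged
        for el in files:
            value = el.get("value")
            if el.tag == "clear":
                docs = []
            elif el.tag == "add" and value not in docs:
                docs.append(value)
            elif el.tag == "remove" and value in docs:
                docs.remove(value)
    return docs


def resolve(directory, docs, browsing_enabled=False):
    """First default document present in directory (case-insensitive, as on
    NTFS), 'listing' if browsing is on, else the 403.14 sub-status."""
    present = {name.lower(): name for name in os.listdir(directory)}
    for doc in docs:
        if doc.lower() in present:
            return present[doc.lower()]
    return "listing" if browsing_enabled else "403.14"


def demo():
    """Rebuild the poster's layout in a temp tree (constructed, empty files):
    certenroll and en-US under CertSrv, default.asp only inside en-US."""
    certsrv = os.path.join(tempfile.mkdtemp(), "CertSrv")
    os.makedirs(os.path.join(certsrv, "certenroll"))
    os.makedirs(os.path.join(certsrv, "en-US"))
    open(os.path.join(certsrv, "en-US", "default.asp"), "w").close()
    docs = default_documents(SITE_CONFIG)
    return {"order": docs, "/CertSrv/": resolve(certsrv, docs),
            "/CertSrv/en-US/": resolve(os.path.join(certsrv, "en-US"), docs)}
```

Running `demo()` reproduces the thread's result: /CertSrv/ has no document from the inherited list and yields 403.14, while /CertSrv/en-US/ serves default.asp, which is why the poster's redirect to the en-US subdirectory works.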
