Needed templates not available in the CertSrv Web tool

I have installed Enterprise CA on my PDC. When I go to the CertSrv web page and request a cert, I get a very limited list of templates:
[Image: Templates available in CertSrv]
I need to get a cert for another DC, but these choices do not allow that request. What should I do? I believe I need a template like "Server Authentication Certificate".
HilltownHealthCenter Asked:
 
Paranormastic (Cryptographic Engineer) Commented:
It must be a user cert to which the logged in user has read & enroll permissions to the template, or for a computer cert then the template must be configured on the Subject Name tab to supply the name in the request instead of pulling it from AD.  AD pulled names for a computer cert must be done using either autoenrollment or by using the Certificates MMC snapin with the focus to Local Computer for the requesting box, then use the certificate request wizard from right-clicking the Personal - Certificates folder to submit the request.

Typically the Domain Controller template indicates that your AD forest has not been updated - this should only be used in a Win2000 AD and you must configure a domain Group Policy to allow autoenrollment (search ACRS) instead of having autoenrollment available on the template.  You can check your forest functional level in AD Domains & Trusts and if all of your DC servers are 2003 or higher then upgrade your forest to at least 2003 native mode - refer to forest upgrade documentation for further information and precautions.  This can also happen if your CA is installed on a 2000 box - if so then definitely upgrade your CA since you're missing out on a lot of stuff.

Normally 2003 AD would present Domain Controller Authentication & Directory Email Replication templates with autoenrollment being configured by default.  Note you should still use a domain GPO to distribute the root CA certificate to your workstations & servers.

If everything is 2008 then you should consider moving to that for your AD level - again there are newer templates for Kerberos Authentication and such that would be indicative of this environment and typically enrolled via autoenrollment.
0
 
HilltownHealthCenter (Author) Commented:
This question may involve whether it was correct to install Enterprise CA instead of stand-alone CA. I tried stand-alone CA, but could not get my secure WAP wireless APs to authenticate due to cert issues.
With stand-alone, the "Server Authentication Certificate" choice did appear in CertSrv.
0
 
Michael Pfister Commented:
Requesting Offline Domain Controller Certificates (Advanced Certificate Enrollment and Management)
http://technet.microsoft.com/en-us/library/cc783835(WS.10).aspx

Bunch of information about MS PKI
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

HTH
0
 
Michael Pfister Commented:
And yes, you need an Enterprise CA
0
 
HilltownHealthCenter (Author) Commented:
What I am not finding is how the web tool drop-down list of templates is determined, or how to manage it.
0
 
Paranormastic (Cryptographic Engineer) Commented:
On the CA open 'certsrv.msc' (Certification Authority MMC) (you can also do this from a workstation and then "retarget" to the CA) - expand CAName - select Certificate Templates - the templates listed on the right are what is available.  You can right-click this folder to issue a new template to this CA, or you can select to manage templates (opens 'certtmpl.msc' / Certificate Templates MMC) where you can modify existing templates and duplicate existing ones to create a new customized template.

Note that when working with templates, they are stored in AD, so changes / issuing may take an AD replication cycle to become effective (usually within 15 minutes).

If things still aren't making sense from that let me know and we can go from there
0
 
HilltownHealthCenter (Author) Commented:
Here are the available templates, most of which are showing in CertSrv (see image above), but not the Domain Controller request, which is the one I need.
[Image: Available Templates]
0
 
HilltownHealthCenter (Author) Commented:
Just to be clear, I log into my remote site DC, bring up IE to the CertSrv web tool on the CA server, and that is the image you see at the top.
0
 
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
Hi Asaph :)

please check the attached file :)

Regards,
Krzysztof
cert-on-WWW.pdf
0
 
HilltownHealthCenter (Author) Commented:
Hi Krzysztof,

I have done all those steps. The Domain Controller template (and Authenticated Session, another one I need) show up in the CA snap-in, just as in your example, but when I open the browser to the CertSrv website on the CA, I only see the list, still as submitted originally. Seen from my Exchange server.
0
 
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
Hi,

grrr :)

I would check it ASAP and let you know :)

Krzysztof
0
 
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
I found a Microsoft article about the same steps but without any print screens. Could you try to follow it and check if it works?

http://support.microsoft.com/kb/555291

Krzysztof
0
 
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
I think this is related to Domain Controller certificate template :/ Some other templates also don't work :|
I have no idea why

Sorry, I could help

Krzysztof
0
 
HilltownHealthCenter (Author) Commented:
Current state of this issue:

The needed template choices, when using the CertSrv web tool, are still missing.
Waiting to see if anyone has additional ideas.
0
 
Paranormastic (Cryptographic Engineer) Commented:
You cannot use the web page to request DC certs.  You need to use the Certificates MMC snap-in (target the local computer, run on the DC).

Also check certtmpl.msc (Certificate Templates MMC) for that template's permissions - make sure that the DOMAIN\Domain Controllers group has Read & Enroll permissions - many admins also choose to select Autoenroll for ease of administration.  Again, note that any changes here may take up to 15 minutes to become effective (or whatever your AD replication is set to) - pay attention to subdomains as each tier needs to be specified.

Also, since your CA is installed on a DC, check AD for CERTSVC_DCOM_ACCESS domain local security group.  Within that group, you may need to add the DOMAIN\Domain Controllers group to this group (it is common for this to be missing, however the other typically desired groups of DOMAIN\Domain Users & DOMAIN\Domain Computers are typically already present).

Lastly, check AD Domains & Trusts for your current AD forest level.  If it is not at least 2000 native mode then it needs to be in order to support autoenrollment.
0
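The three replies from Paranormastic above (the web page only offers user templates the logged-in account can Read & Enroll on, or computer templates whose Subject Name is supplied in the request; the CA's issued-template list lives in AD; check the Domain Controllers group's Enroll permission, CERTSVC_DCOM_ACCESS membership, and the forest level) all describe objects that can be read straight out of the Configuration partition. The following PowerShell script is an added example, not code from this thread or from Microsoft, that pulls those objects together into one report. It uses ADSI only, so it runs on a domain-joined box without the ActiveDirectory module. The CA name `EXAMPLE-CA` is a placeholder you must replace with your CA's common name (as shown in certsrv.msc), and the function names are the example's own.

```powershell
# Added example (not from the thread or from Microsoft): audit, from AD, the
# objects the replies above tell you to inspect. Runs on any domain-joined
# machine with PowerShell 2.0+ using ADSI only (no RSAT module needed).
# $CaName is an assumed placeholder; use the CA's common name from certsrv.msc.
param([string]$CaName = 'EXAMPLE-CA')

$config  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiPath = "CN=Public Key Services,CN=Services,$config"

# Extended-right GUIDs for the Enroll and Autoenroll permissions on templates
$enrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoenrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit of msPKI-Certificate-Name-Flag:
# set when the template's Subject Name tab says "Supply in the request"
$supplySubject = 1
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# DOMAIN\name strings for the logged-in user and every group it belongs to;
# this is the set web enrollment evaluates the template ACL against.
function Get-CurrentPrincipalNames {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = @($id.Name)
    foreach ($g in $id.Groups) {
        try { $names += $g.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
    $names
}

# True when any of $principalNames holds an Allow ACE granting Enroll,
# Autoenroll or Full Control on the template.
function Test-EnrollAllowed($rules, $principalNames) {
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if ($principalNames -notcontains $r.IdentityReference.Value) { continue }
        if ($r.ObjectType -eq $enrollGuid -or $r.ObjectType -eq $autoenrollGuid -or
            (($r.ActiveDirectoryRights -band $genericAll) -eq $genericAll)) { return $true }
    }
    $false
}

# The "Certificate Templates" folder under the CA in certsrv.msc is stored as
# the certificateTemplates attribute of the CA's pKIEnrollmentService object.
function Get-IssuedTemplateNames {
    $ca = [ADSI]"LDAP://CN=$CaName,CN=Enrollment Services,$pkiPath"
    try { @($ca.certificateTemplates) }
    catch { throw "CA object '$CaName' not found under Enrollment Services" }
}

function Get-TemplateReport {
    $me      = Get-CurrentPrincipalNames
    $domain  = ($me[0] -split '\\')[0]
    $dcGroup = @("$domain\Domain Controllers")
    foreach ($name in Get-IssuedTemplateNames) {
        $t = [ADSI]"LDAP://CN=$name,CN=Certificate Templates,$pkiPath"
        # v1 templates on an un-upgraded schema may lack the flag: treat as 0
        $nameFlag = 0
        if ($t.'msPKI-Certificate-Name-Flag'.Value -ne $null) {
            $nameFlag = [int]$t.'msPKI-Certificate-Name-Flag'.Value
        }
        $rules = $t.psbase.ObjectSecurity.GetAccessRules($true, $true,
                     [System.Security.Principal.NTAccount])
        New-Object PSObject -Property @{
            Template                   = $name
            SubjectSuppliedInRequest   = (($nameFlag -band $supplySubject) -ne 0)
            CurrentUserCanEnroll       = (Test-EnrollAllowed $rules $me)
            DomainControllersCanEnroll = (Test-EnrollAllowed $rules $dcGroup)
        }
    }
}

# CA on a DC: DCOM enrollment callers must be in CERTSVC_DCOM_ACCESS
function Test-DcomGroupIncludesDomainControllers {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = '(&(objectClass=group)(sAMAccountName=CERTSVC_DCOM_ACCESS))'
    [void]$s.PropertiesToLoad.Add('member')
    $g = $s.FindOne()
    if ($g -eq $null) { return $false }   # group absent: CA is not on a DC
    [bool]($g.Properties['member'] | Where-Object { $_ -like 'CN=Domain Controllers,*' })
}

function Get-ForestMode {
    [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().ForestMode
}

"Forest functional level                   : $(Get-ForestMode)"
"CERTSVC_DCOM_ACCESS has Domain Controllers: $(Test-DcomGroupIncludesDomainControllers)"
Get-TemplateReport | Format-Table Template, SubjectSuppliedInRequest,
    CurrentUserCanEnroll, DomainControllersCanEnroll -AutoSize
```

Reading the report against the thread: a computer template that is issued by the CA but shows `SubjectSuppliedInRequest = False` (the Domain Controller template is one) will not be offered by the CertSrv web page no matter which account is logged in, because the CA builds its subject from AD; `DomainControllersCanEnroll` tells you whether the Certificates MMC request made on the DC itself will be accepted. `CurrentUserCanEnroll` explains the user-template entries you do see in the drop-down. After changing a template's permissions or issuing it to the CA, rerun the script once AD replication has completed.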
 
HilltownHealthCenter (Author) Commented:
Here are the states of the items of interest.
My specific question is: What controls which templates appear on the CertSrv web page drop-down and which do not?

[Image: State of objects mentioned]
0
Question has a verified solution.