Solved

Needed templates not available in the CertSrv Web tool

Posted on 2010-11-28
4,473 Views
Last Modified: 2012-08-13
I have installed Enterprise CA on my PDC. When I go to the CertSrv web page and request a cert, I get a very limited list of templates:
 Templates available in CertSrv
I need to get a cert for another DC, but these choices do not allow that request. What should I do? I believe I need a template like "Server Authentication Certificate".
Question by: HilltownHealthCenter

16 Comments

Author Comment

by:HilltownHealthCenter
ID: 34230293
This question may involve whether it was correct to install Enterprise CA instead of stand-alone CA. I tried stand-alone CA, but could not get my secure WAP wireless APs to authenticate due to cert issues.
With stand-alone, the "Server Authentication Certificate" choice did appear in CertSrv.
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 34230498
Requesting Offline Domain Controller Certificates (Advanced Certificate Enrollment and Management)
http://technet.microsoft.com/en-us/library/cc783835(WS.10).aspx

Bunch of information about MS PKI
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

HTH
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 34230506
And yes, you need an Enterprise CA
 

Author Comment

by:HilltownHealthCenter
ID: 34232615
What I am not finding is how the web tool drop-down list of templates is determined, or how to manage it.
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34240392
On the CA open 'certsrv.msc' (Certification Authority MMC) (you can also do this from workstation and then "retarget" to the CA) - expand CAName - select Certificate Templates - the templates listed on the right is what is available.  You can right-click this folder to issue a new template to this CA, or you can select to manage templates (opens 'certtmpl.msc' / Certificate Templates MMC) where you can modify existing templates and duplicate existing ones to create a new customized template.

Note that when working with templates that they are stored in AD, so changes / issuing may take an AD replication cycle to become effective (usually within 15 minutes).

If things still aren't making sense from that let me know and we can go from there
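The certsrv.msc / certtmpl.msc procedure above, done from the command line so the three lists involved can be compared side by side. This is an added example, not code posted by anyone in the thread. It assumes an elevated PowerShell session on the CA itself (certutil acts on the local CA when no -config is given) and uses the built-in "Domain Controller Authentication" template as the one to issue; substitute whichever template you need.

```powershell
# Added example for this thread, not code from any participant.
# Run elevated on the CA. Without -config, certutil targets the local CA.

# 1. Templates the CA is currently set to issue. This is what certsrv.msc shows
#    under "Certificate Templates" and the only pool the CertSrv web page can
#    draw from: a template missing here can never appear in the drop-down.
certutil -CATemplates

# 2. Every template defined in the forest (what certtmpl.msc shows). They live
#    in the Configuration partition, so a new or edited template must replicate
#    to the DC the CA reads from before the CA can issue it.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = $rootDse.Properties['configurationNamingContext'].Value
$container = [ADSI]("LDAP://CN=Certificate Templates,CN=Public Key Services," +
                    "CN=Services," + $configNC)
foreach ($t in $container.Children) {
    # cn is the name certutil/certreq use; displayName is what the MMC shows
    '{0,-36} {1}' -f $t.Properties['cn'].Value, $t.Properties['displayName'].Value
}

# 3. Add a template to the CA's issue list. Same as right-clicking
#    Certificate Templates -> New -> Certificate Template to Issue.
#    '+' adds, '-' removes.
certutil -SetCATemplates +DomainControllerAuthentication

# 4. Confirm it took, then restart the CA service so the change is immediate
#    rather than waiting for the next template cache refresh.
certutil -CATemplates | Select-String -Pattern 'DomainControllerAuthentication'
Restart-Service -Name certsvc
```

If step 3 fails with a "template not found" style error even though certtmpl.msc shows the template, the usual cause is the replication delay noted above: the CA is reading from a DC that does not yet have the template object.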
 

Author Comment

by:HilltownHealthCenter
ID: 34241812
Here are the available templates, most of which are showing in CertSrv (see image above), but not the Domain Controller request, which is the one I need.
 Available Templates
 

Author Comment

by:HilltownHealthCenter
ID: 34241843
Just to be clear, I log into my remote site DC, bring up IE to the CertSrv web tool on the CA server, and that is the image you see at the top.
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34248410
Hi Asaph :)

please check the attached file :)

Regards,
Krzysztof
cert-on-WWW.pdf
 

Author Comment

by:HilltownHealthCenter
ID: 34283869
Hi Krzysztof,

I have done all those steps. The Domain Controller template (and Authenticated Session, another one I need) show up in the CA snap-in, just as in your example, but when I open the browser to the CertSrv website on the CA, I only see the list, still as submitted originally. Seen from my Exchange server
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34285320
Hi,

grrr :)

I would check it ASAP and let you know :)

Krzysztof
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34316967
I found Microsoft article about the same steps but without any print screens. Could you try to follow with it and check if it works?

http://support.microsoft.com/kb/555291

Krzysztof
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34317030
I think this is related to Domain Controller certificate template :/ Some of other templates also don't work :|
I have no idea why

Sorry, I could  help

Krzysztof
 

Author Comment

by:HilltownHealthCenter
ID: 34393636
Current state of this issue:

The needed template choices, when using the CertSrv web tool, are still missing.
Waiting to see if anyone has additional ideas.
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34436664
You cannot use the web page to request DC certs.  You need to use the Certificates MMC snap-in (target the local computer, run on the DC).

Also check certtmpl.msc (Certificate Templates MMC) for that template's permissions - make sure that the DOMAIN\Domain Controllers group has Read & Enroll permissions - many admins also choose to select Autoenroll for ease of administration.  Again, note that any changes here may take up to 15 minutes to become effective (or whatever your AD replication is set to) - pay attention to subdomains as each tier needs to be specified.

Also, since your CA is installed on a DC, check AD for CERTSVC_DCOM_ACCESS domain local security group.  Within that group, you may need to add the DOMAIN\Domain Controllers group to this group (it is common for this to be missing, however the other typically desired groups of DOMAIN\Domain Users & DOMAIN\Domain Computers are typically already present).

Lastly, check AD Domains & Trusts for your current AD forest level.  If it is not at least 2000 native mode then it needs to be in order to support autoenrollment.
 

Author Comment

by:HilltownHealthCenter
ID: 34450441
Here are the states of the items of interest.
My specific question is: What controls which templates appear on the CertSvc web page drop-down and which do not?

 State of objects mentioned
 
LVL 31

Accepted Solution

by:
Paranormastic earned 2000 total points
ID: 34536987
It must be a user cert to which the logged in user has read & enroll permissions to the template, or for a computer cert then the template must be configured on the Subject Name tab to supply the name in the request instead of pulling it from AD.  AD pulled names for a computer cert must be done using either autoenrollment or by using the Certificates MMC snapin with the focus to Local Computer for the requesting box, then use the certificate request wizard from right-clicking the Personal - Certificates folder to submit the request.

Typically the Domain Controller template indicates that your AD forest has not been updated - this should only be used in a Win2000 AD and you must configure a domain Group Policy to allow autoenrollment (search ACRS) instead of having autoenrollment available on the template.  You can check your forest functional level in AD Domains & Trusts and if all of your DC servers are 2003 or higher then upgrade your forest to at least 2003 native mode - refer to forest upgrade documentation for further information and precautions.  This can also happen if your CA is installed on a 2000 box - if so then definitely upgrade your CA since you're missing out on a lot of stuff.

Normally 2003 AD would present Domain Controller Authentication & Directory Email Replication templates with autoenrollment being configured by default.  Note you should still use a domain GPO to distribute the root CA certificate to your workstations & servers.

If everything is 2008 then you should consider moving to that for your AD level - again there are newer templates for Kerberos Authentication and such that would be indicative of this environment and typically enrolled via autoenrollment.
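The two template properties the accepted answer turns on, plus the earlier advice to check Enroll permissions and to request from the DC with the Certificates snap-in, as one added example. This is not code from the thread. Part (a) reads the "Supply in the request" flag and the explicit Enroll ACEs straight from the template object in AD, which is exactly what decides whether the web page can offer a computer template. Part (b) requests a DC certificate from the DC itself with certreq, the command-line equivalent of the Certificates MMC wizard, which works for templates that build the subject from AD. It assumes an elevated session on the DC that needs the certificate; the CA config string and host names are hypothetical placeholders.

One caveat before using part (a) to "fix" the web page: switching a template to "Supply in the request" so it shows up in the drop-down means every principal with Enroll on that template can ask for a certificate bearing any subject name. On a template carrying Server or Client Authentication EKUs that is an impersonation risk, so keep Enroll restricted to the Domain Controllers group and prefer the MMC/certreq route for DC certificates.

```powershell
# Added example for this thread, not code from any participant. Run elevated on
# the DC that needs the certificate. Template, CA and host names are placeholders.

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Bit 0 of msPKI-Certificate-Name-Flag: the requester supplies the subject name
# (the "Supply in the request" radio button on the template's Subject Name tab).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
# Extended right "Certificate-Enrollment": the Enroll checkbox on the Security tab.
$enrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# (a) What the web page looks at: subject-name source and who may enroll.
function Get-TemplateEnrollInfo {
    param([Parameter(Mandatory=$true)][string]$TemplateName)   # the template's cn

    $t = [ADSI]"LDAP://CN=$TemplateName,$tmplBase"
    if (-not $t.Properties['cn'].Value) { throw "Template '$TemplateName' not found under $tmplBase" }

    $nameFlag        = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
    $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0

    # Explicit Allow ACEs for the Enroll right. GenericAll also implies Enroll,
    # so an empty list here does not prove nobody can enroll.
    $enrollers = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.ObjectType -eq $enrollRightGuid -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }

    New-Object PSObject -Property @{
        Template           = $TemplateName
        SubjectFromRequest = $suppliesSubject   # $false: web page cannot offer it for a computer
        EnrollAllowed      = $enrollers         # expect DOMAIN\Domain Controllers for DC templates
    }
}

Get-TemplateEnrollInfo -TemplateName 'DomainControllerAuthentication' | Format-List

# (b) Request the DC certificate from the DC. The template builds the subject from
#     AD, so the CA replaces the Subject given here; certreq only needs a valid
#     request. MachineKeySet puts the key in the computer store and KeySpec=1
#     (AT_KEYEXCHANGE) with the SChannel provider makes it usable for LDAPS/Kerberos.
$inf = @"
[NewRequest]
Subject = "CN=$env:COMPUTERNAME"
MachineKeySet = TRUE
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = DomainControllerAuthentication
"@
Set-Content -Path "$env:TEMP\dc.inf" -Value $inf -Encoding ASCII

$caConfig = 'PDC01.corp.example\Corp-Enterprise-CA'   # hypothetical "CAHost\CAName"
certreq -new    "$env:TEMP\dc.inf" "$env:TEMP\dc.req"
certreq -submit -config $caConfig "$env:TEMP\dc.req" "$env:TEMP\dc.cer"
certreq -accept "$env:TEMP\dc.cer"    # binds the issued cert to the key in the machine store
```

If `certreq -submit` comes back with an access-denied error, check the two things the earlier comment lists: the DOMAIN\Domain Controllers group must appear in the EnrollAllowed output above, and, with the CA on a DC, it must also be a member of CERTSVC_DCOM_ACCESS.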