Solved

Needed templates not available in the CertSrv Web tool

Posted on 2010-11-28
16
4,284 Views
Last Modified: 2012-08-13
I have installed Enterprise CA on my PDC. When I go to the CertSrv web page and request a cert, I get a very limited list of templates:
 Templates available in CertSrv
I need to get a cert for another DC, but these choices do not allow that request. What should I do? I believe I need a template like "Server Authentication Certificate".
Question by:HilltownHealthCenter
16 Comments
 

Author Comment

by:HilltownHealthCenter
ID: 34230293
This question may involve whether it was correct to install Enterprise CA instead of stand-alone CA. I tried stand-alone CA, but could not get my secure WAP wireless APs to authenticate due to cert issues.
With stand-alone, the "Server Authentication Certificate" choice did appear in CertSrv.
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 34230498
Requesting Offline Domain Controller Certificates (Advanced Certificate Enrollment and Management)
http://technet.microsoft.com/en-us/library/cc783835(WS.10).aspx

Bunch of information about MS PKI
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

HTH
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 34230506
And yes, you need an Enterprise CA
0
 

Author Comment

by:HilltownHealthCenter
ID: 34232615
What I am not finding is how the web tool drop-down list of templates is determined, or how to manage it.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34240392
On the CA open 'certsrv.msc' (Certification Authority MMC) (you can also do this from a workstation and then "retarget" to the CA) - expand CAName - select Certificate Templates - the templates listed on the right are what is available.  You can right-click this folder to issue a new template to this CA, or you can select to manage templates (opens 'certtmpl.msc' / Certificate Templates MMC) where you can modify existing templates and duplicate existing ones to create a new customized template.

Note that templates are stored in AD, so changes / issuing may take an AD replication cycle to become effective (usually within 15 minutes).

If things still aren't making sense from that let me know and we can go from there
0
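The same view-and-publish steps from a command prompt, as an added example that is not part of the thread. It uses `certutil`, which ships with Windows; the `-config` value is a placeholder for your own `<host>\<CA common name>`, and `DomainControllerAuthentication` is the CN of the built-in "Domain Controller Authentication" template.

```powershell
# Added example, not from the thread: manage the CA's issued-template list with certutil.
# Replace the placeholder with your CA's "<host>\<CA common name>".
$caConfig = 'CA-HOST\Contoso-Issuing-CA'   # placeholder

# Templates this CA currently issues (what certsrv.msc shows under Certificate Templates)
certutil -config $caConfig -CATemplates

# Every template defined in the forest, published or not (what certtmpl.msc shows)
certutil -template

# Publish an additional template to this CA
# (same effect as right-click Certificate Templates -> New -> Certificate Template to Issue)
certutil -config $caConfig -SetCATemplates '+DomainControllerAuthentication'

# Remove a template from the CA's issued list
certutil -config $caConfig -SetCATemplates '-DomainControllerAuthentication'

# The published list lives in AD (the CA's pKIEnrollmentService object), so as the
# post above says, expect to wait for replication before other DCs see the change.
```

The `+`/`-` arguments are quoted so PowerShell passes them to `certutil` untouched; from cmd.exe they can be typed bare.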
 

Author Comment

by:HilltownHealthCenter
ID: 34241812
Here are the available templates, most of which are showing in CertSrv (see image above), but not the Domain Controller request, which is the one I need.
 Available Templates
0
 

Author Comment

by:HilltownHealthCenter
ID: 34241843
Just to be clear, I log into my remote site DC, bring up IE to the CertSrv web tool on the CA server, and that is the image you see at the top.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34248410
Hi Asaph :)

please check the attached file :)

Regards,
Krzysztof
cert-on-WWW.pdf
0
 

Author Comment

by:HilltownHealthCenter
ID: 34283869
Hi Krzysztof,

I have done all those steps. The Domain Controller template, (and Authenticated Session, another one I need) show up in the CA snap-in, just as in your example, but when I open the browser to the CertSrv website on the CA, I only see the list, still as submitted originally. Seen from my Exchange server
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34285320
Hi,

grrr :)

I would check it ASAP and let you know :)

Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34316967
I found a Microsoft article about the same steps but without any print screens. Could you try following it and check if it works?

http://support.microsoft.com/kb/555291

Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34317030
I think this is related to Domain Controller certificate template :/ Some of other templates also don't work :|
I have no idea why

Sorry, I could help

Krzysztof
0
 

Author Comment

by:HilltownHealthCenter
ID: 34393636
Current state of this issue:

The needed template choices, when using the CertSrv web tool, are still missing.
Waiting to see if anyone has additional ideas.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34436664
You cannot use the web page to request DC certs.  You need to use the Certificates MMC snap-in (target the local computer, run on the DC).

Also check certtmpl.msc (Certificate Templates MMC) for that template's permissions - make sure that the DOMAIN\Domain Controllers group has Read & Enroll permissions - many admins also choose to select Autoenroll for ease of administration.  Again, note that any changes here may take up to 15 minutes to become effective (or whatever your AD replication is set to) - pay attention to subdomains as each tier needs to be specified.

Also, since your CA is installed on a DC, check AD for CERTSVC_DCOM_ACCESS domain local security group.  Within that group, you may need to add the DOMAIN\Domain Controllers group to this group (it is common for this to be missing, however the other typically desired groups of DOMAIN\Domain Users & DOMAIN\Domain Computers are typically already present).

Lastly, check AD Domains & Trusts for your current AD forest level.  If it is not at least 2000 native mode then it needs to be in order to support autoenrollment.
0
 

Author Comment

by:HilltownHealthCenter
ID: 34450441
Here are the states of the items of interest.
My specific question is: What controls which templates appear on the CertSrv web page drop-down and which do not?

 State of objects mentioned
0
 
LVL 31

Accepted Solution

by:Paranormastic (earned 500 total points)
ID: 34536987
It must be a user cert to which the logged-in user has read & enroll permissions on the template, or for a computer cert the template must be configured on the Subject Name tab to supply the name in the request instead of pulling it from AD.  AD-pulled names for a computer cert must be done using either autoenrollment or the Certificates MMC snap-in with the focus set to Local Computer on the requesting box, then use the certificate request wizard from right-clicking the Personal - Certificates folder to submit the request.

Typically the Domain Controller template indicates that your AD forest has not been updated - this should only be used in a Win2000 AD and you must configure a domain Group Policy to allow autoenrollment (search ACRS) instead of having autoenrollment available on the template.  You can check your forest functional level in AD Domains & Trusts and if all of your DC servers are 2003 or higher then upgrade your forest to at least 2003 native mode - refer to forest upgrade documentation for further information and precautions.  This can also happen if your CA is installed on a 2000 box - if so then definitely upgrade your CA since you're missing out on a lot of stuff.

Normally 2003 AD would present Domain Controller Authentication & Directory Email Replication templates with autoenrollment being configured by default.  Note you should still use a domain GPO to distribute the root CA certificate to your workstations & servers.

If everything is 2008 then you should consider moving to that for your AD level - again there are newer templates for Kerberos Authentication and such that would be indicative of this environment and typically enrolled via autoenrollment.
0
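An audit script for the conditions named in the accepted answer (the requesting principal holds Read and Enroll on the template, or the template has "Supply in the request" set on the Subject Name tab) together with the CERTSVC_DCOM_ACCESS membership and forest-level checks from Paranormastic's earlier post. This is an added example, not code from the thread: it reads the CA's published-template list and each template's AD security descriptor directly. It assumes the ActiveDirectory RSAT module is installed; `$caName` and `$principal` are placeholders, and only ACEs granted directly to that principal are counted (nested group membership is not expanded).

```powershell
# Added example, not from the thread. Checks, per template the CA publishes, whether the
# chosen principal has Read/Enroll/Autoenroll and whether the template lets the requester
# supply the subject name, then prints the CERTSVC_DCOM_ACCESS members and forest level.
Import-Module ActiveDirectory

$caName    = 'Contoso-Issuing-CA'          # placeholder: the CA's common name
$principal = 'CONTOSO\Domain Controllers'  # placeholder: account or group that will request

$configNC     = (Get-ADRootDSE).configurationNamingContext
$pkiBase      = "CN=Public Key Services,CN=Services,$configNC"
$templateBase = "CN=Certificate Templates,$pkiBase"

# Well-known extended-right GUIDs used in template ACLs
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-00e0-4e5b-67a3d4ca7de0'
# Bit in msPKI-Certificate-Name-Flag set by "Supply in the request" on the Subject Name tab
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
$readMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

$sid = (New-Object System.Security.Principal.NTAccount($principal)).Translate(
           [System.Security.Principal.SecurityIdentifier])

function Get-AceSid($ace) {
    # ACE identities come back as NTAccount, or as a raw SID when unresolvable
    try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { $null }
}

# 1. Templates this CA actually issues (the certsrv.msc "Certificate Templates" list)
$ca = Get-ADObject -Identity "CN=$caName,CN=Enrollment Services,$pkiBase" `
                   -Properties certificateTemplates
$published = @($ca.certificateTemplates)

# 2. For each published template: subject-name flag plus the principal's direct Allow ACEs
$report = foreach ($name in $published) {
    $tpl = Get-ADObject -Identity "CN=$name,$templateBase" `
                        -Properties 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor
    $aces = @($tpl.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (Get-AceSid $_) -eq $sid
    })
    [pscustomobject]@{
        Template        = $name
        SuppliesSubject = [bool]($tpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        Read            = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $readMask) -ne 0 })
        Enroll          = [bool]($aces | Where-Object { $_.ObjectType -eq $EnrollRight })
        Autoenroll      = [bool]($aces | Where-Object { $_.ObjectType -eq $AutoEnrollRight })
    }
}
$report | Format-Table -AutoSize

# 3. CA installed on a DC: requesters must be in the domain-local CERTSVC_DCOM_ACCESS group,
#    and autoenrollment needs a native-mode forest, so show both for review.
$dcom = Get-ADGroupMember -Identity 'CERTSVC_DCOM_ACCESS' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
"CERTSVC_DCOM_ACCESS members: $($dcom -join ', ')"
"Forest functional level:     $((Get-ADForest).ForestMode)"
```

Reading the table against the accepted answer: a computer template with `SuppliesSubject` false will never be offered by the web page regardless of permissions, and a user template needs both `Read` and `Enroll` true for the account that is logged in to the browser. Run it against the account you actually use in IE, since web enrollment evaluates that user's rights, not the DC's.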
