Solved

Redirecting Windows 2003 CA Enrollment Site to HTTPS

Posted on 2011-02-10
Last Modified: 2012-05-11
We have an internal Microsoft Windows 2003 CA server running to handle certificates for our VPN users. The site was configured to require SSL to access the enrollment page and a certificate is installed on the server.

This was working fine but suddenly we are having a problem where the redirection is not working. If I enter https://servername/certsrv I get a page cannot be displayed. If I enter http://servername/certsrv I get a message that secure communications is required.

I've verified that the certificate is valid and don't see anything wrong with the configuration. There are no messages in the event or IIS logs.

Where else can I look to get this resolved?

Thanks.
Question by:snowmizer
9 Comments
LVL 77

Expert Comment

by:arnold
ID: 34864887
double check the Certificate on the IIS web site for https://servername to make sure it is valid.
Take out the require SSL under the web site's configuration, which will allow you to access it without SSL, and if it does not work either, you may have a configuration issue, i.e. the wrong .NET framework is applied to this virtual site.

Author Comment

by:snowmizer
ID: 34864903
The certificate on the IIS website is valid. If I remove the SSL requirement I can access the enrollment page (but can't run this without SSL).
LVL 12

Expert Comment

by:DarinTCH
ID: 34864958
what if you manually install the cert locally?
do you still get the error?
do you attempt to convert requests to the http to automagically switch to https?


PS: you have restarted IIS, right?
LVL 77

Expert Comment

by:arnold
ID: 34864963
Check whether you have a requirement for certenroll and/or certcontrol which could explain why when accessing without https you are having an issue if any request/fulfillment is redirected there and it requires an SSL connection.
Enable logging on the virtual site and see what errors if any are reported there.
The .NET framework should be 1.1.4322.

Author Comment

by:snowmizer
ID: 34865083
Yeah, I have restarted IIS. Certsrv, certenroll and certcontrol all have requirements for SSL. The version of .NET framework running on all is 1.1.4322. The cert on the sites is a VeriSign cert specifically for the domain name we use to allow remote users to access the enrollment site.

I don't have anything in place to automatically switch from http to https if the users enter http://servername/certsrv but I would like to have this. How can you go about doing this with CA sites? Would it be similar to how you do OWA (create a redirect page and set the 403.4 error redirect page to my new redirect page)?

We applied the newest round of Windows updates this morning. I'm wondering if this maybe caused an issue since this was working last week and no changes have been made.
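The OWA-style 403.4 redirect page the author asks about, as an added example that is not from this thread: IIS 6 returns 403.4 ("SSL required") when "Require secure channel" is set and a plain http request arrives, so a custom error page for 403.4 can carry a small script that sends the browser to the https:// form of the same URL. The script below assumes it is embedded in a `<script>` block of an .htm file under the site (file name and the `servername` host are placeholders); it upgrades only http:// URLs and returns null for anything else so the https page cannot bounce back into the error page.

```javascript
// Added example for an IIS 6 custom 403.4 error page (not the thread's own code).
// Computes the https URL for the request that triggered the error page.
// Two input forms are handled:
//  1. the address the browser shows, e.g. http://servername/certsrv/
//  2. the form IIS 6 passes to a custom error URL, "...?403;http://servername/certsrv/"
// Returns null when no redirect should happen (already https, non-http scheme,
// or unusable input) so the caller can never loop between http and https.
function toHttpsUrl(href) {
  if (typeof href !== 'string' || href.length === 0) {
    return null;
  }
  var target = href;
  // IIS 6 custom-error convention: "?<status>;<original URL>" is appended
  var m = /\?\d{3};(https?:\/\/.+)$/i.exec(href);
  if (m) {
    target = m[1];
  }
  if (/^https:\/\//i.test(target)) {
    return null; // already secure, nothing to do
  }
  if (!/^http:\/\//i.test(target)) {
    return null; // not an http URL we know how to upgrade
  }
  // Keep host, path and query exactly as requested; only the scheme changes
  return 'https://' + target.slice('http://'.length);
}

// Browser glue: runs only when loaded in a page, not when imported elsewhere.
if (typeof window !== 'undefined' && window.location) {
  var secureUrl = toHttpsUrl(window.location.href);
  if (secureUrl !== null) {
    // replace() keeps the failed http page out of the browser history
    window.location.replace(secureUrl);
  }
}
```

Because the script runs in the browser, the site certificate must match the host name the user typed (here the VPN domain name), otherwise the https hop just trades the 403.4 for a certificate warning.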
LVL 77

Expert Comment

by:arnold
ID: 34865207
The SSL requirement within IIS is what generates the notice when a non-SSL connection is made.
IIS properties of the virtual directory, Directory Security, hit edit under the secure communications option. There you will see at the top the check box for require Secure Channel (SSL).

Double check whether your settings require that the client accessing https://servername/certsrv must present a valid client certificate, within the same location as above. Require client certificates, etc.

Author Comment

by:snowmizer
ID: 34865302
The check box to require SSL is checked, require 128-bit isn't checked, ignore client certificates is not checked. This is the configuration in all three locations (certenroll, certcontrol, and certsrv) plus the default web site.
LVL 77

Accepted Solution

by:arnold (earned 500 total points)
ID: 34865935
Require 128 means the connection will have to be 128 bit, but as long as the require secure channel is checked, only https: type of access will be granted.
If the ignore client certificate is not selected but something else, a connection from a user that does not present a client certificate will not be permitted to access. My guess is that the setup was done such that the initial certificate is provided by the admin, and then the user, after importing the ID certificate into the browser, can renew their certificates remotely.


Author Comment

by:snowmizer
ID: 34890559
I built a new 2003 server on our test network, restored the CA database and re-installed the cert. After doing this my site works so it looks like it's something on my server itself. I tried matching up settings from the new server and the production server. Everything matches but the cert on the prod server still doesn't work.

We're going to just build a new 2008 server and restore the CA on the new server.

Thanks everyone for the replies.