Solved

Redirecting Windows 2003 CA Enrollment Site to HTTPS

Posted on 2011-02-10
9
739 Views
Last Modified: 2012-05-11
We have an internal Microsoft Windows 2003 CA server running to handle certificates for our VPN users. The site was configured to require SSL to access the enrollment page and a certificate is installed on the server.

This was working fine but suddenly we are having a problem where the redirection is not working. If I enter https://servername/certsrv I get a page cannot be displayed. If I enter http://servername/certsrv I get a message that secure communications is required.

I've verified that the certificate is valid and don't see anything wrong with the configuration. There are no messages in the event or IIS logs.

Where else can I look to get this resolved?

Thanks.
Question by:snowmizer
9 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 34864887
Double check the certificate on the IIS web site for https://servername to make sure it is valid.
Take out the require SSL setting under the web site's configuration, which will allow you to access it without SSL, and if it does not work either, you may have a configuration issue, i.e. the wrong .NET framework is applied to this virtual site.
 

Author Comment

by:snowmizer
ID: 34864903
The certificate on the IIS website is valid. If I remove the SSL requirement I can access the enrollment page (but can't run this without SSL).
 
LVL 12

Expert Comment

by:DarinTCH
ID: 34864958
What if you manually install the cert locally?
Do you still get the error?
Do you attempt to convert requests to http to automagically switch to https?


PS: you have restarted IIS, right?
 
LVL 78

Expert Comment

by:arnold
ID: 34864963
Check whether you have a requirement for certenroll and/or certcontrol which could explain why when accessing without https you are having an issue if any request/fulfillment is redirected there and it requires an SSL connection.
Enable logging on the virtual site and see what errors if any are reported there.
The .NET framework should be 1.1.4322.
 

Author Comment

by:snowmizer
ID: 34865083
Yeah, I have restarted IIS. Certsrv, certenroll and certcontrol all have requirements for SSL. The version of .NET framework running on all is 1.1.4322. The cert on the sites is a VeriSign cert specifically for the domain name we use to allow remote users to access the enrollment site.

I don't have anything in place to automatically switch from http to https if the users enter http://servername/certsrv, but I would like to have this. How can you go about doing this with CA sites? Would it be similar to how you do OWA (create a redirect page and set the 403.4 error redirect page to my new redirect page)?

We applied the newest round of Windows updates this morning. I'm wondering if this maybe caused an issue since this was working last week and no changes have been made.
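A redirect page of the kind the OWA approach uses, as an added example rather than anything posted in the thread: saved as a file on the server and configured as the custom error page for HTTP error 403.4 on the certsrv, certenroll and certcontrol virtual directories. IIS 6 serves that error page in place over plain HTTP, so the script only rewrites when the scheme is http (no redirect loop once the user is on https), keeps the path and query so each virtual directory lands on its own HTTPS equivalent, and assumes SSL is on the default port 443. The host name servername is taken from the question; the file name and the function name are assumptions.

```javascript
// Added example, not from the thread: logic for an IIS 6 403.4
// custom-error redirect page for a CA enrollment site.
// The "Require secure channel (SSL)" setting on the virtual directory
// remains the actual control; this page only saves users from
// retyping the URL with https:// by hand.

// Returns the https equivalent of an http URL, preserving host, path
// and query. Returns null when the URL is not plain http (already
// https, or some other scheme), so the page never redirects to itself.
function rewriteToHttps(requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol !== "http:") {
    return null;
  }
  u.protocol = "https:";
  // Assumption: SSL listens on the default port 443, so an explicit
  // non-default http port (e.g. :8080) is dropped rather than carried over.
  u.port = "";
  return u.toString();
}

// Browser side: when IIS serves this file as the 403.4 error page, the
// address bar still holds the URL the user typed (e.g. http://servername/certsrv),
// so location.href is the right input. Guarded so the function above can
// also be exercised outside a browser.
if (typeof location !== "undefined") {
  const target = rewriteToHttps(location.href);
  if (target !== null) {
    location.replace(target);
  }
}
```

The redirect file itself must live in a directory that does not require SSL; if it sits under a directory with "Require secure channel" set, IIS cannot serve it for the 403.4 error and the user still sees the secure-communications message.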
 
LVL 78

Expert Comment

by:arnold
ID: 34865207
The SSL requirement within IIS is what generates the notice when a non-SSL connection is made.
IIS properties of the virtual directory, Directory Security, hit edit under the secure communications option. There you will see at the top the check box for require Secure Channel (SSL).

Double check whether your settings require that the client accessing https://servername/certsrv must present a valid client certificate, within the same location as above (Require client certificates, etc.).
 

Author Comment

by:snowmizer
ID: 34865302
The check box to require SSL is checked, require 128-bit isn't checked, ignore client certificates is not checked. This is the configuration in all three locations (certenroll, certcontrol, and certsrv) plus the default web site.
 
LVL 78

Accepted Solution

by:arnold (earned 500 total points)
ID: 34865935
Require 128 means the connection will have to be 128-bit, but as long as Require secure channel is checked only https: type of access will be granted.
If Ignore client certificates is not selected but something else is, a connection from a user that does not present a client certificate will not be permitted access. My guess is that the setup was done such that the initial certificate is provided by the admin, and then the user, after importing the ID certificate into the browser, can renew their certificates remotely.
 

Author Comment

by:snowmizer
ID: 34890559
I built a new 2003 server on our test network, restored the CA database and re-installed the cert. After doing this my site works so it looks like it's something on my server itself. I tried matching up settings from the new server and the production server. Everything matches but the cert on the prod server still doesn't work.

We're going to just build a new 2008 server and restore the CA on the new server.

Thanks everyone for the replies.