Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Redirecting Windows 2003 CA Enrollment Site to HTTPS

Posted on 2011-02-10
9
735 Views
Last Modified: 2012-05-11
We have an internal Microsoft Windows 2003 CA server running to handle certificates for our VPN users. The site was configured to require SSL to access the enrollment page and a certificate is installed on the server.

This was working fine but suddenly we are having a problem where the redirection is not working. If I enter https://servername/certsrv I get a page cannot be displayed. If I enter http://servername/certsrv I get a message that secure communications is required.

I've verified that the certificate is valid and don't see anything wrong with the configuration. There are no messages in the event or IIS logs.

Where else can I look to get this resolved?

Thanks.
0
Comment
Question by:snowmizer
  • 4
  • 4
9 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 34864887
double check the Certificate on the IIS web site for https://servername to make sure it is valid.
Take out the requre SSL under the web site's configuration which will allow you to access it without ssl and if it does not work either, you may have a configuarion issue i.e. the wrong .NET framework is applied to this virtual site.
0
 

Author Comment

by:snowmizer
ID: 34864903
The certificate on the IIS website is valid. If I remove the SSL requirement I can access the enrollment page (but can't run this without SSL).
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 34864958
what if you manually install the cert locally?
do you still get the error?
do you attempt to convert requests to the http to automagicallly switch to https?


ps you have restarted IIS right?
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 77

Expert Comment

by:arnold
ID: 34864963
Check whether you have a requirement for certenroll and/or certcontrol which could explain why when accessing without https you are having an issue if any request/fulfillment is redirected there and it requires an SSL connection.
Enable logging on the virtual site and see what errors if any are reported there.
The .NET framework should be 1.1.4322.
0
 

Author Comment

by:snowmizer
ID: 34865083
Yeah I have restarted IIS. Certsrv, certenroll and certcontrol all have requirements for SSL. The version of .NET framework running on all is 1.1.4322. The cert on the sites is a verisign site specifically for the domain name we use to allow remote users to access the enrollment site.

I don't have anything in place to automatically switch from http to hpps if the users enter http://servername/certsrv but I would like to have this. How can you go about doing this with CA sites? Would it be similar to how you do OWA (create a redirect page and set the 403.4 error redirect page to my new redirect page)?

We applied the newest round of Windows updates this morning. I'm wondering if this maybe caused an issue since this was working last week and no changes have been made.
0
 
LVL 77

Expert Comment

by:arnold
ID: 34865207
The SSL requirement within IIS is what generates the notice when a non-SSL connection is made.
IIS properties of the virtual directory, Directory Security, hit edit under the secure communications option. There you will see at the top the check box for require Secure Channel (SSL).

Double check wheter your settings require that the client accessing the https://servername/certsrv must present a valid client certificate within the same location as above. Require client certificates, etc.
0
 

Author Comment

by:snowmizer
ID: 34865302
The check box to require SSL is checked, require 128-bit isn't checked, ignore client certificates is not checked. This is the configuration in all three locations (certenroll, certcontrol, and certsrv) plus the default web site.
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 34865935
Require 128 means the connection will have to be 128 bit, but as long as the require secure channel is check only https: type of access will be granted.
If the ignore client certificate is not select but something else a connection from a user that does not present a client certificate will not be permitted to access. My guess is that the setup was done such that the initial certificate is provided by the admin and then the user after importing the ID certificate into the browser they can then renew their certificates remotely.

0
 

Author Comment

by:snowmizer
ID: 34890559
I built a new 2003 server on our test network, restored the CA database and re-installed the cert. After doing this my site works so it looks like it's something on my server itself. I tried matching up settings from the new server and the production server. Everything matches but the cert on the prod server still doesn't work.

We're going to just build a new 2008 server and restore the CA on the new server.

Thanks everyone for the replies.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a little timesaver I have been using for setting up Microsoft Small Business Server (SBS) in the simplest possible way. It may not be appropriate for every customer. However, when you get a situation where the person who owns the server is i…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question