Solved

Windows 2012 - CertSrv Certificate Authority IIS web i/f - certificate template options missing

Posted on 2016-08-28
273 Views
Last Modified: 2016-09-05
Headline:
Win Svr Std 2012: https://server/certsrv to submit a certificate request, the Advanced Certificate Request screen does not show the usual list of certificate types. It is empty with error message for domain admin user, or contains just one entry (Code Sign) if Administrator user.

Empty Certificate Template list
Background:
Migrating from SBS 2008 to Std 2012. Domain and Forest level are both at 2008. Migrated CA using MS Technet article: https://technet.microsoft.com/en-us/library/ee126140%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 

Post-migration, CA appears OK (right certs, history, functioning.) Trying to use certsrv to create certs via web browser. If I authenticate as Administrator, I see only one template, "Code Signing". If I login as user member of domain admin, I see none and get error "you do not have permission to request a certificate from this CA".

I've tried duplicating the Web Server template as "Web Server temp", still doesn't show up. I've opened privileges up wide on that template, doesn't show up. I've tried the suggestion about making the Subject "build this from AD", doesn't help. I've reduced the maximum validity to one year, no help. I've tried putting certsrv under a NetworkService rather than an ApplicationPoolIdentity, doesn't help. I've read a hundred articles, most with no clear resolution.

I am connecting to CertSrv using https (it is marked as requires https) and with a proper cert installed and bound to port 443. The SSL connection / authentication seems to work properly. Note that using different login identity has different results, so the identity seems to be propagated properly.

Not sure where to turn next.

Is this environment (running 2008 domain/forest level with 2012 server) something that should not work? In other words, in a couple of weeks, when migration is done, and if I raise the forest/domain level to 2012, would this all magically start to work? Or, am I just deeper in the weeds because there's no hope to back out and start over?

The symptom I keep coming back to, which I cannot explain, is that the CodeSigning template shows up when logged in with the Administrator account but not when logged in with another domain admin member. Nothing else shows up either way. It smells of a permission problem but CodeSigning just has domain+enterprise admin with r/w/enroll. Nothing specific to the Administrator other than it may have other group memberships / just is special.

The one other note on CodeSigning is from migration. The MS KB article on CA migration (link above) describes using certutil -setcatemplates to assign the migrated templates to the destination CA. The output from that command indicated that only CodeSigning wasn't "Already present":
c:\Temp\BackupCA>certutil -setcatemplates +CodeSigning,EFSRecovery,EFS,DomainController,WebServer,Machine,User,SubCA,Administrator
CodeSigning: Adding
EFSRecovery: Already present
EFS: Already present
DomainController: Already present
WebServer: Already present
Machine: Already present
User: Already present
SubCA: Already present
Administrator: Already present
CertUtil: -SetCATemplates command completed successfully.

Finally, the correct sets of templates were displayed under SBS 2008 certsrv. Same setup/configuration post-migration, behaves very differently, as described above.

Help ...
Question by:fmoultrie
2 Comments
LVL 27

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 41783946
0
 

Author Closing Comment

by:fmoultrie
ID: 41785016
Thanks, Dan. The MS article contained the clue for my post-CA restore situation:
What I missed was that I didn't realize I had to republish the templates from the CA (even though they displayed there and in the template MSC plug-in and in the catemplate tool ...) -

In the MMC, go to Certification Authority > collapse this node > click with right mouse button on Certificate Templates > New > Certificate Template To Issue.
--
(repeat for each template of interest)

Moving on with my server migration. Thanks for helping me find this needle in the haystack.
Ferrell
0
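The fix described in the closing comment (publishing the template on the CA via "Certificate Template To Issue") and the certutil -setcatemplates step from the question are the same operation, and the web enrollment page additionally filters the list by the caller's Enroll right on each template. The following PowerShell script is an added example, not code from the question, the answer or Microsoft; it checks both conditions from the CA host. It assumes Windows Server 2012 or later with the ADCSAdministration and ActiveDirectory modules installed, that it runs elevated, and that the template common name in $TemplateName (WebServer here) is replaced with the template you care about.

```powershell
# Added example: check whether a template is published on this CA and who may enroll.
# Assumptions: run elevated on the CA host (Windows Server 2012+), with the
# ADCSAdministration and ActiveDirectory modules available; $TemplateName is the
# template's common name (CN), not its display name, and is a placeholder to replace.
Import-Module ADCSAdministration
Import-Module ActiveDirectory

$TemplateName = 'WebServer'   # assumption: replace with the CN of the template of interest

# 1. Which templates is this CA configured to issue?
#    A template can exist in AD and appear in the Certificate Templates MMC and yet
#    be absent here, which is the situation the closing comment describes.
$issued = Get-CATemplate
"Templates the CA is configured to issue:"
$issued | Format-Table Name, Oid -AutoSize

if ($issued.Name -notcontains $TemplateName) {
    "Template '$TemplateName' is not published on this CA; publishing it."
    # Same effect as MMC: Certificate Templates > New > Certificate Template To Issue,
    # or: certutil -SetCATemplates +$TemplateName
    Add-CATemplate -Name $TemplateName -Force
}

# 2. Who holds the Enroll right? Web enrollment lists a template only when the
#    caller has Enroll on it, so an empty list for one user and not another points
#    at the template ACL (or at group membership), not at IIS.
$rootDse    = Get-ADRootDSE
$templateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

$acl = Get-Acl -Path "AD:\$templateDn"
$enrollers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $enrollGuid -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
}
"Principals with an explicit Enroll grant on '$TemplateName':"
$enrollers | Select-Object IdentityReference, IsInherited | Format-Table -AutoSize
# Note: principals holding GenericAll on the template can also enroll (and edit it);
# those ACEs carry no ObjectType and are not listed above.

# 3. Flag broad Enroll grants. "Opening privileges up wide" to get a template to
#    appear leaves it enrollable by every domain account, so tighten it back to a
#    dedicated group once the real cause (here, the template not being published) is fixed.
$broad = 'NT AUTHORITY\Authenticated Users', 'Everyone',
         "$env:USERDOMAIN\Domain Users", "$env:USERDOMAIN\Domain Computers"
$wide = $enrollers | Where-Object { $broad -contains $_.IdentityReference.Value }
if ($wide) {
    "WARNING: broad Enroll grant on '$TemplateName': $($wide.IdentityReference.Value -join ', ')"
}
```

Run it once before and once after publishing the template: step 1 should change from "not published" to listing the template, and step 2 should show the group the intended requesters belong to (Domain Admins in the question's case) with Enroll, and nothing broader.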
