Martin Kühn
asked on
Unable to install certificate with CA on SBS 2011

At a customer's site, who is still working with SBS 2011, I would like to set up SSTP. I am running into problems with the certificate. I used IIS to submit a request to the built-in PKI, but this is not accepted. I always get an error (rough translation from German):

The request does not contain certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE).
Denied by policy module 0x80094801, The request does not contain the certificate template extension or the CertificateTemplate request attribute.

I found an article on requesting a computer certificate manually and installing it with

`certreq -submit -attrib "CertificateTemplate:<template name>" C:\<path>\<request file>.req`, but same result.

arnold

The Web server certificate is not valid for what you are trying to use it for.

You may have to create the appropriate template using the CA template MMC on the server.
You can then use http://sbs2011/SrvEnroll to generate the certificate for SSTP.

You might be able to use certutil to do the same.

https://mihoitpro.blogspot.com/2014/11/build-stp-vpn-server-part-1-issue-ssl.html
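The manual request path discussed above, written out as an added example (this is not code from the thread or from Microsoft's documentation): an INF file that carries the CertificateTemplate attribute the policy module complained about, submitted to the CA with certreq. Assumed values: the template name WebServer, the public host name vpn.example.com, the CA config string, and the C:\temp paths.

```powershell
# Added example: request an SSTP server certificate from the SBS 2011 enterprise CA.
# CERTSRV_E_NO_CERT_TYPE means the request named no template; [RequestAttributes] below
# supplies it. Host name, CA config string, template and paths are assumptions.
$inf = @"
[NewRequest]
; the public name SSTP clients will connect to (assumed)
Subject = "CN=vpn.example.com"
KeyLength = 2048
; hash used to sign the request itself; the CA's own signing hash is a separate setting
HashAlgorithm = sha256
Exportable = FALSE
; computer store, which is where RRAS looks for the SSTP binding
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
RequestType = PKCS10
; digitalSignature + keyEncipherment
KeyUsage = 0xA0
[EnhancedKeyUsageExtension]
; serverAuth, required for a TLS listener such as SSTP
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
; subjectAltName; current clients match the SAN, not the CN
2.5.29.17 = "{text}"
_continue_ = "dns=vpn.example.com"
[RequestAttributes]
; the attribute the policy module said was missing
CertificateTemplate = WebServer
"@
Set-Content -Path C:\temp\sstp.inf -Value $inf -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request from the INF.
certreq -new C:\temp\sstp.inf C:\temp\sstp.req

# 2. Submit to the CA. -attrib repeats the template name; it is harmless alongside the INF.
certreq -submit -config "SBS2011.example.local\example-SBS2011-CA" `
    -attrib "CertificateTemplate:WebServer" C:\temp\sstp.req C:\temp\sstp.cer

# 3. Install the issued certificate and join it to the private key created in step 1.
certreq -accept C:\temp\sstp.cer

# Check: the certificate is in the machine store with its private key, and see which
# hash the CA used to sign it (a SHA1 signature here is what clients will reject).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*vpn.example.com*' } |
    Select-Object Thumbprint, HasPrivateKey, NotAfter,
        @{ n = 'Signature'; e = { $_.SignatureAlgorithm.FriendlyName } }
```

Run it in an elevated PowerShell on the SBS host as an account that has Enroll permission on the template; if -submit still returns the template error, the template is not published on that CA.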
What's SSTP?

Use the Wizards. In SBS _always_ use the Wizards.
Like the man said, wizards.
ASKER

Using the wizard is not helpful, because it tries to build up a PPTP connection, which is not an option.
1. You need a publicly trusted certificate; your CA does not issue this.
2. You have to change the certificate bindings; right now they are set to your gateway.
SBS 2011 has reached EOL, Jan 14, 2020.

https://www.em-soft.si/myblog/elvis/?p=63
I give up. This was the last customer running SBS and I hope to never see another again. I tried all suggested solutions and none worked. I'll switch to Raspberry Pi with OpenVPN.
What is the existing edge there?

We use SonicWALL. Anyone that needs a VPN connection we set up with an SSL VPN User ID and Password.

Are you familiar with RD Gateway?

Is HTTPS 443 port forwarded to SBS which I think it should be?

If it is, then RD Gateway gives you the ability to access any endpoint via RDP using the "Use this Gateway" setting which is the URL folks use to access the Remote Web Access portal and/or OWA.

The SBS Console shows the above settings.

EDIT: DUO for RD Gateway/Web is absolutely simple to set up and implement. It provides that layer of protection that users would otherwise get with a VPN. Which means, hit the RD Gateway, Log On, DUO Prompt, and they are in. No need to start some sort of VPN client prior.

NOTE: RD Gateway gets rid of the NETBIOS and other issues that come with VPN.
Thanks for all the suggestions. I managed to generate the certificates last time, but then found out that SBS can only generate certificates with SHA1, which are no longer trusted.
I have now established a VPN to the router using Shrew.
I really hope never to see an SBS again. 😁😁
You can reconfigure the 2008 CA to use SHA256 instead of SHA1, then renew the CA's Certificate and start issuing SHA256 based certificates.

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/upgrade-certification-authority-to-sha256/ba-p/1129040
Thanks, but this will be too much action for an old OS.
What do you mean?
It is a few-step thing.
Run the certutil tool to make the change.
Restart the CA service.
The CA might remain SHA1 while the SSTP cert will be SHA256.
With the current limit on certificates being dropped to yearly, you will have to revisit this issue yearly.

It does not seem like the client is inclined to go newer.
Potentially, if they do, they will consult you before getting new hardware and then have you fit the square peg in a round hole.

Is virtualization a go to for you?
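The certutil change and CA restart described above, as an added example (not code from the thread or from the linked article), with the precondition that the techcommunity article also stresses checked first: the CNGHashAlgorithm setting only takes effect when the CA's key is held by a CNG key storage provider. The CA name and file paths are assumptions.

```powershell
# Added example: switch the SBS 2011 CA to signing issued certificates with SHA256.
# Only the CA's signing hash changes; the CA's own certificate keeps its SHA1 self-signature
# until renewed, which is acceptable: clients do not check the root's self-signature,
# they check the signatures on the leaf and any intermediate.

# 1. Precondition: the CA key must live in a CNG provider for CNGHashAlgorithm to apply.
#    Legacy CSP names end in "Cryptographic Provider"; such a CA key needs migrating first.
$provider = (certutil -getreg ca\csp\Provider) -join "`n"
if ($provider -match 'Cryptographic Provider') {
    throw "CA key is in a legacy CSP; migrate the key to a KSP before changing the hash."
}

# 2. Make the change and restart the CA service so it is picked up.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service certsvc

# 3. Verify the setting was written (assumed registry path under the CA's CSP key).
certutil -getreg ca\csp\CNGHashAlgorithm

# 4. Verify on a freshly issued certificate rather than on the CA cert: export the CA's
#    certificate for comparison, then compare the signature algorithm of a new leaf.
certutil -ca.cert C:\temp\ca.cer | Out-Null
$caSig = (Get-PfxCertificate C:\temp\ca.cer).SignatureAlgorithm.FriendlyName
Write-Host "CA certificate self-signature: $caSig  (SHA1 here is expected until CA renewal)"

# Any certificate issued after the restart should report sha256RSA (name is an assumption).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*vpn.example.com*' } |
    ForEach-Object { "$($_.Thumbprint) signed with $($_.SignatureAlgorithm.FriendlyName)" }
```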
We are thinking about a new OS, and new hardware. Everything is more than 10 years old. 😁
Virtualization with the new SBS, Windows Server Essentials, is one of those considerations?
My customer wants to keep his own Exchange server. Maybe we go for Win2016, maybe with a second server for Exchange, both as VMs on the VMware community edition.
You could get 2019/22 VLCS and use 2016.
How many users?

Are you looking to use the essential version as the AD to roll in 50 users?

https://docs.microsoft.com/en-us/windows-server-essentials/manage/integrate-an-on-premises-exchange-server-with-windows-server-essentials
Don't know yet. I have to talk to my customer. Small business owner, quite complicated 😅
Good luck. Two things to cover the upgrade and the modified environment if going virtual.
Best of luck.
I managed to upgrade at another customer from SBS 2008 with Essentials 2019, but there I could sell Exchange online.
It's not easy to sell cloud to small businesses in Germany. 🤔
In this case I have to move from XenServer to VMware, but I think it will work.
ASKER CERTIFIED SOLUTION
Philip Elder

Do I need a licence for the temp Exchange 2013?
> In my not so humble opinion keeping Exchange on-premises is best. What's the point of putting our data on someone else's computer?

So M$ has a steady income stream.
When you dance with the devil, expect your toes to be stepped on.

Exchange 2013 I think is a paper license, so no time bombs.
Often, if you have the newer exchange as a VLCS license, you have access to the prior version as well.
No license needed for the Temp Server and Exchange. The migration should happen well within the trial period for both.