Martin Kühn asked:

Unable to install certificate with CA on SBS 2011

At a customer's site, who is still working with SBS 2011, I would like to set up SSTP. I am running into problems with the certificate. I used IIS to submit a request to the built-in PKI, but this is not accepted. I always get an error (rough translation from German):

The request does not contain certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE).
Denied by policy module 0x80094801, The request does not contain the certificate template extension or the CertificateTemplate request attribute.

I found an article to request a computer certificate manually and to install it with

`certreq -submit -attrib "certificateTemplate:<TemplateName>" c:\Path\<RequestFile>.req`, but same result.

Tags: Installation, SBS

Last comment: Philip Elder, 8/22/2022 (Mon)
arnold

The Web server certificate is not valid for what you are trying to use it for.

You may have to create the appropriate template using CA template mmc  on the server.
You can then use http://sbs2011/SrvEnroll to generate the certificate for SSTP.

you might be able to use certutil to do the same.

https://mihoitpro.blogspot.com/2014/11/build-stp-vpn-server-part-1-issue-ssl.html
Philip Elder

What's SSTP?

Use the Wizards. In SBS _always_ use the Wizards.
pgm554

Like the man said, wizards.
Martin Kühn

ASKER
Using the wizard is not helpful, because it tries to build up a PPTP connection, which is not an option.
David Johnson, CD

1. You need a publicly trusted certificate; your CA does not issue this.
2. You have to change the certificate bindings; right now they are set to your gateway.
[Images: SSTP8.png, SSTP7.png]
SBS 2011 has reached EOL Jan 14, 2020.

https://www.em-soft.si/myblog/elvis/?p=63
Martin Kühn

ASKER
I give up. This was the last customer running SBS and I hope to never see another again. I tried all suggested solutions and none worked. I'll switch to Raspberry Pi with OpenVPN.
Philip Elder

What is the existing edge there?

We use SonicWALL. Anyone that needs a VPN connection we set up with an SSL VPN User ID and Password.

Are you familiar with RD Gateway?

Is HTTPS 443 port forwarded to SBS which I think it should be?

If it is, then RD Gateway gives you the ability to access any endpoint via RDP using the "Use this Gateway" setting which is the URL folks use to access the Remote Web Access portal and/or OWA.

The SBS Console shows the above settings.

EDIT: DUO for RD Gateway/Web is absolutely simple to set up and implement. It provides that layer of protection that users would otherwise get with a VPN. Which means, hit the RD Gateway, Log On, DUO Prompt, and they are in. No need to start some sort of VPN client prior.

NOTE: RD Gateway gets rid of the NETBIOS and other issues that come with VPN.
Martin Kühn

ASKER
Thanks for all the suggestions. I managed to generate the certificates last time, but then found out that SBS can only generate certificates with sha1, which are no longer trusted.
I have now established a vpn to the router using SHREW.
I really hope to never see an SBS again. 😁😁
arnold

You can reconfigure the 2008 CA to use SHA256 instead of SHA1, then renew the CA's Certificate and start issuing SHA256 based certificates.

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/upgrade-certification-authority-to-sha256/ba-p/1129040
Martin Kühn

ASKER
thanks, but this will be too much action for an old OS
arnold

What do you mean?
It is a few-step thing.
Run the certutil tool to make the change.
Restart the CA service.
The CA might remain SHA1 while the SSTP cert will be SHA256.
With the current limit on certificates being dropped to yearly, you will have to revisit this issue yearly.

it does not seem like the client is inclined to go newer.
Potentially, if they do, they will consult you before getting new hardware and then have you fit the square peg in a round hole.

Is virtualization a go to for you?
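The steps arnold outlines above (switch the CA's signing hash to SHA256 with certutil, restart the CA service) combined with the template-attribute submission from the original question, as an added example that is not part of the thread. It assumes the CA key lives in a CNG key storage provider, which is what the CNGHashAlgorithm registry value applies to; the CA config string, template name and file paths are placeholders. Run in an elevated PowerShell prompt on the SBS server.

```powershell
# Added example, not from the thread. Placeholders: adjust to the real environment.
$caConfig = "sbs2011.example.local\SBS-CA"   # "<hostname>\<CA name>"; see "certutil -dump"
$template = "WebServer"                       # template name as shown in certtmpl.msc
$reqFile  = "C:\certs\sstp.req"               # CSR generated from IIS or certreq -new
$cerFile  = "C:\certs\sstp.cer"               # issued certificate will be written here

# 1. Show the hash algorithm the CA currently signs with (expect SHA1 on an untouched SBS 2011).
certutil -getreg ca\csp\CNGHashAlgorithm

# 2. Switch the CA to SHA256. This only takes effect when the CA key is held by a CNG
#    KSP; a legacy CSP key has to be migrated first (see the linked Microsoft article).
certutil -setreg ca\csp\CNGHashAlgorithm SHA256

# 3. Restart Active Directory Certificate Services so the new setting is picked up.
Restart-Service certsvc

# 4. Submit the CSR with the CertificateTemplate attribute. Omitting it is what produces
#    CERTSRV_E_NO_CERT_TYPE (0x80094801) in the question: the policy module cannot match
#    a request to a template it does not name. The submitting account needs Enroll rights
#    on that template.
certreq -submit -config $caConfig -attrib "CertificateTemplate:$template" $reqFile $cerFile

# 5. Verify the issued certificate is SHA256-signed before binding it for SSTP.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerFile
$cert.SignatureAlgorithm.FriendlyName     # should now read sha256RSA rather than sha1RSA
$cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Enhanced Key Usage" } |
    ForEach-Object { $_.Format($true) }   # must list Server Authentication for SSTP
```

The CA's own certificate stays SHA1-signed until it is renewed, which is the point arnold makes; issued end-entity certificates are what the SSTP clients validate.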
Martin Kühn

ASKER
We are thinking about a new OS, and new hardware. Everything is more than 10 years old. 😁
arnold

virtualization with the new SBS, windows server essentials, is one of those considerations?
Martin Kühn

ASKER
My customer wants to keep his own exchange server. Maybe we go for Win2016, maybe with a second server for exchange both as VMs on the vmware community edition.
arnold

you could get 2019/22 vlcs and use 2016
how many users?

Are you looking to use the essential version as the AD to roll in 50 users?

https://docs.microsoft.com/en-us/windows-server-essentials/manage/integrate-an-on-premises-exchange-server-with-windows-server-essentials
Martin Kühn

ASKER
Don't know yet. I have to talk to my customer. Small business owner, quite complicated 😅
arnold

Good luck. Two things to cover the upgrade and the modified environment if going virtual.
Best of luck.
Martin Kühn

ASKER
I managed to upgrade at another customer from SBS 2008 with Essentials 2019, but there I could sell Exchange online.
It's not easy to sell cloud to small businesses in Germany. 🤔
In this case I have to move from Xen server to Vmware, but I think it will work.
ASKER CERTIFIED SOLUTION
Philip Elder

Martin Kühn

ASKER
Do I need a licence for the temp Exchange 2013?
pgm554

> In my not so humble opinion keeping Exchange on-premises is best. What's the point of putting our data on someone else's computer?

So M$ has a steady income stream.
When you dance with the devil, expect your toes to be stepped on.

Exchange 2013 I think is a paper license, so no time bombs.
arnold

Often, if you have the newer exchange as a VLCS license, you have access to the prior version as well.
Philip Elder

No license needed for the Temp Server and Exchange. The migration should happen well within the trial period for both.