Thursday, May 03, 2012 7:43 PM
This seems to be a common problem, but without a common solution. I have stood up a Server 2008 R2 SP1 member server in my domain and installed the certificate services and web enrollment components. Auto enrollment works fine, but the web enrollment portion is giving me the error that no certificate templates could be found. This is an Enterprise CA and we have created custom templates for about half of our active templates, but none of the templates appear to be visible to the web enrollment process. I need to issue certificates to systems that are in a different domain, and I cannot find a way to do that without the web enrollment service. Does the Web enrollment process require special configuration to get it to work?
I have tried changing application pools so I could change to the Network service, and I have tried adding security settings to give the CA computer account read / enroll permissions on a template or two. It does not seem to matter how the template subject matter tab is configured either.
Any help would be appreciated.
Thursday, May 03, 2012 9:35 PM
One new piece of information I have discovered. When I run certutil.exe -CATemplates (case sensitive), I see all of the templates, but they are marked as access denied. As a domain admin / Enterprise admin I see that I have Read / Write / Enroll, so I am not sure why I get access denied.
Friday, May 04, 2012 7:54 AM
Moderator
Please try to perform the following steps:
1. Disable Anonymous Authentication and enable Windows Authentication, so the template permission information maps to the currently logged-on user's credentials.
2. Remove and re-add the configured template from the CA snap-in:
Certificate Templates -> select and delete the template -> right-click on "Certificate Templates" -> New -> "Certificate Template to Issue". Add back the configured template.
Hope this helps!
TechNet Community Support
Friday, May 04, 2012 1:31 PM
The CertSrv folder was already set with Anonymous disabled and Windows Authentication enabled. You didn't specify where you want this set, so I checked the Default Web Site and it was not this way, so I set the default web site to use Windows Authentication and disabled anonymous authentication. This didn't fix it or change the behavior in any way that I can see.
Prior to making the above change, I took a network trace with NETMON and confirmed that the computer account for my CA is accessing the configuration container in AD and not my account. When I look at the IIS logs, I see that my account was referenced as the account accessing each page, so I am not sure why pass-through is not working. It is a Kerberos authentication, but I am not sure if I need to do something else so that the pass-through to AD can be facilitated (some kind of trusted-for-delegation setting that I have overlooked?).
What I see in the network trace is that the computer account logs in using Kerberos. A connection is then made to LDAP. The CA searches the Certificate Templates container and obtains a list of available templates (appears to return them all). The CA then goes through a series of queries for each template in the list. Every query returns no data but is reported successful. My credentials do not appear to have been passed to the server during that exchange.
So I think you are right that the CA is using the machine credentials instead of mine, but I believe IIS is set up correctly to authenticate me to the web site using my credentials. For some reason the CA does not use my credentials to reach back to Active Directory. I don’t know how to affect this behavior within the configuration of the web enrollment process.
- Edited by Oldguard Friday, May 04, 2012 1:32 PM
Friday, May 04, 2012 2:16 PM
I have tried recreating templates and creating new templates. I have tried changing settings within templates, including changes that affect the subject and the exportability of the private key. Nothing makes them visible.
Sunday, May 06, 2012 1:00 AM
By web Enrolment do you mean http://caserver/certsrv? If so, this method of enrolment only supports V1 certificates. If you have only published V2 (Windows Server 2003) and V3 (Windows Server 2008) certificate types, then you will not see these in the Web Enrolment (aka CA Web Enrolment). To check, make sure you have a V1 certificate template available. This template should be visible in the CA Web Enrolment page.
Alternate methods of enrolment are via the Certificates MMC snap-in or via "Web Services Certificate Enrolment", which is a new enrolment method introduced in Windows Server 2008 R2.
- Marked As Answer by Oldguard Monday, May 07, 2012 12:35 PM
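One way to perform the check the answer above suggests, as an added example that is not part of the thread: read the templates the CA publishes from the Configuration partition and report each one's template schema version, since only version 1 templates are offered by the legacy /certsrv pages. The CA common name passed in as $CaName is an assumption (it is the name shown in the Certification Authority console); the script needs only read access to the Configuration naming context.

```powershell
# Added example (not from the thread): list the templates published on an
# Enterprise CA and flag which ones the legacy /certsrv web enrollment pages
# can offer. Only schema version 1 (Windows 2000-style) templates appear
# there; V2 (Server 2003) and V3 (Server 2008) templates are silently skipped,
# which produces the "no certificate templates could be found" symptom.
param(
    [Parameter(Mandatory = $true)]
    [string]$CaName   # assumption: the CA's common name, e.g. "CONTOSO-CA01-CA"
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext

# The CA's pKIEnrollmentService object; its certificateTemplates attribute
# holds the CNs of the templates the CA is configured to issue.
$pkiServices = "CN=Public Key Services,CN=Services,$configNc"
$caObject    = [ADSI]"LDAP://CN=$CaName,CN=Enrollment Services,$pkiServices"
$published   = @($caObject.certificateTemplates)

if ($published.Count -eq 0) {
    Write-Warning "No templates are published on CA '$CaName' (or the object could not be read)."
    return
}

# Each published name is the CN of a pKICertificateTemplate object.
$report = foreach ($name in $published) {
    $tpl     = [ADSI]"LDAP://CN=$name,CN=Certificate Templates,$pkiServices"
    $version = [int]($tpl.'msPKI-Template-Schema-Version' | Select-Object -First 1)
    [pscustomobject]@{
        Template         = $name
        DisplayName      = [string]($tpl.displayName | Select-Object -First 1)
        SchemaVersion    = $version
        VisibleInCertSrv = ($version -eq 1)   # legacy web enrollment shows V1 only
    }
}

$report | Sort-Object SchemaVersion, Template | Format-Table -AutoSize

if (-not ($report | Where-Object VisibleInCertSrv)) {
    Write-Warning ("No V1 templates are published on '$CaName'; the /certsrv pages " +
                   "will report that no templates could be found. Use the Certificates " +
                   "MMC snap-in or Certificate Enrollment Web Services for V2/V3 templates.")
}
```

Access-denied results from certutil -CATemplates are a separate permission question; this script only explains which published templates the legacy pages are able to list.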
Monday, May 07, 2012 4:07 PM
That has to be what it is... I was converting everything over to V3 copies before adding them. Since I have no Version 2 or 3 templates, I guess I will see no templates in the old method. I guess I have some more reading to do... Appreciate the help.
Sunday, July 08, 2012 10:32 PM
I ran into this issue lately as well. Turns out the issue in my case was the Authentication settings on a few virtual directories. Have a look at a blog post I wrote about it. Hopefully it helps you or others.