ADCS Web Enrollment across trusted domains
Thursday, February 07, 2013 5:34 PM
Domain A. Windows 2008 R2
PKI in Domain A
CA Web Enrollment installed in Member sever of Domain A
Users in Domain A are able to request certificates through CA Web Enrollment
Domain B. Windows 2003
Users in Domain B can access the CA Web Enrollment in Domain A, but when they submit the request this error occurs:
Error

Your request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.
- Request Mode: newreq - New Request
- Disposition: (never set)
- Disposition message: (none)
- Result: The RPC server is unavailable. 0x800706ba (WIN32: 1722)
- COM Error Info: CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722)
- LastStatus: The operation completed successfully. 0x0 (WIN32: 0)
- Suggested Cause: This error can occur if the Certification Authority Service has not been started.
What are the right places where access rights must be granted to the users of Domain B in order to work across bidirectionally trusted domains?
Local IIS?
Local CA groups?
Certificate template?
Certificate DCOM global group in AD?
Thanks
JOSELITO
- Edited by Jose Gonzalez Jimenez Thursday, February 07, 2013 5:38 PM
- Edited by Jose Gonzalez Jimenez Thursday, February 07, 2013 5:39 PM
- Edited by Jose Gonzalez Jimenez Thursday, February 07, 2013 5:42 PM
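The result block pasted above carries two HRESULTs, 0x800706ba and 0x0, each annotated with its Win32 code. The following is an added example (not from the original post or from Microsoft) that parses such a Web Enrollment result block and decodes the HRESULTs by their documented layout: bit 31 is the failure bit, bits 16-26 the facility, bits 0-15 the code, and for facility 7 (WIN32) the code is the original Win32 error number. The sample text is a constructed copy of the block in the question; the Win32 name table is a small hand-picked subset, and the cause text for 1722 restates the page's own "Suggested Cause".

```python
"""Decode HRESULTs from an AD CS Web Enrollment result block (added example)."""
import re

# Constructed sample: the result block as it appears in the question above.
SAMPLE_ERROR = """\
Request Mode: newreq - New Request
Disposition: (never set)
Disposition message: (none)
Result: The RPC server is unavailable. 0x800706ba (WIN32: 1722)
COM Error Info: CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722)
LastStatus: The operation completed successfully. 0x0 (WIN32: 0)
"""

# HRESULT facility numbers from the Windows SDK (winerror.h).
FACILITY_NAMES = {
    0: "NULL", 1: "RPC", 2: "DISPATCH", 3: "STORAGE", 4: "ITF",
    7: "WIN32", 8: "WINDOWS", 9: "SECURITY", 11: "CERT", 12: "INTERNET",
}

# Small constructed subset of Win32 error names relevant to CCertRequest::Submit.
WIN32_NAMES = {
    0: "ERROR_SUCCESS",
    5: "ERROR_ACCESS_DENIED",
    1722: "RPC_S_SERVER_UNAVAILABLE",
    1753: "EPT_S_NOT_REGISTERED",
}

# Likely causes; the 1722 text restates the page's "Suggested Cause" line.
LIKELY_CAUSES = {
    1722: "Certification Authority service not started, or RPC/DCOM to the CA unreachable",
    5: "caller lacks Request Certificates permission on the CA or Enroll on the template",
}

FIELD_RE = re.compile(r"^\s*-?\s*([A-Za-z ]+):\s*(.*)$")
HRESULT_RE = re.compile(r"0x([0-9A-Fa-f]{1,8})\b")
ANNOT_RE = re.compile(r"\s*\(WIN32:\s*(\d+)\)")


def decode_hresult(value):
    """Split an HRESULT into severity, facility and code; name Win32 codes."""
    failed = bool(value & 0x80000000)        # bit 31: 1 = failure
    facility = (value >> 16) & 0x7FF         # bits 16-26
    code = value & 0xFFFF                    # bits 0-15
    return {
        "failed": failed,
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, "UNKNOWN(%d)" % facility),
        "code": code,
        # Only FACILITY_WIN32 carries a plain Win32 error number in the low word.
        "name": WIN32_NAMES.get(code, "WIN32_%d" % code) if facility == 7 else None,
        "likely_cause": LIKELY_CAUSES.get(code) if facility == 7 else None,
    }


def parse_fields(page_text):
    """Turn 'Field: value' lines of the result block into an ordered dict."""
    fields = {}
    for line in page_text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def triage(page_text):
    """Decode every HRESULT in the block and check its '(WIN32: n)' annotation."""
    findings = []
    for field, value in parse_fields(page_text).items():
        for m in HRESULT_RE.finditer(value):
            info = decode_hresult(int(m.group(1), 16))
            info["field"] = field
            info["hresult"] = "0x%08X" % int(m.group(1), 16)
            # The annotation, when present, must agree with the decoded low word.
            ann = ANNOT_RE.match(value, m.end())
            info["annotation_matches"] = ann is None or int(ann.group(1)) == info["code"]
            findings.append(info)
    return findings


def failed_submissions(page_text):
    """Only the findings whose failure bit is set."""
    return [f for f in triage(page_text) if f["failed"]]


if __name__ == "__main__":
    for f in failed_submissions(SAMPLE_ERROR):
        print("%s: %s %s/%d %s -> %s" % (f["field"], f["hresult"], f["facility_name"],
                                          f["code"], f["name"], f["likely_cause"]))
```

Run against the sample, the two failing fields (Result and COM Error Info) decode to facility WIN32, code 1722 (RPC_S_SERVER_UNAVAILABLE), and LastStatus decodes to a non-failure S_OK, which is why the page's own "Suggested Cause" points at the CA service rather than at a permission problem: an authorization failure from the CA would surface as a different Win32 code.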
All Replies
Thursday, February 07, 2013 10:51 PM (Moderator)
That method for enrolling in your situation with those Windows Server 2003 clients will not work any longer. See AD CS: Web Enrollment: http://technet.microsoft.com/library/cc732517.aspx and http://support.microsoft.com/kb/922706.
You can also implement Certificate Enrollment Web Services
but you will need a client for your Windows XP and Windows Server 2003 systems, which is not provided by Microsoft. However, Brian Komar and Zeva worked to develop one for that purpose. You can see http://www.komarconsulting.com/Pages/default.aspx for more information on that.
That is where this situation sits right now. You should seriously consider moving that other domain forward to more recent OS versions.
- Proposed As Answer by LutzMH Friday, February 08, 2013 12:59 AM
- Marked As Answer by K_evin Zhu (Microsoft Contingent Staff, Moderator) Monday, February 25, 2013 9:33 AM
Saturday, February 09, 2013 7:38 PM
Thanks Kurt:
I know this will not work if my client is using WXP for user enrollment.
But I just want to provide to Web Admins a web enrollment environment in order to submit a CSR for a separate Web Server for approval, and collect the issued certificate, not for personal enrollment.
So it looks like just a question of rights, but again, where?
Regards
JOSELITO
Monday, February 11, 2013 11:44 PM (Moderator)
Windows Server 2003 also has the same issue as Windows XP. Look at KB article 922706: they deprecated the feature you are trying to use.
- Marked As Answer by K_evin Zhu (Microsoft Contingent Staff, Moderator) Monday, February 25, 2013 9:33 AM