none
The certificate enrollment page you are attempting to access cannot be used with this version of Windows

    General discussion

  • Greetings: I have CA on windows 2003 r2 sp2, with all the latest hotfixes/updates. Now when windows 2008 r2 sp1 servers are trying to get certificates i am getting error msg( see below). I am installed confirmed the update is installed , but still i am getting this error,what am i missing... This happens for windows 7 sp1 machines too. works fine for 2003, xp machine

    The certificate enrollment page you are attempting to access cannot be used with this version of Windows. To enable Web certificate enrollment for clients running Windows Vista, your administrator must update all Windows CA Web enrollment pages. To learn more about this issue and the steps needed to update Web enrollment pages to support all versions of Windows, see:

    http://support.microsoft.com/kb/922706

    Thanks

    Sam

    Wednesday, October 12, 2011 5:20 PM

All replies

  • As per mentioned KB:

    The security update 2518295 MS11-051: Vulnerability in Active Directory Certificate Services Web Enrollment could allow elevation of privilege: June 14, 2011 is a security update that fixes security vulnerabilities in Active Directory certification authority (CA) Web enrollment ASP pages. It also includes fixes for the issues fixed in 922706. Security update MS11-051 replaces the fix in 922706 and we advise customers to install the security update 2518295 instead of this hotfix 922706. This security update can only be installed if you have a certification authority (CA) installed and configured for web enrollment.

    2518295 (http://support.microsoft.com/kb/2518295/ ) MS11-051: Vulnerability in Active Directory Certificate Services Web Enrollment could allow elevation of privilege: June 14, 2011

    You need to install this update: http://support.microsoft.com/kb/2518295


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Wednesday, October 12, 2011 5:38 PM
  • i did a quick look on the windows 2003 machine wmic qfe list |findstr /i /c:"295", i see KB2518295 is installed.

    Security Update for Windows Server 2003 (KB2518295)          Update        KB2518295

    is there anyother hotfix that should not be there and is there on the 2003 machine. ?

    Wednesday, October 12, 2011 6:08 PM
  • As far as I know, there are no known issues with the update.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Wednesday, October 12, 2011 6:30 PM
  • As far as I know, there are no known issues with the update.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    I am having the same problem. I have installed from the exe file:
    WindowsServer2003-KB2518295-x86-ENU.exe 

    Also I had to manually edit one of the cert*.asp files and remove these lines:

    7: <!-- #include FILE=certcert.in -->

    205: <!-- #include FILE=certcnst.inc -->

    206: <!-- #include FILE=xenrprxy.inc -->

    To even be able enroll Certificates on the local machine.

    Are you sure there is no problem with the patch? I have tried to install the patch several times, updates from WindowsUpdate, rebooted and still it doesnt work.

    Tuesday, October 18, 2011 2:32 PM
  • There is nothing wrong with the patch.

    you should not have had to edit the asp pages to get enrollment working

    Brian

    Tuesday, October 18, 2011 3:11 PM
  • There is nothing wrong with the patch.

    you should not have had to edit the asp pages to get enrollment working

    Brian

    Absolutely. I fully understand that =) However, my reality is another =) Therefor I came to look for an answer.
    Tuesday, October 18, 2011 3:20 PM
  • Hi,

     

    Could You please specify the file You edited to get this working. We are having the same problem - the patch is installed, but still the problem exists...

     

    Thanks,

    Peteris

    Sunday, October 23, 2011 7:38 PM
  • Brian, I have the same problem too. So there is definitely smth wrong with the patch. I have Windows 2003 R2 x64.
    Saturday, October 29, 2011 1:39 PM
  • It seems I have found the solution. Uninstall KB2518295. Install KB 922706. Then install KB2518295.

    Saturday, October 29, 2011 2:46 PM
  • Anatolli: you are right Uninstall KB2518295. Install KB922706, then install KB2518295 . Also only installing KB922706 works.

    MS should have mentioned in the KB, the description is deceive.

    Thanks to everybody who commented 

    Sunday, October 30, 2011 3:39 AM
  • Thank you Anatolii, that worked for me also.

    I'm assuming that KB922706 could be installed by re-applying Windows 2003 SP2.

    Here is a link to KB922706 in case someone doesn't want to re-apply SP2: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=26328

     

    Wednesday, November 02, 2011 6:38 PM
  • Hi everyone!

    Windows PKI team has confirmed this issue and are working on resolution. I wrote a little blog-post regarding this issue and workaround: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=53


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Thursday, November 03, 2011 9:19 AM
  • It seems I have found the solution. Uninstall KB2518295. Install KB 922706. Then install KB2518295.

    Good call Anatolii. Thanks, saved me a lot of time. KB2518295 is in the "Software Updates for Windows Server 2003" section and is labelled as a "Security update for Windows Server 2003" in case anyone is going blind looking for it. Or you could just install "MyUninstaller" which has a search facility in it.

    Certificate Server functionality only broke for me in the last few days (May 2012), even though I had kept the server relatively up-to-date and Anatolii's solution fixed it with very little fuss. Took a while to find this thread though. I was experiencing IIS 500 Internal Server Error when I browsed to the certrqma.asp page. Previous .asp pages leading to this one were ok. Once I turned "Show Friendly HTTP error messages off" (BTW Microsoft, awful Spanish translation for that option: 'Mostrar mensajes de error HTTP descriptivos' - it means just about the opposite and is counter-intuitive, but don't get me started on some of your hilarious translations) in MSIE I got the missing certcnst.inc file error, which lead me to this thread.

    Thanks again people.

    Saturday, May 12, 2012 2:27 PM