HowTo request and install manually a certificate on Windows Server Core

    Question

  • Hello,

    I have a strange problem on a new Windows Server 2008 R2 Core domain controller. I have a Windows Server 2003 R2 forest with one other Windows Server 2003 R2 domain controller and a Windows Server 2003 R2 domain member with AD CA. The old domain controller should be migrated to a new one.

    Running dcpromo for the new domain controller on Windows Server 2008 R2 Core Edition completed without error messages.

    At the moment the new domain controller has the DNS, WINS, DHCP, DFS, some file server add-ons and Print Server roles installed. Only DHCP and the print server are not yet fully configured.

     After several restarts I found a new log message:

    Event Details
    Product:  Windows Operating System 
    ID:  29 
    Source:  Microsoft-Windows-Kerberos-Key-Distribution-Center 
    Version:  6.0 
    Symbolic Name:  KDCEVENT_MISSING_KDC_CERTIFICATE 
    Message:  The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate. 
    

    I took a look in the local computer certificate store. There were only two certificates: IPSec and Computer. Domain Controller was missing.


    In the Domain Controllers Policy GPO I had already enabled automatic certificate requests. After some searching I also tried resetting the CERTSVC_DCOM_ACCESS group, but it didn't help. Even after several restarts of the domain controller: no domain controller certificate...


    Therefore my question: how can I install the domain controller certificate manually?

    Normally I would open mmc, load the Certificates snap-in, choose Local Computer, go to the computer's certificates and request a new certificate via right-click, but mmc isn't available on Windows Server Core.
    Opening the same snap-in in a remote session doesn't show the request option.


    Additionally, I don't know why there is no automatic domain controller certificate request and installation. All servers are reachable (ping, nslookup, file share, web server, ...). Other manual or automatic certificate requests are successful (Windows Server and Windows Client). In the event viewer I found no error message with further information.


    regards, Reisenhofer Andreas
    Friday, November 06, 2009 10:47 PM

Answers

All replies

  • Some additional information. I found two possible solutions:

    a.) using a remote mmc to generate a certificate request and send it to the CA with the remote mmc

    b.) using certreq.exe, reqdccert.vbs and XX-req.bat to generate the request and get the certificate from the CA


    Both solutions produce the same error message from the CA (in German): "Der DNS-Name ist nicht verfügbar und kann dem Subjektalternativnamen nicht hinzugefügt werden." 0x8009480f (-2146875377).

    English translation: The DNS name is not available and cannot be added to the subject alternative name.


    I don't know what that means. It seems to me that the DC lost the authorization to get a certificate. As a domain member there was no problem.


    Does somebody know any further helpful tips?
    regards, Reisenhofer Andreas
    Sunday, November 08, 2009 1:44 PM
  • Hi,

     

    The error 0x8009480f occurs because the certificate template is configured to build the subject name from AD information. With the option “Build from this Active Directory information”, the CA will try to impersonate the person making the request and then check the account for the DNS name. Based on my understanding, we need to run the command in the system context to request a computer certificate. If we run it in the user context, the request will fail with the "DNS name is unavailable..." error.

     

    Normally, a domain controller should be able to request a domain controller certificate by using autoenrollment. To troubleshoot the issue, please run gpupdate /force on the Windows Server 2008 R2 Core and check if there is any CertificateServicesClient-CertEnroll warning/error logged in the Application event log (Event Viewer\Windows Logs\Application). If there is, please let me know the description of the events for research.

     

    I look forward to your response.

     

    Joson Zhou

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, November 09, 2009 8:56 AM
    Moderator
  • Hi,

    Thank you for your answer and the explanation for the 0x8009480f error.

    Yes, you are right - normally there should be autoenrollment. However, I ran gpupdate /force on the Windows Server 2008 R2 Core and found only CertificateServicesClient-CertEnroll Information entries (event IDs 64 and 65), no CertificateServicesClient-AutoEnrollment entries and no new domain controller certificate.


    regards, Reisenhofer Andreas
    Monday, November 09, 2009 11:05 AM
  • Hi,

    Please run the following commands on the server and export the output to me for research:

    certutil -dcinfo verify > dcinfo.txt
    gpresult /z > gpresult.txt

    After that, please upload the files to the following space:

    https://sftasia.one.microsoft.com/choosetransfer.aspx?key=f8d2cf43-d12b-4c56-bb6e-255b55dd51a8
    Password: f@Kedi7D]s%2

    Note: Please also let me know the computer name of the Windows Server 2008 R2 Core computer.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, November 10, 2009 6:54 AM
    Moderator
  • Hi,

    I finished the upload of both files in one ZIP file. It is called with the computer name. Do you need any further information?
    regards, Reisenhofer Andreas
    Tuesday, November 10, 2009 10:12 AM
  • Hi,

     

    Thanks for the information.

     

    I’ve checked the files. Unfortunately, I can only confirm that there is no KDC certificate installed on DC03, as the information is not displayed in English.

     

    Based on the current situation, please help capture the network traffic for further research:

     

    1.    Please install Netmon 3.3 on the DC03 and the CA Black***** Zert*******:

    Microsoft Network Monitor 3.3
    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f

    2.    Right-click the Netmon icon and select Run as Administrator to launch NetMon3.3 on both machines.

    3.    In the Microsoft Network Monitor 3.3 window, click Create a new capture tab.

    4.    In the new tab, select all the Network Adapters in the Select Networks window.

    5.    Press F10 to start NetMon.

    6.    Run the command gpupdate /force on DC03.

    7.    After you see the message “Policy update has completed successfully”, please wait around 1 minute and then go back to the NetMon window and press F11 to stop the NetMon on both machines.

    8.    Press Ctrl+S to save the Netmon files.

    9.    Please upload the netmon files and Application log (DC03) to the space.

     

    In addition, please perform the following steps to check if we can manually request a domaincontroller certificate from CA:

     

    1.    Open Notepad on DC03, copy the following sample text and save as a .inf file (request.inf for example):

    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=FQDN of DC03" ; FQDN here
    KeySpec = 1
    KeyLength = 1024
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [RequestAttributes]
    CertificateTemplate=DomainController

    2.    Run the command certreq -new request.inf request.req on DC03, press Enter.

    3.    Download PsTools from the following link so that we can request the certificate by using the system context:

    http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

    4.    Extract the file, open Command Prompt and run psexec -s cmd.exe on DC03, press Enter.

    5.    Run the command certreq -submit -config CAServerName\CertificationAuthorityName request.req on DC03, press Enter.

    If the output is “Certificate retrieved(Issued) Issued”, then we can confirm that it is possible to manually request a domain controller certificate from the CA.


    I look forward to your response.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, November 11, 2009 9:14 AM
    Moderator
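The two points made in the reply above, that the DomainController template builds its subject from AD and therefore needs the SYSTEM context, and the certreq -new / -submit / -accept sequence, combined into one script as an added example. It is not part of the original thread or of any Microsoft tooling. The CA config string `CA01.example.local\Example Issuing CA` and the working directory `C:\certreq` are placeholder assumptions; the FQDN is read from the host. It is meant to be started from the `psexec -s -i cmd.exe` window on the Server Core DC and refuses to run in a user context, because that is exactly the case that produces 0x8009480f. PowerShell is an optional feature on 2008 R2 Core and has to be enabled first; the script only uses certreq/certutil and .NET classes available in PowerShell 2.0.

```powershell
# Added example (not from the thread): request a Domain Controller certificate
# on Windows Server Core with certreq.exe, run in the SYSTEM context.
# Assumptions (replace for your environment):
#   $CaConfig - "CAServerName\CertificationAuthorityName" of the enterprise CA
#   $WorkDir  - scratch directory for the .inf/.req/.cer files

$CaConfig = 'CA01.example.local\Example Issuing CA'   # assumption
$WorkDir  = 'C:\certreq'                               # assumption
$Fqdn     = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName

# The DomainController template builds the subject from AD. The CA resolves the
# DNS name through the *requesting* account, so a request submitted as a user
# fails with 0x8009480f ("DNS name is unavailable..."). Only the machine
# account (SYSTEM) carries the dNSHostName the CA is looking for.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsSystem) {
    throw "Must run as SYSTEM (start from 'psexec -s -i cmd.exe'); current user is $($me.Name)"
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir "$env:COMPUTERNAME.inf"
$req = Join-Path $WorkDir "$env:COMPUTERNAME.req"
$cer = Join-Path $WorkDir "$env:COMPUTERNAME.cer"

# Same layout as the request.inf posted in the thread, with two hardening
# changes: a 2048-bit key instead of 1024, and a non-exportable private key.
# KeyUsage 0xa0 = digitalSignature | keyEncipherment.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[RequestAttributes]
CertificateTemplate = DomainController
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. Build the PKCS#10 request; the private key is created in the machine store.
& certreq.exe -new -f $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 2. Submit to the CA. certreq prints the disposition; anything other than
#    "Issued" (for example "Taken Under Submission" on a CA that requires
#    certificate manager approval) means there is nothing to accept yet.
$submit = & certreq.exe -submit -f -config $CaConfig $req $cer | Out-String
Write-Host $submit
if ($LASTEXITCODE -ne 0 -or $submit -notmatch 'Issued') {
    throw "Request not issued (exit code $LASTEXITCODE); check the CA's Failed/Pending Requests"
}

# 3. Bind the issued certificate to the private key created in step 1.
#    Without this step there is only a .cer file and no usable key pair.
& certreq.exe -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 4. The check that the KDC event 29 text itself recommends.
& certutil.exe -dcinfo verify
```

Run it as `powershell.exe -ExecutionPolicy Bypass -File C:\certreq\Request-DcCert.ps1` inside the `psexec -s -i cmd.exe` window. The `-i` switch matters for the same reason described later in the thread: without an interactive session, any prompt certreq raises is invisible and the command appears to hang.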
  • Hi,

    How's everything going? I've not heard back from you in a few days and wanted to check the current status of the issue. If there is anything unclear, please feel free to respond back.

    Thanks.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, November 16, 2009 2:33 AM
    Moderator
  • Hi,

    There was little time to write an answer. However, I tried several things that took time, and I found a solution for manually requesting a valid certificate.

    I haven't tried Netmon yet. I started with your second suggestion to test a manual request. I wanted to know if the CA is working. I looked for psexec, created the request.inf file, converted it to a request.req file, used cmd to run "psexec -s cmd.exe" and wanted to run the command "certreq -submit -config CAServerName\CertificationAuthorityName request.req", but there was no response at all. Even after an hour, there was no output like "Certificate retrieved(Issued) Issued" or a failure message. Nothing...

    So I used Ctrl+C to cancel and tried it again. The same as before. The certreq program is started, but there is no response. It looked like certreq was waiting for input and didn't show it. Therefore I used Task Manager to kill all open certreq.exe tasks and searched for psexec details.

    There was one parameter missing. The complete command is "psexec -s -i cmd.exe".
    -s = start as the SYSTEM user
    -i = see all requests of the SYSTEM user

    So I was able to finish the certificate request successfully and got a request.cer file - no private certificate - therefore I was not able to use it, but with that new information and your tip about the psexec tool, I was able to successfully finish the request and import of a valid KDC certificate. More details in an extra post...

    In addition to the second suggestion and the psexec tool: without the "-i" parameter I don't get the extra window for the save dialog of the *.cer file.


    edit: I'm not sure, but I think there is no need to use Netmon? I will wait one year and see if DC03 tries an automatic renewal of the certificate.

    Thank you for your last answer and the tip to use the psexec tool!


    regards, Reisenhofer Andreas
    Monday, November 16, 2009 7:57 AM
  • How to get a valid KDC certificate:


    You need the following Tools:

    psexec => http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
    reqdccert.vbs => http://technet.microsoft.com/en-us/library/cc775547(WS.10).aspx
    certcli.dll => Windows Server 2003 Administration Tools Pack or also sometimes included in Windows
    certutil.exe => Windows Server 2003 Administration Tools Pack or also sometimes included in Windows
    certreq.exe => included in Windows
    certadm.dll => included in Windows


    Tasks to get the certificate:

    1.) run psexec -s -i cmd.exe
    2.) use only the new window for the following tasks...
    3.) cscript reqdccert.vbs DomainController A
    4.) CERTREQ -new <dcname>.inf <dcname>.req
    5.) run <dcname>-req.bat file
    6.) save the <dcname>.cer file
    7.) CERTREQ -ACCEPT <dcname>.cer

    8.) with <dcname>-vfy.bat you are able to verify the certificate store



    The procedure is based on http://technet.microsoft.com/en-us/library/cc783835(WS.10).aspx, but has some differences.
    regards, Reisenhofer Andreas
    Monday, November 16, 2009 8:31 AM
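Step 8 of the procedure above relies on the generated `<dcname>-vfy.bat`. As an added check that is not part of the original posts, the script below inspects `LocalMachine\My` directly for a certificate the KDC can use: issued from the DomainController template, carrying the Server and Client Authentication EKUs, a SAN DNS entry for the host, a private key, and a chain that builds to a trusted root. It then re-runs `certutil -dcinfo verify` and lists any KDC event 29 entries from the System log, which is the warning the question started with. The template check assumes the V1 template name `DomainController` as used in the thread; a V2 template would carry a different extension (1.3.6.1.4.1.311.21.7) and needs the check adjusted. Only cmdlets and .NET classes present in PowerShell 2.0 are used.

```powershell
# Added example (not from the thread): verify that a KDC-usable domain
# controller certificate is present in the machine store after the manual
# enrolment. Assumes the V1 template "DomainController" (as in the thread).

$TemplateName = 'DomainController'                     # assumption (V1 template)
$Fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName

$OidTemplateName = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (V1 templates)
$OidEku          = '2.5.29.37'
$OidSan          = '2.5.29.17'
$OidServerAuth   = '1.3.6.1.5.5.7.3.1'
$OidClientAuth   = '1.3.6.1.5.5.7.3.2'

# Returns a list of problems; an empty list means the certificate is usable.
function Test-KdcCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    $tpl = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $OidTemplateName }
    if (-not $tpl -or $tpl.Format($false) -ne $TemplateName) {
        $problems += "template is not $TemplateName"
    }

    $eku = @($Cert.Extensions | Where-Object { $_.Oid.Value -eq $OidEku } |
             ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if ($eku -notcontains $OidServerAuth -or $eku -notcontains $OidClientAuth) {
        $problems += 'missing Server/Client Authentication EKU'
    }

    # The CA filled the SAN from dNSHostName of the machine account; it has to
    # match the name the KDC is reached under.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $OidSan }
    if (-not $san -or $san.Format($false) -notmatch ('DNS Name=' + [regex]::Escape($Fqdn))) {
        $problems += "no SAN DNS entry for $Fqdn"
    }

    if (-not $Cert.HasPrivateKey) { $problems += 'no private key (certreq -accept not run?)' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($Cert.NotAfter)" }

    # Chain build without online revocation so this also works on an isolated
    # DC; certutil -dcinfo verify below does the full check including CRLs.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }

    return $problems
}

$found = $false
foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    $p = @(Test-KdcCertificate $c)
    if ($p.Count -eq 0) {
        Write-Host "OK   $($c.Thumbprint)  $($c.Subject)  valid until $($c.NotAfter)"
        $found = $true
    } else {
        Write-Host "skip $($c.Thumbprint)  $($c.Subject): $($p -join '; ')"
    }
}
if (-not $found) { Write-Warning "No usable domain controller certificate in LocalMachine\My" }

# Cross-check with the tool the event 29 text recommends, then list recent
# KDC event 29 entries. No new event 29 after the KDC has restarted is the
# real success signal.
& certutil.exe -dcinfo verify
Get-EventLog -LogName System -Source 'Microsoft-Windows-Kerberos-Key-Distribution-Center' -Newest 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 29 } |
    Select-Object TimeGenerated, EventID, Message |
    Format-Table -AutoSize -Wrap
```

This does not need the SYSTEM context; a local administrator can read the machine store. If the only certificate flagged "skip" is the Computer certificate from the question, the reason shown will be the template mismatch, which is the expected state before the manual enrolment.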
  • Hi,

    Glad that the information is helpful and thank you for your sharing. If you need further assistance in the future, please feel free to post in our forum.

    Have a nice day.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, November 17, 2009 1:10 AM
    Moderator