NAPIPsec-StepbyStep.doc - Problem with CA publishing new health certificate template

  • Question

  • I am having a problem with getting the CA to issue the new certificate I duplicated and published to Active Directory.

    I am using the instructions outlined in the NAPIPSec_Step-by-Step.

    This is the section:

    Publish certificate templates

    Use the following procedure to allow the CA to issue the new health certificate template.

    To publish certificate templates

    1.   Click Start, click Run, type certsrv.msc, and then press ENTER.

    2.   Open Root CA, and in the console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.

    3.   Click System Health Authentication, and then click OK.

    4.   Close the Certification Authority console.

    When I click Certificate Template to Issue, the System Health Authentication template is not displayed in the list of selections.

    This DC was once a Windows 2000 DC that was upgraded to Windows 2003 with SP2.

    Thanks,

    Wednesday, September 19, 2007 1:45 AM

Answers

  • Thanks Greg,

    Yes, I did have a Windows 2003 Standard server in my lab.

    I am upgrading it now to Enterprise R2 with SP2.

    Thanks for the tip,

    Bryant.

    Wednesday, September 19, 2007 8:10 PM

All replies

  • Hi,

    Please verify that the CA is running Windows Server Enterprise Edition, and not Standard Edition. You must be running Enterprise Edition to publish and issue a NAP exemption certificate, or a health certificate from this CA.

    If you are running Standard Edition, you can try continuing the lab and skip this step. Computers in the IPsec NAP Exemption group (NPS1) will not be autoenrolled with an exemption certificate, but I'm pretty sure this doesn't break the demonstration because the secure OU client requests a health certificate for outbound communications, but doesn't require one. Since the client initiates communication to HRA when renewing a health certificate, this is permitted.

    In this situation, the HRA machine is not a typical member of the boundary network. These machines usually have certificates that allow them to initiate communications to machines on the secure network if needed.

    -Greg

    Wednesday, September 19, 2007 9:59 AM
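The edition check Greg asks for, plus the certutil equivalent of the "Certificate Template to Issue" step, as an added PowerShell example (not from the original thread or the step-by-step guide). It assumes it runs locally on the CA, that certutil.exe is on the PATH, and that the duplicated template's internal name is SystemHealthAuthentication.

```powershell
# Added example: precheck a Windows Server 2003 CA before publishing a duplicated (v2) template.
# Assumptions (not from the thread): run on the CA itself, certutil.exe on the PATH, and the
# account has the rights needed to change the CA's template list (Enterprise Admin in the lab).

$TemplateName = 'SystemHealthAuthentication'   # assumed CN of the duplicated template

# 1. Edition check: duplicated (version 2) templates can only be issued by Enterprise or
#    Datacenter edition CAs. Standard Edition CAs hide them from "Certificate Template to Issue".
$os = Get-WmiObject -Class Win32_OperatingSystem
if ($os.Caption -notmatch 'Enterprise|Datacenter') {
    Write-Warning "CA edition is '$($os.Caption)'. Standard Edition cannot issue v2 templates such as $TemplateName."
    return
}

# 2. Is the template already in the CA's issue list?  certutil -CATemplates lists the templates
#    the CA is configured to issue, one per line, beginning with the template's CN.
$issued = & certutil.exe -CATemplates 2>&1
if ($issued -match "^$TemplateName\b") {
    Write-Host "$TemplateName is already published on this CA."
    return
}

# 3. Does the template exist in Active Directory at all?  If the duplicate was never saved to the
#    Certificate Templates container, the CA cannot offer it.  certutil -Template lists AD templates.
$inAd = & certutil.exe -Template 2>&1
if (-not ($inAd -match $TemplateName)) {
    Write-Warning "$TemplateName not found in Active Directory; recreate the duplicate in certtmpl.msc first."
    return
}

# 4. Publish it: the command-line equivalent of right-click Certificate Templates > New >
#    Certificate Template to Issue in certsrv.msc.
& certutil.exe -SetCATemplates "+$TemplateName"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil -SetCATemplates failed with exit code $LASTEXITCODE"
} else {
    Write-Host "$TemplateName is now published for issue on this CA."
}
```

Re-run step 2 afterwards (certutil -CATemplates) to confirm the template appears; if the edition check fails, the fix is the one Bryant applied, upgrading the CA to Enterprise Edition.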