Unable to download in PKIView for http location

    Question

  • Hi All,

    I have installed a 1-tier Server 2012 PKI using the AD CS wizard as an enterprise root CA.

    Everything went OK without any issue, however when I go to PKIview.msc I get "Unable to download" for all http:// locations.

    In the setup I have copied the .crt file and .crl to a web server and in the post and pre installation files I specify the correct location.

    When I copy the URL from PKIview.msc I can browse the address with no issue.

    Hereby my settings -> http://tinypic.com/r/rmofh0/5

    IIS settings -> http://tinypic.com/r/98afk3/5

    Double escape is enabled, browse directory is enabled.

    Why does pkiview.msc report unable to download when I can browse to it?

    Proof I can browse to the CRL location with IE -> http://tinypic.com/r/1zvbdb5/5
    Wednesday, October 30, 2013 7:15 PM

Answers

  • Can you install Windows resource kit on 2003 on any 2003 server & check. There is a bug on 2008 IIS 7.

    See this http://blogs.technet.com/b/pki/archive/2008/02/25/how-to-avoid-delta-crl-download-errors-on-windows-server-2008-with-iis7.aspx

    There is a different location for appcmd on 32-bit & 64-bit, and I forgot the location. You can see the status is OK from 2003. I had the same issue when I could see all OK from 2003; I have not done anything on 2008 IIS because I don't have any issue other than pkiview.msc on 2008/2008R2.

    -Biswajit

     

    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin


    Saturday, November 16, 2013 4:38 PM

All replies

  • Make sure anonymous authentication is enabled on the web site and virtual directory.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Wednesday, October 30, 2013 7:45 PM
  • Default web site -> anonymous is enabled
     virtual directory -> anonymous is enabled

    I can correctly browse to it, see last screenshot.

    Wednesday, October 30, 2013 7:59 PM
  • When I run

    certutil -URL http://pki.contoso.com/pki/contoso-dc-ca1.crl

    I get the error

    Error retrieving URL: This network connection does not exist. 0x800708ca (win32: 2250)

    I can successfully browse to the site!

    What's wrong?

    Thursday, October 31, 2013 9:45 AM
  • Hi,

    Please check whether the certutil/CA authentication is denied access to the local web server.

    How about modifying the DNS record for the CRL site to point to another server, and trying another web server to host the CRL file?

    Regards,

    Yan Li




    Monday, November 04, 2013 7:36 AM
    Moderator
  • Also you can create a folder called CDP in WWWroot. Copy the CRLs & CRT into that folder. Map that from IIS Manager with Add Virtual Directory. Add the new path from the Extensions tab, like:

    http://pki.contoso.net/CDP/<caname>.crl

    Publish the CRL & Delta CRL from the CertSVC console. Run certutil -crl.

    -Biswajit


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin


    • Edited by i.biswajith Monday, November 04, 2013 9:13 AM
    Monday, November 04, 2013 9:12 AM
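
The steps from the post above, scripted as an added PowerShell example that is not part of the original thread. The site name, folder path and CertEnroll location are assumed defaults; the host name is the one used in the post. The last step fetches each file without credentials, the way a client with no logon session would.

```powershell
# Added example: run elevated on the CA, which in this thread also hosts IIS.
# Assumptions: default site name, wwwroot path and CertEnroll folder.
Import-Module WebAdministration
Import-Module ADCSAdministration

$site    = 'Default Web Site'
$cdpPath = 'C:\inetpub\wwwroot\CDP'
$baseUrl = 'http://pki.contoso.net/CDP'     # host name taken from the post above
$enroll  = "$env:windir\System32\CertSrv\CertEnroll"

# 1. Create the folder and map it as a virtual directory.
New-Item -ItemType Directory -Path $cdpPath -Force | Out-Null
if (-not (Get-WebVirtualDirectory -Site $site -Name 'CDP')) {
    New-WebVirtualDirectory -Site $site -Name 'CDP' -PhysicalPath $cdpPath | Out-Null
}

# 2. Allow anonymous reads and double escaping (delta CRL file names contain '+').
$settings = @(
    @{ Filter = 'system.webServer/security/authentication/anonymousAuthentication'; Name = 'enabled' },
    @{ Filter = 'system.webServer/security/requestFiltering'; Name = 'allowDoubleEscaping' }
)
foreach ($s in $settings) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/CDP" `
        -Filter $s.Filter -Name $s.Name -Value $true
}

# 3. Add the HTTP path to the CDP extension, then publish and copy the files.
Add-CACrlDistributionPoint -Uri "$baseUrl/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Restart-Service certsvc
certutil -crl
Copy-Item "$enroll\*.crl", "$enroll\*.crt" -Destination $cdpPath -Force

# 4. Fetch every published file anonymously and report the HTTP result.
foreach ($f in Get-ChildItem "$cdpPath\*" -Include *.crl, *.crt) {
    $url = "$baseUrl/$([uri]::EscapeDataString($f.Name))"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing
        '{0}  HTTP {1}  {2} bytes' -f $url, $r.StatusCode, $r.RawContentLength
    } catch {
        '{0}  FAILED: {1}' -f $url, $_.Exception.Message
    }
}
```
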
  • Created a CDP folder in wwwroot on the domain controller (which has IIS installed), pointed the virtual directory to it and placed the CRL and CRT in it; still the same error with pkiview.msc.

    So then I created a CDP folder on my SharePoint server, placed the CRL and CRT there and created a virtual directory to it. Changed DNS pki.contoso.com to the SharePoint server instead of the domain controller (which also has IIS installed) and now pkiview.msc gives all OK and no errors anymore.

    So the problem is fixed, but the question remains why it doesn't work if everything is configured on the domain controller (even if I give Everyone full control on the CDP folder).

    Tuesday, November 12, 2013 2:01 PM