Problem using NAP_802.1X_StepByStep.doc to obtain a certificate for NPS1

  • Question

  • I am using the RC0 release of Windows 2008. I could not find the UI for "Request New Certificate" using the Certificate Request Wizard. However, I found it under All Tasks -> Advanced Operations... -> Create a custom request. This will generate a request file. I use the Computer template but leave the rest as default.

    The problem is when I open this request file at the CA using "Submit new request". It responded with the following error:

    Certificate Request Processor - The DNS name is unavailable and cannot be added to the Subject Alternate name.

    0x8009480f (-2146875377)

    Denied by Policy Module

    TeckSin

    Monday, October 15, 2007 6:01 AM

Answers

  • I found the problem why I could not "Request New Certificate" in the Personal folder. I was logged on as the local Administrator on the NPS server and the option for "Request New Certificate" was not available. Therefore I had to use "Create custom request", which I was not able to get to work.

    Chris, thanks for your time.

    Tuesday, October 16, 2007 3:26 AM

All replies

  •  

    Sounds like there is an issue in the environment configuration - either the machine generating the request is not putting the correct name into the certificate request, or the CA (certificate authority) is unable to validate the requesting machine's name. The error is indicating that the policy module on the CA is preventing the request from being fulfilled.

     

    Is the NPS machine operating within a Windows Server Active Directory domain environment?  (i.e. is it a domain member?)

     

    Can you give more details on the environment in which you are trying to set this machine up?

     

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, October 15, 2007 8:58 PM
  •  

    The setup I have is very similar to the NAP_802.1X_StepByStep document. One Windows 2003 R2 SP2 Standard server acts as a DC and a CA (Enterprise Root). The other one is a Windows 2008 RC0 Standard server used as an NPS and a DHCP server. The NPS server is a member of the domain. There will be a Vista client and a Cisco 3560 used in this test. The DC can ping and resolve the DNS name of the NPS server.

     

    In previous versions of Windows I was able to use the Certificate Request Wizard to directly request a computer certificate from the CA. In Windows 2008, I can only use the Certificate Request Wizard to generate a request file (.req). Do you think that the setup of the CA is not correctly done, although I did not hit any error during the setup of the CA? I tried Web Enrollment, but the Windows 2003 CA pointed me to a web page that said I need to manually update the Web Enrollment component to support Vista and 2008.

     

     

    TeckSin
    Tuesday, October 16, 2007 1:41 AM
  • This is reflected in the Application event log on the CA.

     

    Event Type: Warning
    Event Source: CertSvc
    Event Category: None
    Event ID: 53
    Date:  10/15/2007
    Time:  5:57:46 PM
    User:  N/A
    Computer: DC1
    Description:
    Certificate Services denied request 14 because The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377).  The request was for TEST\Administrator.  Additional information: Denied by Policy Module

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Tuesday, October 16, 2007 3:06 AM
  • What the "Create custom request" wizard actually does is create a self-signed request; you can find your certificates in the "Certificate Enrollment Requests" folder with the local computer as the Issuer (instead of the CA).
    The cause of the problem is that the computer has no permission to enroll a computer certificate (nor can the user, because the user is not a computer). So the default setting effectively prevents anything other than the system from requesting a computer certificate, and the cure is simple: grant the computer the permission to enroll the cert in the "Security" settings of the CA and the Computer template.
    You should then see the computer displayed in the Request New Certificate wizard. Note that a correct request should result in a pending request in the CA instead of a request file.
    Saturday, December 29, 2007 8:51 AM
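An added worked example (editor's code, not posted by anyone in this thread) for the fix described in the reply above and for the template permission check in the reply below. The CertSvc event 53 quoted earlier is the key clue: "The request was for TEST\Administrator". The Computer template builds its subject and DNS SAN from the requesting account's Active Directory attributes, so when the request is submitted in a user's security context the CA looks for a DNS name on a user account, finds none, and fails with 0x8009480f (CERTSRV_E_SUBJECT_DNS_REQUIRED). The script therefore lists who actually holds the Enroll right on the template, generates the request in the machine key store, and submits it from the computer's own context. The CA config string "DC1.test.local\TEST-CA", the host name nps1.test.local and the working directory are assumptions; "Machine" is the real common name of the built-in Computer template. Run it elevated as SYSTEM (for example via `psexec -s`, or as a scheduled task running as SYSTEM) so that the CA sees the requester as the computer account rather than the logged-on user; `certreq -machine` only selects the machine key store, it does not change who authenticates to the CA.

```powershell
# Added example (not from the thread): enroll an NPS server for a Computer
# ("Machine") template certificate from the machine's own security context.
# Assumptions: CA config string, host name and work directory below are
# hypothetical; certreq.exe from Windows Server 2008 or later is available.
param(
    [string]$CaConfig     = 'DC1.test.local\TEST-CA',   # assumption; see certutil -dump
    [string]$TemplateName = 'Machine',                  # common name of the "Computer" template
    [string]$HostName     = 'nps1.test.local',          # assumption
    [string]$WorkDir      = "$env:TEMP\nps-enroll"
)

function Test-RunningAsSystem {
    # certreq -submit authenticates to the CA as the caller. Only SYSTEM presents
    # the computer account (NPS1$) over the network; a user has no dNSHostName,
    # which is exactly what produces event 53 / 0x8009480f on the CA.
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name -eq 'NT AUTHORITY\SYSTEM'
}

function Get-TemplateEnrollRights {
    # Lists principals granted the Certificate-Enrollment extended right
    # (GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55) on the template object in AD.
    param([string]$Name)
    $configNC   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $tpl        = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $enrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $tpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $extRight) -and
            ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [Guid]::Empty)  # Empty = all extended rights
        } |
        Select-Object -ExpandProperty IdentityReference
}

function New-MachineCertRequest {
    # Writes the INF and creates a PKCS#10 request with the key in the machine store.
    # The CA overrides Subject/SAN with the computer account's DNS name, because the
    # Computer template builds the name from Active Directory.
    param([string]$Template, [string]$Subject, [string]$Dir)
    New-Item -ItemType Directory -Force -Path $Dir | Out-Null
    $inf = Join-Path $Dir 'machine.inf'
    $req = Join-Path $Dir 'machine.req'
    @"
[NewRequest]
Subject = "CN=$Subject"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII
    & certreq.exe -new -machine $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit $LASTEXITCODE)" }
    return $req
}

function Submit-MachineCertRequest {
    # Submits to the named CA and installs the issued certificate in LocalMachine\My.
    param([string]$Req, [string]$Config)
    $cer = [IO.Path]::ChangeExtension($Req, '.cer')
    & certreq.exe -submit -config $Config $Req $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed (exit $LASTEXITCODE); check CertSvc event 53 on the CA" }
    & certreq.exe -accept -machine $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit $LASTEXITCODE)" }
    return $cer
}

if (-not (Test-RunningAsSystem)) {
    Write-Warning ("Not running as SYSTEM: the CA will record the requester as " +
        "$env:USERDOMAIN\$env:USERNAME and cannot build a DNS SAN for a user (0x8009480f).")
}
"Principals allowed to enroll on template '$TemplateName':"
Get-TemplateEnrollRights -Name $TemplateName

$req  = New-MachineCertRequest -Template $TemplateName -Subject $HostName -Dir $WorkDir
$cer  = Submit-MachineCertRequest -Req $req -Config $CaConfig

# Verify that the issued certificate carries the machine's DNS name in the SAN.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
$san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
"Issued subject: $($cert.Subject)"
"Subject Alternative Name: $san"
```

If `Get-TemplateEnrollRights` does not list Domain Computers (or a group containing the NPS computer account), the request will be denied regardless of context; grant Enroll on the template first, as the reply above says. If the rights are correct but the warning about not running as SYSTEM appears, the CA's event 53 will again name the user as the requester.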
  • Hi all,

    I got the same problem when "Request a new certificate": there is no available certificate. If I check "Show all templates",
    all templates are "unavailable".

    Then I try to create custom request and Submit new request in CA server.
    The request is put in "Failed Requests" and got this message
    "The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377) Denied by Policy Module"

    I opened the "Computer" certificate template and checked the Security tab.
    Domain Computers has "Enroll"
    Authenticated Users has "Read" and "Enroll"
    Domain Admins and Enterprise Admins have "Read", "Write" and "Enroll"

    Thanks for the help.
    Thursday, July 30, 2009 9:18 AM