Windows Server 2016 CertSrv not created and missing

    Question

  • Hello,

    I have a problem on a Windows 2016 DC. I installed IIS and after this the PKI and the roles Web Enrollment Service and Network Device Enrollment Service.

    The CA installed without any error, as did the Network Device Enrollment Service. The Web Enrollment Service was installed and configured, but the virtual directory CertSrv is missing in IIS. The Network Device Enrollment Service works, but Web Enrollment doesn't because the virtual directory is missing. Under the Default Web Site, IIS shows only "CertEnroll" but no CertSrv entry.

    I have now tried installing/uninstalling twice, but the virtual directory was not created. Is this a bug in Server 2016, and how do I manually create the virtual "CertSrv" directory?

    The certutil -vroot utility does not help. If I run the tool, the output says something like "virtual directory exists ....." and the tool completes 100% successfully.

    Any idea what I can do?

    Tuesday, February 14, 2017 10:58 PM

Answers

  • So after days of searching I got the whole thing running.

    First of all: for me it is a bug within Windows Server 2016 and the PKI installation roles that no virtual directory "CertSrv" is created for the Web Enrollment Service. See my first post: I have done everything, but the virtual directory is not created during role installation or during the configuration steps at the end of the installation process. For me it's a bug until someone can show me the difference or a reason why this directory was not created as it should be.

    Here are the steps that were necessary to run the Web Enrollment service successfully:


    Error fix 1:

    1. Go into IIS and select "Default Web Site". In the middle of the page under the section "IIS" click on "ASP", scroll down to "Enable Parent Paths" and set this to "True". This must be done because the "C:\Windows\System32\certsrv" directory includes the "certdat.inc" file. The configuration in this file uses relative paths, and if you do not enable the above setting in IIS you will get the known error "ASP 0131" (see log files).


    Error fix 2:

    We must use SSL for certsrv to run 100%, so we need to bind SSL to IIS. If you have not created a certificate for IIS, you have to do this now.

    Go to the top of your IIS tree.

    Select your IIS server (blue selected entry) and click in the middle of the page under the section "IIS" on "Certificates". Select your certificate (if you have one) or on the right side click on "Create Domain Certificate". After the certificate has been created through your CA, make sure that the certificate was created with the extension "Server Authentication (1.3.6.1.5.5.7.3.1)". If this entry is missing you cannot use the certificate and you have to issue a new one.

    Now we have to bind IIS to use SSL on port 443.
    Go to your "Default Web Site" and on the right side click on "Bindings...". Double-click on "https", select the certificate created above and close the window with "OK". Ready: IIS will now work with https/SSL.


    Error fix 3:

    The missing "CertSrv" virtual directory.

    Prerequisite: before this step you must have installed the "Web Enrollment" role on your server, so that the directory (in my case German) "C:\Windows\System32\certsrv\de-DE" exists on your server. If not, install this role with Server Manager (I know the virtual directory will not be installed during this process, but we need the files, security settings and directories).

    Select the "Default Web Site", right-click and choose "Add Application". For the alias we take "CertSrv", for the "Application Pool" we choose "DefaultAppPool" and for the physical path we use our "C:\Windows\System32\certsrv\de-DE" (or en-EN or whatever your locale is). For "Connect as" we choose "Pass-through authentication". Save the entries. Ready: the virtual directory has been created.

    If you installed the "Network Device Enrollment Service" before, you will notice that under the newly created "CertSrv" entry both missing NDES entries also show up: "mscep" and "mscep_admin".

    Next we have to configure the authentication for "CertSrv". This is another bug from Microsoft, because many users get a 404 or 500 error when they try to access "https://your_server/CertSrv".

    Now we fix this error.


    Error fix 4:

    404 or 500 error when you try to call "https://your_server/CertSrv"

    We select our "CertSrv" entry, and in the middle under the section "IIS" we click on "Authentication". We see two enabled entries: "Anonymous Authentication" and "Windows Authentication".

    First of all we disable "Anonymous Authentication". Why? If this entry is enabled, an administrator will not be able to choose from the wide range of certificate templates within the web URL. The administrator will not be able to choose from extended templates; the link will not show up.

    Second, we take a look at the "Windows Authentication" entry, because here we find one cause of the 404/500 error. Click on "Windows Authentication" and select "Providers" on the right side. Move "NTLM" to the first place. Save the setting; our 404/500 error should be fixed and authentication should work.


    Error fix 5:

    We change the account under which "CertSrv" is running.

    Click on the "CertSrv" entry and on the right side select "Advanced Settings". Change the entry "Physical Path Credentials Logon Type" from "ClearText" to "Network".


    Restart your IIS and your CertSrv should be running.
    BTW: the Administrator account must be a member of the IIS_IUSER group.


    If I have forgotten to mention something here, I will add it later.

    • Marked as answer by Purecut Thursday, February 16, 2017 4:28 PM
    Thursday, February 16, 2017 4:11 PM
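The five fixes from the answer above as one script, so the resulting IIS state can be checked and reproduced instead of clicked through. This is an added example, not code from the thread or from Microsoft; it assumes the site is named "Default Web Site", that the Web Enrollment role files already exist on disk (the locale folder name is an assumption to adjust), and that it runs elevated on the CA server. The https binding (fix 2) is only verified, not created.

```powershell
# Added example: apply the thread's IIS fixes for the missing CertSrv application.
Import-Module WebAdministration

$site     = 'Default Web Site'                        # assumption: default site name
$appPath  = "$env:SystemRoot\System32\certsrv\en-US"  # assumption: use your locale folder (e.g. de-DE)
$location = "$site/CertSrv"
$appHost  = 'MACHINE/WEBROOT/APPHOST'

# Fix 1: certdat.inc uses relative (parent) paths; without this IIS logs ASP 0131.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter 'system.webServer/asp' `
    -Name enableParentPaths -Value $true

# Fix 2 (check only): CertSrv needs an https binding with a Server Authentication certificate.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    Write-Warning "No https binding on '$site'. Bind a certificate with EKU 1.3.6.1.5.5.7.3.1 first."
}

# Fix 3: create the CertSrv application by hand if the role installer did not.
if (-not (Get-WebApplication -Site $site -Name 'CertSrv')) {
    if (-not (Test-Path $appPath)) { throw "Web Enrollment files not found at $appPath" }
    New-WebApplication -Site $site -Name 'CertSrv' -PhysicalPath $appPath `
        -ApplicationPool 'DefaultAppPool' | Out-Null
}

# Fix 4: anonymous off, Windows auth on, NTLM moved to the first provider slot.
$auth      = 'system.webServer/security/authentication'
$providers = "$auth/windowsAuthentication/providers"
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
Remove-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $providers -Name '.' `
    -AtElement @{value='NTLM'} -ErrorAction SilentlyContinue      # drop it wherever it currently sits
Add-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $providers -Name '.' `
    -Value @{value='NTLM'} -AtIndex 0                              # re-add at the top of the list

# Fix 5: physical path credentials logon type ClearText -> Network.
$vdir = "system.applicationHost/sites/site[@name='$site']/application[@path='/CertSrv']/virtualDirectory[@path='/']"
Set-WebConfigurationProperty -PSPath $appHost -Filter $vdir -Name logonMethod -Value 'Network'

# Verification: print the effective authentication state and provider order for CertSrv.
foreach ($section in 'anonymousAuthentication', 'windowsAuthentication') {
    $v = Get-WebConfigurationProperty -PSPath $appHost -Location $location -Filter "$auth/$section" -Name enabled
    '{0,-24} enabled={1}' -f $section, $v.Value
}
(Get-WebConfiguration -PSPath $appHost -Location $location -Filter $providers).Collection |
    ForEach-Object { 'provider: ' + $_.value }

iisreset
```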

All replies

  • You might try installing on a member server as a test. IIS on a DC is going to be problematic.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, February 14, 2017 11:11 PM
  • Hi Dave,

    thanks for your reply, but this is my test environment and I do not have a member server by now. Have you installed the PKI and can you make some screenshots of the settings from the certSRV virtual directory to create it manually?

    Tuesday, February 14, 2017 11:40 PM
  • Then I don't think it is going to work as the roles are conflicting.

    Tuesday, February 14, 2017 11:43 PM
  • for me it is a bug within Windows Server 2016 and the PKI installation roles,

    Glad to hear you have a work-around but the fact remains that installing IIS on a domain controller is unsupported.

    Thursday, February 16, 2017 4:18 PM
  • "Glad to hear you have a work-around but the fact remains that installing IIS on a domain controller is unsupported."

    Where is that written...
    Thursday, February 16, 2017 4:28 PM
  • Where is that written...


    These ones might help.

    https://technet.microsoft.com/en-us/library/jj635855%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

    https://blogs.technet.microsoft.com/abizerh/2009/07/16/should-iis-be-installed-on-domain-controller/

    Thursday, February 16, 2017 4:32 PM
  • Where is that written...


    These ones might help.

    https://technet.microsoft.com/en-us/library/jj635855%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

    https://blogs.technet.microsoft.com/abizerh/2009/07/16/should-iis-be-installed-on-domain-controller/

    This might be right, but in my case I only need it for PKI and that's it. Everything else is disabled or filtered. Everything is good. And BTW: most of the errors also come up if IIS is installed on a separate server (authentication error, error ASP 0131...). These are errors that the role installer does not fix. And this is not a workaround.
    Thursday, February 16, 2017 4:52 PM
  • And this is not a workaround.

    Sadly the fact remains, unsupported.

    Thursday, February 16, 2017 4:54 PM
  • And this is not a workaround.

    Sadly the fact remains, unsupported.

    And I got the answer: IIS on a DC remains "not recommended", not unsupported.
    Thursday, February 16, 2017 4:58 PM
  • This fixed my issues on a Windows Server 2016 NDES server (standalone). My environment had a standalone Domain Controller and CA server as well. It does seem to be a bug with Windows Server 2016 when installing the Web Enrollment and NDES roles on the same box: the CertSrv IIS virtual directory was missing. Thanks for the workaround!
    Thursday, October 4, 2018 3:49 PM