CertSrv HTTP Authentication Windows Server 2008 R2


  • Hi,

    I'm new to this forum, so I apologize if this thread is in the wrong section.

    I have AD CS installed on a member server of my domain; I've got it all configured as a standalone root Certificate Authority with Web Enrollment installed. I've got AD CS installed primarily for the purpose of using certificates for my IKEv2 VPN, which I've got working properly.

    The problem I'm having is that I'm trying to add HTTPS bindings to Certsrv and CertEnrol because I want to request a Web Browser certificate.

    When I have gone to https://MyIP/certsrv, obviously the page cannot be displayed because I haven't got any bindings.

    However, when I go to http://MYIP/certsrv and click on Request Certificate, then Web Browser Certificate, I receive the error message "In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS Authentication."

    I understand I need to configure the authentication. However, when I try to add the SSL bindings to my default website, which has the Certsrv and CertEnrol sub-sites, I receive the error "The binding is already being used by a product other than IIS. If you continue you might overwrite the existing certificate for this IP Address:Port combination. Do you want to use this binding anyway?"

    I've run the following commands in a command prompt:

        netstat -an | find ":443" | find "LISTENING"
        netstat -anb

    The results were:

        netstat -an | find ":443" | find "LISTENING"
        TCP     [::]:443           [::]:0           LISTENING

        netstat -anb
        Can not obtain ownership information.

    Could it be that I have RRAS setup on the same server?

    Is there a way I can fix this and not affect my VPN/RRAS which is on the same server as ADCS?





    4 February 2012, 10:44


All replies

  • You can create an HTTPS binding on another port (say, 444). Then, when you access the web site, you will type something like this: https://MyIP:444/certsrv


    • Marked as answer by Rach09, 17 February 2012, 15:17
    4 February 2012, 10:51
  • I'll try that and post updates.
    4 February 2012, 13:35
  • What product is currently using TCP:443? I typically recommend installing the CA on a dedicated machine.


    4 February 2012, 22:48
  • What you see is that another server, a different one from IIS, is using the built-in HTTP.SYS driver to listen for the :443 traffic. The server application has also configured its certificate binding. You can see the binding from the command line:

    netsh http show sslcert

    Each binding has an Application ID (appid) which the application uses to determine whether the binding has been configured by itself or by some other application. You can find the list of common AppIDs on my blog (just ignore that it is in Czech and look at the table):

    So if you try to use the IIS console to change the binding, it will inform you that the binding has already been configured by some other application.

    But both IIS and the other application can share the common binding. So the only problem is to make the binding with a certificate that would be valid for both applications. You can then change the binding either by using the IIS console, the other application's configuration tool, or the NETSH HTTP context.

    Just note that even the other application may complain that the binding is incorrect if it does not see that it has its own AppID. You may usually safely ignore such warnings if you know what you are doing.



    5 February 2012, 13:47
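The inspection step described in the reply above, followed by the two remediations the thread arrives at (a separate port, as in the accepted answer, and binding IIS to one specific IP only, as the poster eventually did), as an added PowerShell example that is not part of the original thread. It assumes an elevated prompt on the CA/RRAS server, a placeholder `$thumbprint` for the certificate IIS should present, `192.168.1.10` standing in for the poster's "internal IP", and a small table of well-known HTTP.SYS Application IDs written from memory of Microsoft's published values; none of these appear in the thread, so verify the appid values against `netsh http show sslcert` on a reference machine before relying on them. The thread never confirms which product holds :443, but on a server that also runs RRAS the SSTP listener is the usual occupant.

```powershell
# Added example, not code from the original thread. Assumptions (not in the
# thread): $thumbprint is the cert IIS should present, 192.168.1.10 stands in
# for the poster's internal IP, and the appid table below is from memory of
# Microsoft's published values; verify it locally. Run from an elevated prompt.

$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder, replace

# Well-known HTTP.SYS Application IDs (assumed from memory; verify locally).
$knownAppIds = @{
    '{4dc3e181-e14b-4a21-b022-59fc669b0914}' = 'IIS'
    '{ba195980-cd49-458b-9e23-c84ee0adcd75}' = 'RRAS SSTP listener'
}

function Get-HttpSslBinding {
    # Turn the text output of "netsh http show sslcert" into one object per
    # IP:port binding, carrying the certificate hash and the owning appid.
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings += New-Object PSObject -Property $current }
            $current = @{ IPPort = $Matches[1]; CertHash = $null; AppId = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.CertHash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $Matches[1].ToLower()
        }
    }
    if ($current) { $bindings += New-Object PSObject -Property $current }
    $bindings
}

# 1. Who owns the :443 listener that IIS complains about?
#    netstat -o prints the owning PID without needing -b (which requires admin
#    rights, hence the "Can not obtain ownership information" in the post).
netstat -ano | Select-String ':443\s+\S+\s+LISTENING'
Get-HttpSslBinding | ForEach-Object {
    $owner = if ($_.AppId -and $knownAppIds.ContainsKey($_.AppId)) { $knownAppIds[$_.AppId] } else { 'unknown' }
    '{0,-22} cert={1} appid={2} ({3})' -f $_.IPPort, $_.CertHash, $_.AppId, $owner
}

# 2. Lowest-risk fix (the accepted answer): give IIS its own port, 444.
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 444 -IPAddress '*'
New-Item -Path 'IIS:\SslBindings\0.0.0.0!444' -Value (Get-Item "Cert:\LocalMachine\My\$thumbprint")

# 2b. What the poster ended up doing: keep 443 but bind IIS only to the
#     internal address, leaving the wildcard :443 listener to the other product.
# New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '192.168.1.10'
# New-Item -Path 'IIS:\SslBindings\192.168.1.10!443' -Value (Get-Item "Cert:\LocalMachine\My\$thumbprint")

# 3. Confirm HTTP.SYS now lists the new binding under the IIS appid and that
#    something is actually accepting connections on it.
Get-HttpSslBinding | Where-Object { $_.IPPort -like '*:444' }
(New-Object Net.Sockets.TcpClient('127.0.0.1', 444)).Connected
```

Option 2 never touches the existing :443 registration, so the VPN is unaffected. Option 2b works because HTTP.SYS selects the most specific IP:port SSL binding first, so the IIS certificate is presented on the internal address while the wildcard binding keeps serving every other address; any client that reaches the internal address, VPN clients included, will see the CA site's certificate, which is why the certificate on that binding has to be acceptable to both, exactly the point the reply above makes. Deleting and re-adding the shared :443 binding under the IIS appid with `netsh http delete sslcert` / `netsh http add sslcert` is also possible, but it drops the other product's registration until that product re-creates it, so do it in a maintenance window.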
  • I've fixed it. I think.

    All I did was just bind port 443 to the internal IP Address on my CA/VPN Server for now.

    Thanks anyway.

    17 February 2012, 15:16