IIS Server Security - SSL and Server Windows 2003

zturtle

2004-09-22, 9:26 pm

When I try to request a certificate from the CA authority Web enrollment page (same server as IIS is installed, member server to domain) I get this error: No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory. I did some research and found an article 811418 that basically states that the dnsHost attribute and sServerConfig need to be exactly the same case match, which they are. I also found an article mentioning a permissions problem but that was related to child domain. Any clues?

Miha Pihler

2004-09-22, 9:26 pm

Hi,

You setup Windows 2003 Enterprise CA server?

What permissions do you use to request the certificate (to access the web
enrolment page?)

Why don't you request the certificate directly from IIS (not using web
enrolment)? You can do this as long as IIS is member of domain and you have
Enterprise CA server setup...

Mike


2004-09-22, 9:26 pm

I setup Certificate CA and web enrollment thru the
windows comp. on windows 2003.

Where do I set the permissions to request a cert thru web
enrollment?

Ran the certificate wizard in iis to get the cert and it
seems to be functioning, when I request the site thru
http it states the page must be viewed over a secure
channel 403.4 forbidden ssl required. Though when I try
to use the https I just get a page cannot be found. The
page does function when I take ssl out of the picture.

Not sure where I am going wrong?

Miha Pihler

2004-09-22, 9:26 pm

Hi,

Make sure that SSL port (TCP port 443) is bound to IIS (is listed in your
website general property page). Try to access it locally (e.g.
https://localhost/folder/page.htm). If this doesn't help, run this tool on
your server. It should tell you if there are any configuration or
certificate problems that you need to resolve.

SSL Diagnostics Version 1.0 (x86)
http://www.microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&DisplayLang=en

Mike


2004-09-23, 5:54 pm

Port 443 is bound, I see it in the website general prop.,
but when I run a netstat -a it is not listening. I
downloaded the ssldiag and ran it. I'm not sure I understand
it; the only errors I see are when I run simulated
handshake and I get an unspecified error then error:
0x80090304 (-2146893052).

2004-09-23, 5:54 pm

oops I should have run a netstat -an which I just did and
it does look like 443 is listening on 0.0.0.0 which is
supposedly correct......

Miha Pihler

2004-09-26, 5:54 pm

> Is there some configuration setting on server or browser
> so the computer will "trust" or download the certificate
> and establish the SSL connection?


Hi Andrew,

If you e.g. used your own CA server then take your CA server certificate and
install it on your client. This will make your client trust your CA server.

You can get your CA certificate like this. Open CA web interface (e.g.
http://localhost/certsrv) and select "retrieve the CA certificate or
certificate revocation list" and click Next. Select Download CA certificate.
Save the *.cer file and transfer it to your client. Once it is on your
client double click on it and follow the wizard (default values should
work).

Mike



Andrew

2004-09-28, 9:13 pm

I'm installing the certificate to establish the SSL
connection for OWA. I can't "install it" on the client
browser - they could be anywhere. The problem is my
server is getting "fatal error creating SSL server
credential". I've tried everything with no success. I'm
going to try uninstalling the antivirus software, reapply
the Service Packs and see if that corrects the error.
~Andrew


Miha Pihler

2004-09-29, 3:09 am

Andrew,

I know you can't install this on all your computers (well you can if they
are in domain -- you can do it using group policy). The other option is to
instruct users where they can get CA certificate and how to install it. If
you don't, clients will not trust your CA and your users will get this kind
of warning.

http://freeweb.siol.net/mpihler/certnottrusted.jpg

Still, I must admit that you probably have some other problem too. You can
at least try and install CA certificate on one client to test it out -- to
see if it helps.

Another option for your clients to trust your certificate would be to get
3rd party trusted certificate from CA agency. Prices are from about
150-300USD/year -- depending on agency that you choose...

Mike


yaip

2004-10-21, 3:40 pm

I am having similar problem with SSL. When I try to connect it internally with https://localmachine/..., I am able to connect without any problems but when I connect from a different machine using https://www.., it first gives me a window for Security Alert. If I say Yes to proceed, it gives me a 404 - Page not found.

If I select to view the Certificate in Security Alert, it shows me an old Certificate.
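
The checks discussed in this thread (is 443 answering, does the handshake complete, which certificate is presented, does the client trust its CA) can be collected in one pass. The following is an added example, not code from any poster in the thread; it assumes Windows PowerShell 3.0 or later, and `Get-TlsEndpointReport` and the host name `www.example.test` are hypothetical names chosen for illustration.

```powershell
# Added example; the function name and host names are placeholders (assumptions).
function Get-TlsEndpointReport {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443,
        [int] $TimeoutMs = 5000
    )
    $r = [ordered]@{
        Host = $HostName; Port = $Port; TcpConnect = $false; Handshake = $false
        Subject = $null; Issuer = $null; NotAfter = $null; Thumbprint = $null
        Expired = $null; ChainTrusted = $null; ChainStatus = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # 1. Is anything accepting connections on the port (the netstat question)?
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out" }
        $client.EndConnect($pending)
        $r.TcpConnect = $true

        # 2. Complete the handshake even if the certificate is untrusted, so it
        #    can be inspected. Diagnostic use only: no data is sent on this stream.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $r.Handshake = $true

        # 3. Record which certificate the server actually presented.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject = $cert.Subject; $r.Issuer = $cert.Issuer
        $r.NotAfter = $cert.NotAfter; $r.Thumbprint = $cert.Thumbprint
        $r.Expired = ($cert.NotAfter -lt (Get-Date))

        # 4. Does this machine trust the issuing CA? Revocation is skipped so the
        #    result reflects only the local trust stores.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $r.ChainTrusted = $chain.Build($cert)
        $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    [pscustomobject]$r
}

# Compare the local and external views of the same site.
'localhost', 'www.example.test' | ForEach-Object { Get-TlsEndpointReport -HostName $_ } |
    Format-List
```

A different `Thumbprint` or `NotAfter` between the two rows means the external name is reaching a different binding or an older certificate than the one tested locally; `ChainTrusted = False` with an untrusted-root status means the issuing CA certificate is not installed on the machine running the check.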