PKI - AD CS - 2008 - Test Lab setup having issues:


Kristin L. Griffin

Hi there.
I am new to PKI, and am testing Windows 2008 AD CS in my lab, and have a few
issues. I am hoping you all can help me out.

I have followed the Windows Server 2008 AD CS Step By Step Guide by Roland
Winkler.

My setup is this: LH_DC1 (win2k8 RC0 DC), LH_PKI1 (cert server running
Win2k8 RC0), LH_CLI1 (vista client), all in the contoso domain.

I installed ADCS, ocsp, NDES, and web enrollment on LH_PKI1 for test purposes.

I am using Virtual PC and 2 physical machines to do this.

Here are my problems:

1. Auto Enrollment is not working for computers, however, I can manually
request a certificate and get one successfully. I just don't get one
(computer cert or user cert) automatically when I join the domain or log on.
I get no errors in the event logs. Any tips there?

2. I setup OCSP per the instructions, but the website does not respond -
get 500 internal server error. What am I missing here? I checked the ocsp
dir at: c:\windows\SystemData\ocsp and it is empty.

3. I log in as PKIUSER1 on the vista client (user is a local admin and a
domain user) and type certutil -pulse. I get FAILED, 0x80070005 (win32:5)
Access Denied. What permissions do I need to run this command and other
certutil commands? some work but most are denied to me.

4. I have web enrollment installed on LH_PKI1 server (my root CA), and set
the website up for https, but when I try to request a certificate, the
response is that no certificates were found, I don't have permission to
request a certificate from this CA or an error occurred while accessing
active directory - AD seems fine....any ideas there?

5. How can I see the certificates I have issued in AD?

Many thanks,

Kristin
 
I have not worked through Roland's step-by-step, but some answers inline...

"Kristin L. Griffin" <Kristin L. Griffin@discussions.microsoft.com> wrote in
message news:76C5C876-C861-4F5A-9E57-A4B61DFB2077@microsoft.com...
> Hi there.
> I am new to PKI, and am testing Windows 2008 AD CS in my lab, and have a
> few
> issues. I am hoping you all can help me out.
>
> I have followed the Windows Server 2008 AD CS Step By Step Guide by
> Roland
> Winkler.
>
> My setup is this: LH_DC1 (win2k8 RC0 DC), LH_PKI1 (cert server running
> Win2k8 RC0), LH_CLI1 (vista client), all in the contoso domain.
>
> I installed ADCS, ocsp, NDES, and web enrollment on LH_PKI1 for test
> purposes.
>
> I am using Virtual PC and 2 physical machines to do this.
>
> Here are my problems:
>
> 1. Auto Enrollment is not working for computers, however, I can manually
> request a certificate and get one successfully. I just don't get one
> (computer cert or user cert) automatically when I join the domain or log
> on.
> I get no errors in the event logs. Any tips there?


Did you create and link GPOs that enable autoenrollment for the
user/computer at either the domain or at the OU that contains the
user/computer account? There are separate GPOs for both user and computer
autoenrollment that must be enabled to actually implement autoenrollment. In
addition, did you define v2 or v3 certificate templates that assign the
user/computer/group Read, Enroll, and Autoenroll permissions?
>
> 2. I setup OCSP per the instructions, but the website does not respond -
> get 500 internal server error. What am I missing here? I checked the
> ocsp
> dir at: c:\windows\SystemData\ocsp and it is empty.
>

Not sure. There is definitely a configuration error, as I have it working.
Look at the OCSP whitepaper itself. I followed the implementation steps in
this doc.

> 3. I log in as PKIUSER1 on the vista client (user is a local admin and a
> domain user) and type certutil -pulse. I get FAILED, 0x80070005 (win32:5)
> Access Denied. What permissions do I need to run this command and other
> certutil commands? some work but most are denied to me.
>


Many of these commands require local Administrator to execute.

> 4. I have web enrollment installed on LH_PKI1 server (my root CA), and
> set
> the website up for https, but when I try to request a certificate, the
> response is that no certificates were found, I don't have permission to
> request a certificate from this CA or an error occurred while accessing
> active directory - AD seems fine....any ideas there?
>


Who are you logging in as? Does the user have Read and Enroll permissions on
the Web Server certificate template?
Is the Web Server certificate template available for enrollment at the CA?

> 5. How can I see the certificates I have issued in AD?


Certificates are only published to AD if the certificate template enables
the option. If so, then you must enable Advanced Features in AD U&C and then
view the Published Certificates tab of the user. The certificates are stored
in the userCertificate attribute of the user account. The better place to
view all certificates that you have issued is the Certification Authority
console.

>
> Many thanks,
>
> Kristin
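The checks Brian's answers point at (is the autoenrollment policy actually applied on the client, which templates grant Enroll and Autoenroll and to whom, and which certificates a user already has published into AD) can be scripted. The following PowerShell is an added example, not code from the thread or from any Microsoft guide. It assumes PowerShell 2.0 or later in an elevated session on a domain-joined machine; the account name PKIUSER1 comes from Kristin's post, and the AEPolicy registry value and the two extended-right GUIDs are the documented ones Windows uses for autoenrollment and for the Enroll/Autoenroll permissions on template objects.

```powershell
# Added example (not from the thread): checks the points raised in the answers above.
# Run in an elevated PowerShell session on a domain-joined machine.

# --- 1. Autoenrollment policy state on this machine ---------------------------
# Group Policy writes the AEPolicy DWORD under this key. Bit 0x8000 means the
# policy is explicitly disabled; any other value (typically 7) means enabled.
function Get-AutoEnrollmentPolicy {
    param([ValidateSet('HKLM','HKCU')][string]$Hive)   # HKLM = computer, HKCU = user
    $key = "${Hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    if (-not (Test-Path $key)) { return 'Not configured (no GPO sets it)' }
    $val = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $val)    { return 'Not configured' }
    if ($val -band 0x8000) { return ('Disabled (AEPolicy=0x{0:X})' -f $val) }
    return ('Enabled (AEPolicy=0x{0:X})' -f $val)
}
"Computer autoenrollment: $(Get-AutoEnrollmentPolicy HKLM)"
"User autoenrollment:     $(Get-AutoEnrollmentPolicy HKCU)"

# --- 2. Who holds Enroll / Autoenroll on each template -----------------------
# Templates live in the Configuration partition. Enroll and Autoenroll are
# extended rights identified by these well-known GUIDs.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Get-TemplateEnrollmentRights {
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNC  = $rootDse.psbase.Properties['configurationNamingContext'].Value
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($tmpl in $container.psbase.Children) {
        $rules = $tmpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        $allow = $rules | Where-Object { $_.AccessControlType -eq 'Allow' }
        New-Object PSObject -Property @{
            Template   = $tmpl.psbase.Properties['cn'].Value
            Enroll     = ($allow | Where-Object { $_.ObjectType -eq $EnrollRight }     | ForEach-Object { $_.IdentityReference.Value }) -join ', '
            Autoenroll = ($allow | Where-Object { $_.ObjectType -eq $AutoEnrollRight } | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    }
}
# Only templates that grant Autoenroll to some principal can ever autoenroll; the
# same principal also needs Read and Enroll, and the CA must have the template
# enabled (on the CA itself: certutil -CATemplates).
Get-TemplateEnrollmentRights | Where-Object { $_.Autoenroll } | Format-Table Template, Enroll, Autoenroll -AutoSize

# --- 3. Certificates a user already has published in AD ----------------------
# Only templates with "Publish certificate in Active Directory" write the DER
# blob into the user's multi-valued userCertificate attribute.
function Get-PublishedCertificates {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return }
    foreach ($der in $result.Properties['usercertificate']) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
    }
}
Get-PublishedCertificates 'PKIUSER1' | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# After fixing policy or template ACLs, refresh policy and trigger enrollment:
#   gpupdate /force
#   certutil -pulse          (needs local Administrator, as Brian notes)
```

Section 3 answers the "published in AD" half of question 5 only; as Brian says, the complete list of everything the CA issued is in the Certification Authority console, which on the CA can also be pulled with `certutil -view -restrict "Disposition=20"` (disposition 20 is "issued").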
 
Thanks Brian for your responses.

I really appreciate the help!

Kristin

"Brian Komar" <brian.komar@nospam.identit.ca> wrote in message
news:910A5622-EB85-461B-AA9C-823684E6999F@microsoft.com...
>I have not worked through Roland's step-by-step, but some answers inline...
>
> "Kristin L. Griffin" <Kristin L. Griffin@discussions.microsoft.com> wrote
> in message news:76C5C876-C861-4F5A-9E57-A4B61DFB2077@microsoft.com...
>> Hi there.
>> I am new to PKI, and am testing Windows 2008 AD CS in my lab, and have a
>> few
>> issues. I am hoping you all can help me out.
>>
>> I have followed the Windows Server 2008 AD CS Step By Step Guide by
>> Roland
>> Winkler.
>>
>> My setup is this: LH_DC1 (win2k8 RC0 DC), LH_PKI1 (cert server running
>> Win2k8 RC0), LH_CLI1 (vista client), all in the contoso domain.
>>
>> I installed ADCS, ocsp, NDES, and web enrollment on LH_PKI1 for test
>> purposes.
>>
>> I am using Virtual PC and 2 physical machines to do this.
>>
>> Here are my problems:
>>
>> 1. Auto Enrollment is not working for computers, however, I can manually
>> request a certificate and get one successfully. I just don't get one
>> (computer cert or user cert) automatically when I join the domain or log
>> on.
>> I get no errors in the event logs. Any tips there?

>
> Did you create and link GPOs that enable autoenrollment for the
> user/computer at either the domain or at the OU that contains the
> user/computer account? There are separate GPOs for both user and computer
> autoenrollment that must be enabled to actually implement autoenrollment.
> In addition, did you define v2 or v3 certificate templates that assign the
> user/computer/group Read, Enroll, and Autoenroll permissions?
>>
>> 2. I setup OCSP per the instructions, but the website does not respond -
>> get 500 internal server error. What am I missing here? I checked the
>> ocsp
>> dir at: c:\windows\SystemData\ocsp and it is empty.
>>

> Not sure. There is definitely a configuration error, as I have it working.
> Look at the OCSP whitepaper itself. I followed the implementation steps in
> this doc.
>
>> 3. I log in as PKIUSER1 on the vista client (user is a local admin and
>> a
>> domain user) and type certutil -pulse. I get FAILED, 0x80070005
>> (win32:5)
>> Access Denied. What permissions do I need to run this command and other
>> certutil commands? some work but most are denied to me.
>>

>
> Many of these commands require local Administrator to execute.
>
>> 4. I have web enrollment installed on LH_PKI1 server (my root CA), and
>> set
>> the website up for https, but when I try to request a certificate, the
>> response is that no certificates were found, I don't have permission to
>> request a certificate from this CA or an error occurred while accessing
>> active directory - AD seems fine....any ideas there?
>>

>
> Who are you logging in as? Does the user have Read and Enroll permissions
> on the Web Server certificate template?
> Is the Web Server certificate template available for enrollment at the CA?
>
>> 5. How can I see the certificates I have issued in AD?

>
> Certificates are only published to AD if the certificate template enables
> the option. If so, then you must enable Advanced Features in AD U&C and
> then view the Published Certificates tab of the user. The certificates are
> stored in the userCertificate attribute of the user account. The better
> place to view all certificates that you have issued is the Certification
> Authority console.
>
>>
>> Many thanks,
>>
>> Kristin

>
 
On Jan 10, 12:47 pm, Kristin L. Griffin <Kristin L.
Grif...@discussions.microsoft.com> wrote:
> Hi there.  
> I am new to PKI, and am testing Windows 2008 AD CS in my lab, and have a few
> issues. I am hoping you all can help me out.
>
> I have followed the Windows Server 2008 AD CS Step By Step Guide by Roland
> Winkler.
>
> My setup is this: LH_DC1 (win2k8 RC0 DC), LH_PKI1 (cert server running
> Win2k8 RC0), LH_CLI1 (vista client), all in the contoso domain.
>
> I installed ADCS, ocsp, NDES, and web enrollment on LH_PKI1 for test purposes.
>
> I am using Virtual PC and 2 physical machines to do this.
>
> Here are my problems:
>
> 1. Auto Enrollment is not working for computers, however, I can manually
> request a certificate and get one successfully.  I just don't get one
> (computer cert or user cert) automatically when I join the domain or log on.  
> I get no errors in the event logs.  Any tips there?
>
> 2.  I setup OCSP per the instructions, but the website does not respond -
> get 500 internal server error.  What am I missing here?   I checked the ocsp
> dir at: c:\windows\SystemData\ocsp and it is empty.
>
> 3.  I log in as PKIUSER1 on the vista client (user  is a local admin and a
> domain user) and type certutil -pulse.  I get FAILED, 0x80070005 (win32:5)
> Access Denied.  What permissions do I need to run this command and other
> certutil commands?  some work but most are denied to me.
>
> 4.  I have web enrollment installed on LH_PKI1 server (my root CA), and set
> the website up for https, but when I try to request a certificate, the
> response is that no certificates were found, I don't have permission to
> request a certificate from this CA or an error occurred while accessing
> active directory - AD seems fine....any ideas there?
>
> 5.  How can I see the certificates I have issued in AD?
>
> Many thanks,
>
> Kristin


Hi, can you point me to this guide you mention: Windows Server 2008 AD
CS Step By Step Guide by Roland Winkler?
 
http://www.microsoft.com/downloads/...0C-FA3E-4F6A-97F5-ACAF31DE6DCE&displaylang=en

"Fed" <fed.gallardo@gmail.com> wrote in message
news:eaf57269-f7ba-4dac-8b30-9f51deaf81f6@d21g2000prf.googlegroups.com...
On Jan 10, 12:47 pm, Kristin L. Griffin <Kristin L.
Grif...@discussions.microsoft.com> wrote:
> Hi there.
> I am new to PKI, and am testing Windows 2008 AD CS in my lab, and have a few
> issues. I am hoping you all can help me out.
>
> I have followed the Windows Server 2008 AD CS Step By Step Guide by Roland
> Winkler.
>
> My setup is this: LH_DC1 (win2k8 RC0 DC), LH_PKI1 (cert server running
> Win2k8 RC0), LH_CLI1 (vista client), all in the contoso domain.
>
> I installed ADCS, ocsp, NDES, and web enrollment on LH_PKI1 for test
> purposes.
>
> I am using Virtual PC and 2 physical machines to do this.
>
> Here are my problems:
>
> 1. Auto Enrollment is not working for computers, however, I can manually
> request a certificate and get one successfully. I just don't get one
> (computer cert or user cert) automatically when I join the domain or log
> on.
> I get no errors in the event logs. Any tips there?
>
> 2. I setup OCSP per the instructions, but the website does not respond -
> get 500 internal server error. What am I missing here? I checked the ocsp
> dir at: c:\windows\SystemData\ocsp and it is empty.
>
> 3. I log in as PKIUSER1 on the vista client (user is a local admin and a
> domain user) and type certutil -pulse. I get FAILED, 0x80070005 (win32:5)
> Access Denied. What permissions do I need to run this command and other
> certutil commands? some work but most are denied to me.
>
> 4. I have web enrollment installed on LH_PKI1 server (my root CA), and set
> the website up for https, but when I try to request a certificate, the
> response is that no certificates were found, I don't have permission to
> request a certificate from this CA or an error occurred while accessing
> active directory - AD seems fine....any ideas there?
>
> 5. How can I see the certificates I have issued in AD?
>
> Many thanks,
>
> Kristin


Hi, can you point me to this guide you mention: Windows Server 2008 AD
CS Step By Step Guide by Roland Winkler?
 