Certificate request failed. Keyset does not exist

Discussion in 'Windows Small Business Server' started by John Lenz, Feb 28, 2007.

  1. John Lenz

    John Lenz Guest

    I am trying to request a certificate for secure VPN access per page 378 in
    Windows SBS 2003 administrator's companion.

    I have restored the trust relationship between WinXP client and SBS server.

    I get through the wizard per the book and get the following error panel

    The certificate request failed. Keyset does not exist.

    The local computer certificate exists and the are no error logs on the
    server for certificate server.

    How can I get through this hurdle?

    Thanks
     
    John Lenz, Feb 28, 2007
    #1
    1. Advertisements

  2. Hi John,

    Thanks for posting here.

    From the description, I understand the issue is that the certificate
    request failed on your

    winxp client. If I am off base, please don't hesitate to let me know.

    Please verify that the Certification Authority is started and that you have
    sufficient

    permissions to request a certificate.

    You receive a "Failed to generate the certificate request" error message
    when you try create

    a certificate request in IIS

    http://support.microsoft.com/kb/908572/en-us


    more information:

    Error message when a client computer requests a certificate from a computer
    that is running

    Windows Server 2003 with Service Pack 1: "The wizard cannot be started
    because of one or

    more of the following conditions"

    http://support.microsoft.com/kb/927066/en-us

    Error message when you request a certificate from a computer that is
    running Windows Server

    2003 with Service Pack 1: "The certificate request failed because of one of
    the following

    conditions…"

    http://support.microsoft.com/kb/929494/en-us

    Description of the changes to DCOM security settings after you install
    Windows Server 2003

    Service Pack 1

    http://support.microsoft.com/kb/903220/en-us

    Request a computer certificate for server authentication

    http://technet2.microsoft.com/WindowsServer/en/library/f9871e14-e923-47d3-a7
    ff-

    0c1a6cfc1f4d1033.mspx?mfr=true


    Please check the error information about certsvc in application log both on
    client and

    server.

    I appreciate your time. I am happy to be of assistance and look forward to
    your reply.

    Have a nice day!

    Best regards,

    Jacky Luo (MSFT)
    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security
    ====================================================
    PLEASE NOTE: The partner managed newsgroups are provided to
    assist with break/fix issues and simple how to questions.
    We also love to hear your product feedback! Let us know what you think by
    posting

    from the web interface: Partner Feedback
    from your newsreader: microsoft.private.directaccess.partnerfeedback.

    We look forward to hearing from you!
    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader
    so that others may learn and benefit from this issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    ====================================================
     
    Jacky Luo [MSFT], Mar 1, 2007
    #2
    1. Advertisements

  3. John Lenz

    John Lenz Guest

    Jacky,

    This is a weird one.

    my configuration history:

    Original Win2K3 SP1 server domain called SOHO
    Replaced with Win2K3 SBS on same server PC (clean install) with domain
    longsoho

    I did not remove my 5 winXP PC's from old domain prior to install of SBS

    Configured SBS per instructions in MS Windows SBS 2003 R2 administrator's
    companion

    Error logs showed a winXP client joining longsoho did not have proper SID
    and need to re-establish trust.

    I am trying to setup certificate based VPN validation. I install IAS and CA
    on server. Created the domain controller certificate "LongSOHO Root CA" on
    the server. My first attempt to create the certificates on the win XP failed
    due to permission errors when domain was re-configured. This is when I found
    the "trust" issue. I rebuilt the machine name & account and now am at this
    level of problem on my main laptop that I wish to make VPN capable.

    I open MMC certificate for local machine & current user.

    I request a certificate for the local machine - computer. The wizard opens
    and I fill-in per the manual. When I submit I get this error:

    The certificate request failed. Keyset does not exist

    I can successfully add certificates to current user for Basic EFS and User
    by the same method. Only the local computer certificate fails.

    On the server CA, it shows issuing a certificate for the WinXP machine. No
    certificate shows on the WinXP Local Computer personal certificates folder.
    NO errors on server logs for CA.

    How do I achieve the creation of a local computer certificate?

    Thanks






     
    John Lenz, Mar 1, 2007
    #3
  4. Hi John,

    Thanks for posting back.

    I am performing research on this issue, I will keep you informed if I have
    any update,thanks for your patience and understanding.


    Jacky Luo (MSFT)
    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security
    ====================================================
    PLEASE NOTE: The partner managed newsgroups are provided to
    assist with break/fix issues and simple how to questions.
    We also love to hear your product feedback! Let us know what you think by
    posting

    from the web interface: Partner Feedback
    from your newsreader: microsoft.private.directaccess.partnerfeedback.

    We look forward to hearing from you!
    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader
    so that others may learn and benefit from this issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    ====================================================
     
    Jacky Luo [MSFT], Mar 2, 2007
    #4
  5. Hi John,

    Thanks for posting back.I am sorry for delayed response,I have performed
    more research,your understanding will be greatly appreciated.


    I.Let us refer to the following steps to troubleshoot the issue:

    1.On the SBS server, Added the “Domain Controllers" group to the
    CERTSVC_DCOM_ACCESS group, granting the DC's access the RPC connection.

    2.on the SBS server, please remove computer from network by server
    management client computers firstly.then disjoin the domain and join the
    domain through add client computer wizard.

    3.request certificate again to see if it helps.

    II.If the issue persists, please help me collect the following information
    for analysis:

    1.Does this occur on one client or all clients? so we can narrow down if
    this is client side or server side issue.

    2.Please capture the screenshot of the exact error message,save as jpg and
    send to me at

    3.please collect setup MPS report.

    a. Please download the MPSRPT_SETUPPerf.EXE from the following link and
    then run this tool on server to gather some information from the
    problematic computer:
    http://www.microsoft.com/downloads/details.aspx?familyid=cebf3c7c-7ca5-408f-
    88b7-f9c79b7306c0&displaylang=en

    b. Double-click on the MPSRPT_SETUPPerf.EXE file.
    [Note] This process may take some time; however, it will not have a
    negative effect on the performance.

    c. A CAB file will be generated in the
    %systemroot%\MPSReports\Setup\Reports\Cab directory called
    %COMPUTERNAME%_MPSReports.CAB. The CAB file will contain the reports
    generated by the MPS Reporting Tool.

    d. Please send the result file(CAB file)to me at , and
    I can do more research for your issue.


    Please compress all file and send to me at .

    I appreciate your time. I am happy to be of assistance and look forward to
    your reply.


    Have a nice day!

    Best regards,

    Jacky Luo (MSFT)
    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security
    ====================================================
    PLEASE NOTE: The partner managed newsgroups are provided to
    assist with break/fix issues and simple how to questions.
    We also love to hear your product feedback! Let us know what you think by
    posting

    from the web interface: Partner Feedback
    from your newsreader: microsoft.private.directaccess.partnerfeedback.

    We look forward to hearing from you!
    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader
    so that others may learn and benefit from this issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    ====================================================
     
    Jacky Luo [MSFT], Mar 16, 2007
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.