IAS, PKI, Certificate Services

Discussion in 'Active Directory' started by Jon, Dec 17, 2003.

  1. Jon

    Jon Guest

    Hi.

    I'm having trouble with the implementation of a PKI
    solution for WLAN access.

    I have a Windows Server 2003 forest (domain/forest
    functional level: Windows Server 2003) with 2 domains:
    irc.local (forest root)
    edu.irc.local

    I have installed and configured the Root CA (on a member
    server in the edu domain) and the Issuing CA (on a DC in
    the edu domain).

    When trying to verify certificate enrollment on clients,
    it doesn't work on clients (computers) in the edu domain.
    On clients (computers) with membership in the irc domain
    there's no problem.

    This is how I try to verify:
    1. Log on to a computer in the same domain as the issuing CA. Use a domain account.
    2. Open the Certificates MMC for the current user (you will need to add this to a blank MMC using Add/Remove Snap-in).
    3. Right-click the Personal folder and select Request a New Certificate from the All Tasks sub-menu.
    4. You should be prompted with a list of certificate types to choose from; choose the User type. Do not select the Advanced options check box.
    5. Give the certificate a recognizable friendly name, such as Issuing CA Verification.
    6. Click Finish to enroll the certificate.

    When performing #3 I get an error saying that it can't
    find any certificate issuer.

    Clients in the edu domain are not on the same subnet as
    the DCs in the root domain. Only the DCs (not clients)
    in the edu domain can communicate with the DCs in the
    root domain. Both DCs in the edu domain are GCs.

    I think this is a DNS problem. Where in the DNS
    configuration do I control which DC clients (in the edu
    domain) should ask for certificates?

    /Jon
     
    Jon, Dec 17, 2003
    #1

  2. Hello Jon,

    Thank you for your post.

    Is the error message "Windows Cannot find a certification authority that
    will process the request"?

    Since the problem does not occur in the irc domain, I suggest that we check the
    domain to ensure that the Domain Users group of the edu domain (child
    domain) has the right to enroll the User template. The following are the
    steps:

    1. From a domain controller in the edu domain, log on to the parent domain
    with a user account that has membership in the Enterprise Admins group.

    2. Click Start, click Programs, click Administrative Tools, and then click
    the "Active Directory Sites and Services" snap-in.

    3. In MMC, right-click the "Active Directory Sites and Services" snap-in,
    click View, and then click "Show Services Mode". This allows you to view
    the Services folder, which is hidden from view by default.

    4. From the "Active Directory Sites and Services" snap-in, click Services,
    click Public Key Services, and then click Certificate Templates. This
    reveals the complete list of published certificate templates in Active
    Directory.

    5. Double-click the User certificate template to view the properties.

    6. On the Security tab, click Add to add the Domain Users group of the
    child domain to the list.

    7. For the Domain Users (<CHILDDOMAINNAME>\Domain Users) group, select the
    Read and Enroll rights.

    8. Restart the computer.

    Please check if this takes care of the problem.

    Thanks!

    Regards,
    Joe Wu
    Product Support Services
    Microsoft Corporation

    Get Secure! - www.microsoft.com/security

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

    Joe Wu [MSFT], Dec 18, 2003
    #2
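An added example for this thread (it is not code from either post). Two Active Directory objects decide whether a child-domain client can enroll at all: the CN=Enrollment Services container, which is where a client looks up the published enterprise CAs (this lookup is an LDAP query against the Configuration partition, not a DNS query), and the DACL on the User template, which is where the Read and Enroll rights from the answer above are stored. The script reads both through ADSI and reports whether the child domain's Domain Users group holds the rights. Assumed values: the forest root is irc.local as in the thread, the child domain's NetBIOS name is EDU (the thread does not state it), and the caller can read the Configuration naming context (any authenticated forest user can by default).

```powershell
# Added example: audit CA publication and User-template rights for a child domain.
# Assumptions (not from the thread): forest root irc.local, child NetBIOS name EDU.
$forestRootDn = 'DC=irc,DC=local'
$childNetbios = 'EDU'          # assumed NetBIOS name of edu.irc.local
$templateName = 'User'
$pkiBase      = "CN=Public Key Services,CN=Services,CN=Configuration,$forestRootDn"

# Well-known extended-right GUIDs used on certificate template ACLs.
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment ("Enroll")
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment ("Autoenroll")

function Get-PublishedEnterpriseCA {
    # Every child of CN=Enrollment Services is one enterprise CA a client may be sent to.
    $container = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
    foreach ($ca in $container.psbase.Children) {
        [pscustomobject]@{
            CAName    = [string]$ca.psbase.Properties['cn'].Value
            Host      = [string]$ca.psbase.Properties['dNSHostName'].Value
            # Templates the CA is willing to issue; the User template must be listed here too.
            Templates = @($ca.psbase.Properties['certificateTemplates']) -join ','
        }
    }
}

function Test-TemplateEnrollAccess {
    param([string]$Template, [string]$Principal)
    $obj   = [ADSI]"LDAP://CN=$Template,CN=Certificate Templates,$pkiBase"
    # Include inherited ACEs; work with SIDs and translate per ACE so one stale SID does not abort the scan.
    $rules = $obj.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $result = [ordered]@{ Principal = $Principal; Read = $false; Enroll = $false; AutoEnroll = $false }
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try { $who = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { continue }
        if ($who -ne $Principal) { continue }
        $rights = [int]$rule.ActiveDirectoryRights
        # The GUI's "Read" box corresponds to ReadProperty (GenericRead contains it).
        if (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0) { $result.Read = $true }
        # "Enroll"/"Autoenroll" are extended rights. An ACE whose ObjectType is the empty GUID
        # grants every extended right, so it counts as a match as well.
        if (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) {
            $all = ($rule.ObjectType -eq [guid]::Empty)
            if ($all -or $rule.ObjectType -eq $enrollGuid)     { $result.Enroll = $true }
            if ($all -or $rule.ObjectType -eq $autoEnrollGuid) { $result.AutoEnroll = $true }
        }
    }
    [pscustomobject]$result
}

Write-Host "Enterprise CAs published in AD (this is what a client searches, not DNS):"
Get-PublishedEnterpriseCA | Format-Table -AutoSize

Write-Host "Rights on the '$templateName' template for the child domain's users:"
Test-TemplateEnrollAccess -Template $templateName -Principal "$childNetbios\Domain Users" | Format-List
```

If the second part reports Enroll as false, the template DACL is the cause the answer describes; if the first part lists no CA, or lists the Issuing CA without User among its templates, the client's "cannot find a certification authority" error comes from publication rather than permissions. Note that a CA also has its own DACL (the Request Certificates permission shown on the Security tab of the Certification Authority console), which is separate from the template's and must allow the child domain's users too. Because all of these objects live in the Configuration partition, a change made against a parent-domain DC becomes visible to edu clients only after it has replicated to the edu DCs. `certutil -dstemplate User` gives a quick command-line cross-check of the template as published in AD.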
