Posted by Kristin Griffin on January 15, 2008, 11:40 pm
Thanks Brian for your responses.
I really appreciate the help!
Kristin
>I have not worked through Roland's step-by-step, but some answers inline...
>
>> Hi there.
>> I am new to PKI, and am testing Windows 2008 AD CS in my lab, and have a
>> few issues. I am hoping you all can help me out.
>>
>> I have followed the Windows Server 2008 AD CS Step By Step Guide by
>> Roland Winkler.
>>
>> My setup is this: LH_DC1 (win2k8 RC0 DC), LH_PKI1 (cert server running
>> Win2k8 RC0), LH_CLI1 (Vista client), all in the contoso domain.
>>
>> I installed ADCS, ocsp, NDES, and web enrollment on LH_PKI1 for test
>> purposes.
>>
>> I am using Virtual PC and 2 physical machines to do this.
>>
>> Here are my problems:
>>
>> 1. Auto Enrollment is not working for computers; however, I can manually
>> request a certificate and get one successfully. I just don't get one
>> (computer cert or user cert) automatically when I join the domain or log
>> on. I get no errors in the event logs. Any tips there?
>
> Did you create and link GPOs that enable autoenrollment for the
> user/computer at either the domain or at the OU that contains the
> user/computer account? There are separate GPOs for both user and computer
> autoenrollment that must be enabled to actually implement autoenrollment.
> In addition, did you define v2 or v3 certificate templates that assign the
> user/computer/group Read, Enroll, and Autoenroll permissions?
>>
>> 2. I set up OCSP per the instructions, but the website does not respond -
>> I get a 500 internal server error. What am I missing here? I checked the
>> ocsp dir at: c:\windows\SystemData\ocsp and it is empty.
>>
> Not sure. There is definitely a configuration error, as I have it working.
> Look at the OCSP whitepaper itself. I followed the implementation steps in
> that doc.
>
>> 3. I log in as PKIUSER1 on the Vista client (user is a local admin and a
>> domain user) and type certutil -pulse. I get FAILED, 0x80070005 (win32:5)
>> Access Denied. What permissions do I need to run this command and other
>> certutil commands? Some work, but most are denied to me.
>>
>
> Many of these commands require local Administrator to execute.
>
>> 4. I have web enrollment installed on LH_PKI1 server (my root CA), and set
>> the website up for https, but when I try to request a certificate, the
>> response is that no certificates were found, I don't have permission to
>> request a certificate from this CA, or an error occurred while accessing
>> Active Directory. AD seems fine... any ideas there?
>>
>
> Who are you logging in as? Does the user have Read and Enroll permissions
> on the Web Server certificate template?
> Is the Web Server certificate template available for enrollment at the CA?
>
>> 5. How can I see the certificates I have issued in AD?
>
> Certificates are only published to AD if the certificate template enables
> the option. If so, then you must enable Advanced Features in AD U&C and
> then view the Published Certificates tab of the user. The certificates are
> stored in the userCertificate attribute of the user account. The better
> place to view all certificates that you have issued is the Certification
> Authority console.
>
>>
>> Many thanks,
>>
>> Kristin
>
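The checks Brian walks through (is the autoenrollment GPO actually applied, does the template grant Read/Enroll/Autoenroll, does the session have local Administrator for certutil, and where do published certificates live in AD) can be scripted from the client. The PowerShell below is an added example and is not part of the thread or of Roland Winkler's guide; it assumes a domain-joined client, uses the well-known Enroll and Autoenroll extended-right GUIDs, treats the AEPolicy option bits other than the "Disabled" bit as an assumption noted in the comments, and uses 'Machine' and PKIUSER1 as placeholder template and account names.

```powershell
# Added example (not from the thread). Run on the domain-joined client.
# Placeholders: template common name 'Machine', account 'PKIUSER1'.

# --- Item 3: most certutil verbs (including -pulse) need local Administrator,
# which on Vista means an *elevated* session, not just group membership. ---
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# --- Item 1: has the autoenrollment GPO landed on this machine/user? ---
# The policy is written to the registry as AEPolicy. A missing value means
# "Not configured" (GPO not linked or not applied); 0x8000 means "Disabled".
# Assumption: the remaining low bits are the policy's two option checkboxes.
function Get-AutoEnrollmentPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
        $scope = 'User'
        if ($hive -eq 'HKLM') { $scope = 'Computer' }
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AEPolicy
        }
        $state = 'Enabled'
        if ($value -eq $null)    { $state = 'Not configured (GPO not applied)' }
        if ($value -band 0x8000) { $state = 'Disabled' }
        New-Object PSObject -Property @{ Scope = $scope; AEPolicy = $value; State = $state }
    }
}

# --- Items 1 and 4: which principals hold Read / Enroll / Autoenroll on a
# template? Templates are objects in the Configuration partition; Enroll and
# Autoenroll are extended rights identified by these well-known GUIDs. ---
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Get-TemplateAccess {
    param([string]$TemplateName)   # template *common* name, e.g. 'Machine', 'WebServer'
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $tmpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $rules = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        $rights = @()
        if ($ace.ActiveDirectoryRights -band [DirectoryServices.ActiveDirectoryRights]::ReadProperty) { $rights += 'Read' }
        if ($ace.ObjectType -eq $EnrollGuid)     { $rights += 'Enroll' }
        if ($ace.ObjectType -eq $AutoEnrollGuid) { $rights += 'Autoenroll' }
        if ($rights.Count -gt 0) {
            New-Object PSObject -Property @{
                Identity = $ace.IdentityReference.Value
                Type     = $ace.AccessControlType      # Allow or Deny
                Rights   = ($rights -join ',')
            }
        }
    }
}

# --- Item 5: certificates published to AD sit in the user's userCertificate
# attribute (only if the template's "Publish certificate in AD" option is on). ---
function Get-PublishedUserCertificates {
    param([string]$SamAccountName)
    $searcher = New-Object DirectoryServices.DirectorySearcher   # defaults to the current domain
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $result = $searcher.FindOne()
    if ($result -eq $null) { return }
    foreach ($raw in $result.Properties['usercertificate']) {
        # Each value is a DER-encoded certificate; decode it to read the fields.
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$raw)
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

# Usage: run the policy/template/AD checks, then trigger autoenrollment only if elevated.
Get-AutoEnrollmentPolicy | Format-Table Scope, AEPolicy, State -AutoSize
Get-TemplateAccess -TemplateName 'Machine' | Format-Table Identity, Type, Rights -AutoSize
Get-PublishedUserCertificates -SamAccountName 'PKIUSER1' | Format-Table Subject, NotAfter, Thumbprint -AutoSize
if (Test-IsElevated) { certutil -pulse } else { Write-Warning 'Not elevated: certutil -pulse will return 0x80070005 (Access Denied).' }
```

If Get-AutoEnrollmentPolicy reports "Not configured" for the Computer scope, the computer-side GPO is not reaching the machine, which matches symptom 1 even though manual enrollment works; if the template listing shows no Autoenroll entry for Domain Computers (or whichever group the machine is in), the template is the missing piece. The Read check tests the ReadProperty bit, so an entry that grants only GenericRead-derived rights still shows as Read.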