Can't install user certificate from other AD domains
on 17.10.2007 16:43:45 by Fadoul
Hi
I have a certificate server running on a W2k3 SP2 server. This server is a
global catalog. All user certificates are processed correctly when accessed
by the main root AD domain, but when I tried to request a user certificate from the
web interface (certsrv), users from the second domain in my AD forest cannot
authenticate. I have this in the IIS log:
2007-10-17 14:14:27 W3SVC1 172.16.1.61 GET /certsrv/Default.asp - 443
DOMAIN2\TEST 172.16.102.130
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30)
401 3 0
and in the web page after 3 attempts I get an HTTP 401.3 not authorised
error.
With the certificates MMC, the CA server is not found at all.
I tried to manually add rights for users of my domain2 on
c:\windows\system32\certsrv and on the user certificate template; I went into Active
Directory Sites & Services, showed the Services node, went into Services,
Public Key Services, browsed all objects and modified the security to
include the group of my domain2 users. But it still doesn't work...
Can somebody help?
Re: Can't install user certificate from other AD domains
on 18.10.2007 02:53:18 by David Wang
It looks like the certsrv website content itself does not have NTFS
ACLs which give permissions to domain2. Is the trust between these two
domains set up correctly? Are the domains in the same or different AD
forests?
The website content is not in AD, so I don't think you changed ACLs
on the right thing.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: Can't install user certificate from other AD domains
on 18.10.2007 13:52:17 by Fadoul
Thanks for your reply David,
the domains are in the same AD forest. I triple-checked the NTFS ACL of the
certsrv website, and I have added the domain2 group in which all users of
domain2 are, and I also added domain2\usertest manually. I did it with
authorisation in the IIS admin MMC console and checked NTFS rights in the
c:\windows\system32\certsrv folder. It looks OK.
I modified the ACL of the user template too by adding the same group in the
security panel, same result. I am just wondering if there is a link with the
fact that I am using Windows 2003 Standard and not Enterprise; I know that a CA
on Standard is limited compared to a CA on Enterprise 2003, maybe there are
limitations regarding access from a second domain because of that?
Fadhel
Re: Can't install user certificate from other AD domains
on 18.10.2007 18:11:21 by Ken Schaefer
Enterprise should only be needed if you need to edit certificate templates
(e.g. create your own cert templates).
At what point in the web enrolment process do you get the 401? When the user
first attempts to access the site, or when the user is attempting to
enrol/get their certificate?
Cheers
Ken
Re: Can't install user certificate from other AD domains
on 18.10.2007 18:22:16 by Fadoul
I cannot authenticate on https://gc.domain.com/certsrv with domain2\user or
user@domain2.com; after 3 attempts I get the error 401.3 not authorised.
With domain\user there is no problem authenticating to the web certsrv
application and getting any certificate configured.
Re: Can't install user certificate from other AD domains
on 19.10.2007 01:53:43 by David Wang
OK, with those errors, this doesn't look like an IIS issue nor anything
to do with user certificates at all.
It looks like users in domain2 cannot even authenticate to the domain.
You'll have to solve that at the AD level. IIS is not even running
Cert Server right now, because the remote user never authenticated and
logged on for IIS to run Cert Server.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: Can't install user certificate from other AD domains
on 19.10.2007 09:41:50 by Fadoul
This is what I thought too, because in the IIS log I don't see any error. I
checked the logs in the Windows event viewer on cg.domain1.com too, and I saw
nothing; I have to check what audit configuration I have to modify to get
more info.
Regarding the auth in AD, domain2 is in the main root forest and users from
domain2 can access shares on domain1 without any problem, so I don't know
where to check?
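The thread turns on reading the `401 3 0` at the end of the IIS log line (sc-status, sc-substatus, sc-win32-status). The helper below is an added example, not code from anyone in the thread: it parses IIS 6 W3C extended log lines in the field order the quoted line uses, groups 401 responses by the domain part of cs-username, and labels each sub-status with its documented IIS 6 meaning (401.1 logon failed, 401.3 denied by the resource ACL), which is the split between "AD authentication problem" and "NTFS ACL problem" the replies argue about. The sample log lines are constructed; the field list is an assumption based on the quoted line.

```python
"""Triage IIS 6 W3C log lines: which domain gets which 401 sub-status."""
from collections import defaultdict

# Documented IIS 6 sub-status codes for HTTP 401.
SUBSTATUS_401 = {
    1: "logon failed (credentials rejected)",
    2: "logon failed due to server configuration",
    3: "unauthorized due to ACL on the resource",
    4: "authorization failed by filter",
    5: "authorization failed by ISAPI/CGI application",
}

# Assumed field order, taken from the log line quoted in the thread.
FIELDS = ["date", "time", "s-sitename", "s-ip", "cs-method", "cs-uri-stem",
          "cs-uri-query", "s-port", "cs-username", "c-ip", "cs(User-Agent)",
          "sc-status", "sc-substatus", "sc-win32-status"]

# Constructed sample: the thread's DOMAIN2 line (user agent shortened),
# the anonymous challenge that precedes it, and a working DOMAIN1 request.
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2007-10-17 14:14:20 W3SVC1 172.16.1.61 GET /certsrv/Default.asp - 443 "
    "- 172.16.102.130 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254",
    "2007-10-17 14:14:27 W3SVC1 172.16.1.61 GET /certsrv/Default.asp - 443 "
    "DOMAIN2\\TEST 172.16.102.130 Mozilla/4.0+(compatible;+MSIE+6.0) 401 3 0",
    "2007-10-17 14:15:02 W3SVC1 172.16.1.61 GET /certsrv/Default.asp - 443 "
    "DOMAIN1\\alice 172.16.1.77 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0",
]


def parse_line(line):
    """Return a dict for one W3C log line, or None for comments/bad lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for key in ("sc-status", "sc-substatus", "sc-win32-status"):
        rec[key] = int(rec[key])
    return rec


def user_domain(username):
    """Domain part of DOMAIN\\user or user@domain; '-' for anonymous."""
    if username == "-":
        return "-"
    if "\\" in username:
        return username.split("\\", 1)[0].upper()
    if "@" in username:
        return username.split("@", 1)[1].upper()
    return "(local)"


def triage_401(lines):
    """Map (domain, substatus) -> (count, meaning) for every 401 response."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["sc-status"] == 401:
            counts[(user_domain(rec["cs-username"]), rec["sc-substatus"])] += 1
    return {k: (n, SUBSTATUS_401.get(k[1], "unknown sub-status"))
            for k, n in counts.items()}


if __name__ == "__main__":
    for (domain, sub), (n, meaning) in sorted(triage_401(SAMPLE_LOG).items()):
        print(f"{domain:10} 401.{sub} x{n}: {meaning}")
```

A 401.3 for an already-named DOMAIN2 user points at the NTFS ACL on the certsrv content; a 401.1 for that user would point at the domain logon itself.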