- Have an enterprise CA on a Windows 2003 SP1 enterprise edition member
server
- Have the Certificate Web Enrollment Website installed on another Windows
2003 SP1 member server
- Have enabled "trust this computer for delegation" on the computer with the
Certificate Enrollment Website according to KB 239452
- Rebooted both member servers
- Have tried with either Windows or Basic authentication
When requesting a certificate, after the Website shortly displays
"processing request", the following error appears:
Error
Your request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.
Request Mode: newreq - New Request
Disposition: (never set)
Disposition message: (none)
Result: Access is denied. 0x80070005 (WIN32: 5)
COM Error Info: CCertRequest::Submit Access is denied. 0x80070005 (WIN32: 5)
LastStatus: The operation completed successfully. 0x0 (WIN32: 0)
Suggested Cause: The Certification Authority Service has not been started.
Thank you all in advance for any suggestions.
Franz
Searching KB for "0x80070005" gives a whole heap of problems and solutions -
not exactly like yours but very similar.
I assume that certificate services are running. The problem is most likely
with delegation - check security logs on the IIS and CA to find out how the
account is impersonated, and if the CA client has permissions to the
certificate template. There must be info in the event log on the CA about
the rejected enrollment as well.
Found the best KB for your situation -
http://support.microsoft.com/kb/239452
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
"Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message
news:uY5tmYAS...@TK2MSFTNGP11.phx.gbl...
Have already trusted the computer for delegation according to KB 300867 (this
article describes exactly the same error message we have). Also ran the
command described in KB 903220, verified that "Everyone" is in the
CERTSVC_DCOM_ACCESS security group of the server with the CA (have added
also the domain controllers security group in addition to everyone).
Verified the security template permissions, but they are all ok (read,
enroll, automatic enroll for authenticated users). Certificate requests with
the MMC Snap-In are working fine. Can even successfully distribute Machine
and User certificates over AD GPO.
The only thing that doesn't work is Web enrollment. Have enabled object
access auditing and logging "issue and manage certificate requests" on the
CA. Even then, there is no failure log entry when trying to request a
certificate over the web enrollment page.
Have seen that there is a component "Certsrv Request" when launching
dcomcnfg.exe. Any ideas about the correct settings of this component?
Thank you in advance for any further help
Franz
"S. Pidgorny <MVP>" <slav...@yahoo.com> wrote in message
news:Oo7OYtAS...@TK2MSFTNGP12.phx.gbl...
I'd also try to play with the Web site account/security context. Sorry,
cannot help much further via the groups.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
"Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message
news:eOWjCOCS...@TK2MSFTNGP09.phx.gbl...
We were finally able to solve the problem. It was not a template permission
problem, but a DCOM problem. We found the solution at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
1. We had to disable Basic authentication and enable Windows authentication
only (although our Cert enrollment site runs only SSL)
2. Cert. Enrollment works only with the NetBIOS Name and not with the FQDN.
https://server1/certsrv works, https://server1.domain.com/certsrv does not.
(but in the file certdat.inc is the FQDN)
Have absolutely no idea why it works with the two requirements mentioned
above.
Franz
"S. Pidgorny <MVP>" <slav...@yahoo.com> wrote in message
news:OdxGRjNS...@tk2msftngp13.phx.gbl...