Windows Server 2003 Ent. Certificate Services Webenroll
I have a domain in which a Certificate Authority is set up, and it's an Enterprise Edition. I have a CAproxy (web enrollment) set up as well in my DMZ. If I log in to the caproxy with Remote Desktop and then try to do a http://caproxy/certsrv web enrollment, I can get a certificate, but when I try to do the enrollment from the same proxy on another computer, I get the error below:
Your request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.
Request Mode: newreq - New Request
Disposition: (never set)
Disposition message: (none)
Result: Access is denied. 0x80070005 (WIN32: 5)
COM Error Info: CCertRequest::Submit Access is denied. 0x80070005 (WIN32: 5)
LastStatus: Access is denied. 0x80070005 (WIN32: 5)
Suggested Cause: The Certification Authority Service has not been started.
Can anyone tell me how to fix this problem? Thank you.
Re: Windows Server 2003 Ent. Certificate Services Webenroll
Alright, after doing some more testing and researching, I am coming to the conclusion that I can get the certificates only if I use a machine in the same domain as the CA servers. But if I use a machine which is not in the same domain, or is in neither of the domains, then I start to get the same error message discussed above. Is there any workaround for this problem?
Re: Windows Server 2003 Ent. Certificate Services Webenroll
No, there is nothing in the CA or CAproxy event log; the error is only on the enrollment pages or such. I am going to set up a virtual test environment to see whether I can get it up on clean installations or not.
Solution for this problem
You can try to solve this issue by stopping IIS and opening the metabase, which you can find at the path c:\windows\system32\inetsrv\metabase.xml, in Notepad. In that file, search for the string logonmethod and check whether, under the 3 virtual directories of the Web Enrollment, the method is set to 2 or so. If it is, then change all 3 values to "3" and save the file; it will then resemble the following:
</IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertControl"
AccessFlags="AccessRead | AccessScript"
AuthFlags="AuthAnonymous"
LogonMethod="3"
Path="C:\WINDOWS\system32\CertSrv\CertControl"
>
</IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertEnroll"
AccessFlags="AccessRead | AccessScript"
AuthFlags="AuthAnonymous"
LogonMethod="3"
Path="C:\WINDOWS\system32\CertSrv\CertEnroll"
>
</IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertSrv"
AccessFlags="AccessRead | AccessScript"
AppFriendlyName=""
AppIsolated="0"
AppRoot="/LM/W3svc/1/ROOT/CertSrv"
AuthFlags="AuthAnonymous"
LogonMethod="3"
Path="C:\WINDOWS\system32\CertSrv"
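The check described in the post above can be scripted as a read-only audit; this is an added example, not part of the original thread. The wrapping root element, the "Scripts" entry and the sample values are constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three Web Enrollment entries from the post wrapped in
# a root element so the fragment parses. CertEnroll is left at "2" to show a
# finding, and "Scripts" is an unrelated, made-up directory that is ignored.
SAMPLE = r'''<configuration>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertControl"
    AuthFlags="AuthAnonymous" LogonMethod="3"
    Path="C:\WINDOWS\system32\CertSrv\CertControl"></IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertEnroll"
    AuthFlags="AuthAnonymous" LogonMethod="2"
    Path="C:\WINDOWS\system32\CertSrv\CertEnroll"></IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/Scripts"
    AuthFlags="AuthAnonymous" LogonMethod="2"></IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertSrv"
    AuthFlags="AuthAnonymous" LogonMethod="3"
    Path="C:\WINDOWS\system32\CertSrv"></IIsWebVirtualDir>
</configuration>'''

WEB_ENROLL_DIRS = ("certsrv", "certenroll", "certcontrol")
EXPECTED = "3"  # the value the post says all three directories should have


def audit_logon_method(xml_text, expected=EXPECTED):
    """Return [(location, logon_method, ok)] for the Web Enrollment directories."""
    rows = []
    for el in ET.fromstring(xml_text).iter():
        # Elements may carry an XML namespace; compare the local name only.
        if el.tag.rsplit("}", 1)[-1] != "IIsWebVirtualDir":
            continue
        location = el.get("Location", "")
        if location.rsplit("/", 1)[-1].lower() not in WEB_ENROLL_DIRS:
            continue
        value = el.get("LogonMethod")  # None when the attribute is not set here
        rows.append((location, value, value == expected))
    return rows


def missing_dirs(rows):
    """Names of Web Enrollment directories that were not found at all."""
    found = {loc.rsplit("/", 1)[-1].lower() for loc, _, _ in rows}
    return sorted(set(WEB_ENROLL_DIRS) - found)


if __name__ == "__main__":
    results = audit_logon_method(SAMPLE)
    for location, value, ok in results:
        print(f"{'OK ' if ok else 'FIX'} {location}: LogonMethod={value}")
    print("missing:", missing_dirs(results))
```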