Windows Server 2003 Ent. Certificate Services Webenroll

[pushpendra]

Sponsored Links

I have a domain in which a Certificate Authority is set up and its an Enterprise Edition. I have got a CAproxy (webenrollment) set up as well in my DMZ. If I am trying to login to the caproxy with remote desktop and then try to do a http://caproxy/certsrv web enrollment then I can get a certificate but when I try to do the enrollment from same proxy on some another computer then I am getting the below error:

Your request failed. An error occurred while the server was processing your request.

Contact your administrator for further assistance.

Request Mode: newreq - New Request
Disposition: (never set)
Disposition message: (none)
Result: Access is denied. 0x80070005 (WIN32: 5)
COM Error Info: CCertRequest::Submit Access is denied. 0x80070005 (WIN32: 5)
LastStatus: Access is denied. 0x80070005 (WIN32: 5)
Suggested Cause: The Certification Authority Service has not been started.

Can anyone tell me how to fix this problem. Thank you.

[pushpendra]

Alright, after doing some more testing and researching I am coming to a conclusion that if I use a machine in the same domain as the CA servers then only I can get the certificates. But if I use a machine which is not in the same domain or in neither of the domain then I start to get the same error message discussed above. Is there any workaround for this problem?

[Big Fish]

Can you try to check if there are any errors in the event log on the CA itself? I think that you will have to open a support incident with Microsoft's support services to get this problem resolved.

[pushpendra]

No, there is nothing in the CA or CAproxy eventlog, the error is only on the enrollment pages or such. I am going to setup a virtual test environment to see if I can get it up on clean installations or not.

[Benjamin]

You can try to solve this issue by stopping the IIS and open the metabase that you can find in c:\windows\system32\inetsrv\metabse.xml path and then open the file in Notepad. In the same file you will have to search for the string logonmethod and check that under those 3 virtual directories of the Web Enrollment the method is set to 2 or so. If it is then change all the 3 values to "3" and save the file, and it will then resemble the following:

</IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertControl"
AccessFlags="AccessRead | AccessScript"
AuthFlags="AuthAnonymous"
LogonMethod="3"
Path="C:\WINDOWS\system32\CertSrv\CertControl"
>
</IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertEnroll"
AccessFlags="AccessRead | AccessScript"
AuthFlags="AuthAnonymous"
LogonMethod="3"
Path="C:\WINDOWS\system32\CertSrv\CertEnroll"
>
</IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertSrv"
AccessFlags="AccessRead | AccessScript"
AppFriendlyName=""
AppIsolated="0"
AppRoot="/LM/W3svc/1/ROOT/CertSrv"
AuthFlags="AuthAnonymous"
LogonMethod="3"
Path="C:\WINDOWS\system32\CertSrv"