ca certsrv


  • ca certsrv

    I am trying to set up a new exchange server.

    I wanted to use an SSL connection for users. In creating the CA server I am not able to browse to the http:\\servername\certsrv??? It brings up a "page cannot be displayed" error message.

  • #2
    Re: ca certsrv

    Originally posted by aaroncward
    ...I am not able to browse to the http:\\servername\certsrv??? It brings up a "page cannot be displayed" error message.
    Did you install web enrollment support for certificate services? This is what allows you to browse to the URL you mentioned. If you're not sure, you should check, because it is a separate component and typically not included if you do not explicitly check the box when installing certificate services.
    Last edited by ahinson; 4th February 2006, 01:29.
    Andrew

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: ca certsrv

      I am having the same problem: I can't access the website
      \\servername\certsrv.
      I get the same error message 'page cannot be displayed'.

      I used to be able to get to that website. I issued a certificate and I installed SSL for OWA a while back. OWA with SSL is working w/o any issues, I just can't get to the \\servername\certsrv website.

      Web enrollment support for certificate services is installed.

      I am puzzled.

      Any ideas?



      • #4
        Re: ca certsrv

        Steps I would take (and if you are lazy, you might as well just jump to step 5):

        1. Ensure the website and directory are actually installed and configured properly for /certsrv/

        2. Check %systemroot%\system32\logfiles\<website folder here>\ for logging entries of your attempts to get to /certsrv/ What status codes are displayed when you're trying to hit the /certsrv/ URL? 404 (not found)? 403 (forbidden, security related issue)?

        3. Enable auditing in gpmc.msc for all failure events in all auditing categories. Enable auditing on all server hard drives starting with the root, EVERYONE FULL CONTROL which equates to enabling all audit failure events for the special EVERYONE group.

        After enabling auditing, attempt to browse to the /certsrv/ URL. Check your Windows Event Viewer (security log) for any failure events. With IIS, security failures usually revolve around NTFS permission problems or user rights policies (i.e. allowing access to this computer from the network, denying access to this computer from the network; those are the two big ones). Also check your authentication method for the website in IIS which hosts /certsrv/. What type of access is allowed? Anonymous? Integrated? Basic (clear text)? Digest? Integrated will usually do the trick if you're an administrator on the LAN, however, you may choose Basic and provide clear text administrative credentials for the web server. Security access here is going to tie back to both NTFS permissions on your server drives hosting inetpub, and sometimes pieces buried under \system32\, and also user rights which I spoke about above. I.e. if administrator is specified as a user granted the right of "deny access to this computer from the network", guess what credentials are not going to work when you try hitting ANY website on that IIS server? You guessed it, local administrator.

        Finally, in the Windows security event log, if you are seeing logon failures saying something like "user has not been granted the specified logon type", this points to a user rights issue. Logon type plays a role in this particular situation. Type 2 is local. Type 3 is network. Type 8 is logon using basic (clear text). These are the biggies I've battled with when troubleshooting IIS.

        Using auditing in Windows can be tedious but it also presents a feeling of accomplishment when you crack a tough puzzle. IIS is becoming more and more secure with each release. Hardening your systems usually means working out some problems with applications that break. IIS is particularly prone to breaking when it comes to tightening security around the inetpub area as well as the operating system directories when website scripts are involved.

        4. Another good utility I have used time and time again for a situation like this is http://www.sysinternals.com/ filemon and regmon. In this case, use filemon to scan file I/O activity. Filemon is useful in telling you when someone or something is trying to look at a file but it is unable to for some reason (file security, file doesn't exist, etc.)

        5. Everything else above failed you? Now here's a goldmine which I just discovered a few months ago from Microsoft that will do most of the dirty work for you. Authentication and Access Control Diagnostics 1.0 http://www.microsoft.com/downloads/d...DisplayLang=en

        Jas
        VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
        boche.net - VMware Virtualization Evangelist
        My advice has no warranties. Follow at your own risk.
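
A sketch of the log check in step 2 above, added here as an example and not part of the original post: it parses IIS W3C extended log text and tallies failed requests under /certsrv by status and sub-status. The log lines, addresses and account names are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-02-04 01:10:02 192.0.2.10 GET /certsrv/ - 80 - 192.0.2.50 Mozilla/4.0 401 2 2148074254
2006-02-04 01:10:05 192.0.2.10 GET /certsrv/ - 80 EXAMPLE\\alice 192.0.2.50 Mozilla/4.0 403 14 5
2006-02-04 01:10:09 192.0.2.10 GET /exchange/ - 443 EXAMPLE\\alice 192.0.2.50 Mozilla/4.0 200 0 0
2006-02-04 01:11:30 192.0.2.10 GET /certsrv/certrqus.asp - 80 EXAMPLE\\bob 192.0.2.51 Mozilla/4.0 404 0 2
2006-02-04 01:12:00 192.0.2.10 GET /CertSrv/default.asp - 80 EXAMPLE\\alice 192.0.2.50 Mozilla/4.0 200 0 0
"""

# Where to look next for each status class named in the post (401 added here).
HINTS = {
    401: "authentication failed: check the site's authentication method and logon rights",
    403: "forbidden: check NTFS permissions; sub-status 14 is 'directory listing denied'",
    404: "not found: check that the /certsrv virtual directory and its files exist",
}

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))

def certsrv_failures(text, prefix="/certsrv"):
    """Count (status, sub-status) pairs for failed requests under prefix."""
    counts = Counter()
    for rec in parse_w3c(text):
        status, sub = rec.get("sc-status", ""), rec.get("sc-substatus", "0")
        if not status.isdigit() or int(status) < 400:
            continue
        if rec.get("cs-uri-stem", "").lower().startswith(prefix):
            counts[(int(status), int(sub) if sub.isdigit() else 0)] += 1
    return counts

def report(text):
    """Return one summary line per failure code, lowest status first."""
    return [f"{s}.{sub} x{n}: {HINTS.get(s, 'see the IIS status code list')}"
            for (s, sub), n in sorted(certsrv_failures(text).items())]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The sub-status column only appears if the site's logging properties include sc-substatus; without it the tally falls back to sub-status 0.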



        • #5
          Re: ca certsrv

          I have just had this problem - https://<servername>/certsrv forbidden. Firefox told me that the actual error was "Virtual Directory Cannot be listed", so I looked further into things.

          In the %systemroot%\system32\certsrv folder the homepage file is default.asp

          However in the properties for the certsrv folder under IIS admin, the "default content page" only listed Default.htm and Default.aspx.

          I simply added default.asp to the default content pages list, hit apply and all was well.

          I suspect the cause might have been related to an error I received during the re-installation of CA Services. I received a message along the lines of "Windows Components Wizard - Internet Information Services reported error something or other".

          This was a re-install of CA Services, since I had set the CN to something other than the hostname, and then I read Daniel's How-To and so went back and re-installed.

          A picture for reference:


          • #6
            Re: ca certsrv

            Originally posted by aaroncward
            I am trying to set up a new exchange server.

            I wanted to use an SSL connection for users. In creating the CA server I am not able to browse to the http:\\servername\certsrv??? It brings up a "page cannot be displayed" error message.
            Did you try https://servername/certsrv with forward slashes instead?
            Network Engineers do IT under the desk



            • #7
              Re: ca certsrv

              Originally posted by RobW
              Did you try https://servername/certsrv with forward slashes instead?
              I think modern versions of IE and Mozilla derivatives automatically change backslashes into forward slashes, so either would (should) work.
