|
|
You're in the
iis security
group:can't install user certificcate from other ad domains
iis security:
I have a certificate server running on a W2k3 SP2 server. this server is a global catalog. All user certificates are processed correctly when accessed by main root ad domain but when i tried to ask a user certificate from the web interface (certsrv), users from the second domain on my AD forest cannot authenticate, i have this in the iis log : 2007-10-17 14:14:27 W3SVC1 172.16.1.61 GET /certsrv/Default.asp - 443 DOMAIN2\TEST 172.16.102.130 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 401 3 0 and in the web page after 3 attemps i have a http 401.3 non authorised error. With the mmc certificate, the CA server is not found at all. I tried to add manually rights for user of my domain2 on c:\windows\system32\certsrv, user certificate template, i went in active directory sites & services, show servicesl nodes, and i went in services, public keys services, and browse all objetcs and modify the security to include the group of my domain2 users. But it still doesn't work... Can somebody help
[quoted text, click to view]
On Oct 17, 7:43 am, "Fadoul" <fadhe...@free.fr> wrote: > Hi > > I have a certificate server running on a W2k3 SP2 server. this server is= a > global catalog. All user certificates are processed correctly when access= ed > by main root ad domain but when i tried to ask a user certificate from the > web interface (certsrv), users from the second domain on my AD forest can= not > authenticate, i have this in the iis log : > > 2007-10-17 14:14:27 W3SVC1 172.16.1.61 GET /certsrv/Default.asp - 443 > DOMAIN2\TEST 172.16.102.130 > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322= ;+=AD.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) > 401 3 0 > > and in the web page after 3 attemps i have a http 401.3 non authorised > error. > > With the mmc certificate, the CA server is not found at all. > > I tried to add manually rights for user of my domain2 on > c:\windows\system32\certsrv, user certificate template, i went in active > directory sites & services, show servicesl nodes, and i went in services, > public keys services, and browse all objetcs and modify the security to > include the group of my domain2 users. But it still doesn't work... > > Can somebody help It looks like the certsrv website content itself does not have NTFS ACLs which give permissions to domain2. Is trust between these two domains setup correctly? Are the domains in same or different AD Forests? The website content is not in AD, so I don't think you changed ACLs for the right thing. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang //
thks for your reply David,
domains are in the same ad forest. i triple checked the ntfs acl of the certsrv website, and i have added the domain2 group in wich all users of domain2 are and i added manually too the domain2\usertest. i did it with authorisation in the mmc console of iis admin and checked ntfs rights in the c:\windows\system32\certsrv folder. it looks ok. I modified the acl user template too by adding the same groupe in the security panel, same result. I am just wondering if there is a link with the fact i am using a windows 2003 standard and not enterprise, i know that CA on standard is limited regarding CA on enterprise 2003 os, maybe there are limitations regarding the access to a second domain because of that ? Fadhel "David Wang" <w3.4you@gmail.com> a écrit dans le message de news: 1192668798.449972.291040@e34g2000pro.googlegroups.com... [quoted text, click to view] On Oct 17, 7:43 am, "Fadoul" <fadhe...@free.fr> wrote: > Hi > > I have a certificate server running on a W2k3 SP2 server. this server is > a > global catalog. All user certificates are processed correctly when > accessed > by main root ad domain but when i tried to ask a user certificate from the > web interface (certsrv), users from the second domain on my AD forest > cannot > authenticate, i have this in the iis log : > > 2007-10-17 14:14:27 W3SVC1 172.16.1.61 GET /certsrv/Default.asp - 443 > DOMAIN2\TEST 172.16.102.130 > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) > 401 3 0 > > and in the web page after 3 attemps i have a http 401.3 non authorised > error. > > With the mmc certificate, the CA server is not found at all. > > I tried to add manually rights for user of my domain2 on > c:\windows\system32\certsrv, user certificate template, i went in active > directory sites & services, show servicesl nodes, and i went in services, > public keys services, and browse all objetcs and modify the security to > include the group of my domain2 users. But it still doesn't work... > > Can somebody help It looks like the certsrv website content itself does not have NTFS ACLs which give permissions to domain2. Is trust between these two domains setup correctly? Are the domains in same or different AD Forests? The website content is not in AD, so I don't think you changed ACLs for the right thing. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang //
Ok, with those errors, this doesn't look like IIS issue nor anything
to do with user certificates at all. It looks like users in domain2 cannot even authenticate to domain. You'll have to solve that at the AD level. IIS is not even running Cert Server right now because the remote user never authenticated and logged on for IIS to run Cert Server. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // [quoted text, click to view] On Oct 18, 9:22 am, "Fadoul" <fadhe...@free.fr> wrote: denews: %23z1pdGaEIHA.4__BEGIN_MASK_n#9g02mG7!__...__END_MASK_i?a63jfAD$z_=> i cannot auth on thehttps://gc.domain.com/certsrv with domain2\user or > u...@domain2.com, after 3 attemps i have the error 401.3 non authorised. > with domain\user no problem to access to auth to the web certsrv > application and to get any certificate configured > > "Ken Schaefer" <kenREM...@THISadOpenStatic.com> a =E9crit dans le message= _@TK2MSFTNGP06.phx.gbl... [quoted text, click to view] > > > > > Enterprise should only be needed if you need to edit Certificate Templa= tes > > (e.g. create your own cert templates) > > > At what point in the web enrolment process do you get the 401? When the > > user first attempts to access the site? or when the user is attempting = to > > enrol/get their certificate? > > > Cheers > > Ken > > > "Fadoul" <fadhe...@free.fr> wrote in message > >news:OpXfW1XEIHA.4140@TK2MSFTNGP03.phx.gbl... > >> thks for your reply David, > > >> domains are in the same ad forest. i triple checked the ntfs acl of the > >> certsrv website, and i have added the domain2 group in wich all users = of > >> domain2 are and i added manually too the domain2\usertest. i did it wi= th > >> authorisation in the mmc console of iis admin and checked ntfs rights = in > >> the c:\windows\system32\certsrv folder. it looks ok. > > >> I modified the acl user template too by adding the same groupe in the > >> security panel, same result. I am just wondering if there is a link wi= th > >> the fact i am using a windows 2003 standard and not enterprise, i know > >> that CA on standard is limited regarding CA on enterprise 2003 os, may= be > >> there are limitations regarding the access to a second domain because = of > >> that ? > > >> Fadhel > >> "David Wang" <w3.4...@gmail.com> a =E9crit dans le message de news: > >> 1192668798.449972.291...@e34g2000pro.googlegroups.com... > >> On Oct 17, 7:43 am, "Fadoul" <fadhe...@free.fr> wrote: > >>> Hi > > >>> I have a certificate server running on a W2k3 SP2 server. this server > >>> is a > >>> global catalog. All user certificates are processed correctly when > >>> accessed > >>> by main root ad domain but when i tried to ask a user certificate from > >>> the > >>> web interface (certsrv), users from the second domain on my AD forest > >>> cannot > >>> authenticate, i have this in the iis log : > > >>> 2007-10-17 14:14:27 W3SVC1 172.16.1.61 GET /certsrv/Default.asp - 443 > >>> DOMAIN2\TEST 172.16.102.130 > >>> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.= 4322;+=AD=AD.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) > >>> 401 3 0 > > >>> and in the web page after 3 attemps i have a http 401.3 non authorised > >>> error. > > >>> With the mmc certificate, the CA server is not found at all. > > >>> I tried to add manually rights for user of my domain2 on > >>> c:\windows\system32\certsrv, user certificate template, i went in act= ive > >>> directory sites & services, show servicesl nodes, and i went in > >>> services, > >>> public keys services, and browse all objetcs and modify the security = to > >>> include the group of my domain2 users. But it still doesn't work... > > >>> Can somebody help > > >> It looks like the certsrv website content itself does not have NTFS > >> ACLs which give permissions to domain2. Is trust between these two > >> domains setup correctly? Are the domains in same or different AD > >> Forests? > > >> The website content is not in AD, so I don't think you changed ACLs > >> for the right thing. > > >> //David > >>http://w3-4u.blogspot.com > >>http://blogs.msdn.com/David.Wang > >> //- Hide quoted text - > > - Show quoted text -
i cannot auth on the https://gc.domain.com/certsrv with domain2\user or user@domain2.com, after 3 attemps i have the error 401.3 non authorised. with domain\user no problem to access to auth to the web certsrv application and to get any certificate configured "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> a écrit dans le message de news: %23z1pdGaEIHA.4544@TK2MSFTNGP06.phx.gbl... [quoted text, click to view] > Enterprise should only be needed if you need to edit Certificate Templates > (e.g. create your own cert templates) > > At what point in the web enrolment process do you get the 401? When the > user first attempts to access the site? or when the user is attempting to > enrol/get their certificate? > > Cheers > Ken > > "Fadoul" <fadhelbb@free.fr> wrote in message > news:OpXfW1XEIHA.4140@TK2MSFTNGP03.phx.gbl... >> thks for your reply David, >> >> domains are in the same ad forest. i triple checked the ntfs acl of the >> certsrv website, and i have added the domain2 group in wich all users of >> domain2 are and i added manually too the domain2\usertest. i did it with >> authorisation in the mmc console of iis admin and checked ntfs rights in >> the c:\windows\system32\certsrv folder. it looks ok. >> >> I modified the acl user template too by adding the same groupe in the >> security panel, same result. I am just wondering if there is a link with >> the fact i am using a windows 2003 standard and not enterprise, i know >> that CA on standard is limited regarding CA on enterprise 2003 os, maybe >> there are limitations regarding the access to a second domain because of >> that ? >> >> Fadhel >> "David Wang" <w3.4you@gmail.com> a écrit dans le message de news: >> 1192668798.449972.291040@e34g2000pro.googlegroups.com... >> On Oct 17, 7:43 am, "Fadoul" <fadhe...@free.fr> wrote: >>> Hi >>> >>> I have a certificate server running on a W2k3 SP2 server. this server >>> is a >>> global catalog. All user certificates are processed correctly when >>> accessed >>> by main root ad domain but when i tried to ask a user certificate from >>> the >>> web interface (certsrv), users from the second domain on my AD forest >>> cannot >>> authenticate, i have this in the iis log : >>> >>> 2007-10-17 14:14:27 W3SVC1 172.16.1.61 GET /certsrv/Default.asp - 443 >>> DOMAIN2\TEST 172.16.102.130 >>> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) >>> 401 3 0 >>> >>> and in the web page after 3 attemps i have a http 401.3 non authorised >>> error. >>> >>> With the mmc certificate, the CA server is not found at all. >>> >>> I tried to add manually rights for user of my domain2 on >>> c:\windows\system32\certsrv, user certificate template, i went in active >>> directory sites & services, show servicesl nodes, and i went in >>> services, >>> public keys services, and browse all objetcs and modify the security to >>> include the group of my domain2 users. But it still doesn't work... >>> >>> Can somebody help >> >> >> It looks like the certsrv website content itself does not have NTFS >> ACLs which give permissions to domain2. Is trust between these two >> domains setup correctly? Are the domains in same or different AD >> Forests? >> >> The website content is not in AD, so I don't think you changed ACLs >> for the right thing. >> >> >> //David >> http://w3-4u.blogspot.com >> http://blogs.msdn.com/David.Wang >> // >> >> >
This is what i thought too, because in the iis log i don't see any error. I
checked logs in windows event viewer on cg.domain1.com too, and i saw nothing, i have to check what audit configuration i have to modify to have more infos. regarding the auth in ad, domain2 is in the main root forest and users from domain2 can access to shares on domain1 without any problem so i don't know where to check ? "David Wang" <w3.4you@gmail.com> a écrit dans le message de news: 1192751623.662142.207390@z24g2000prh.googlegroups.com... Ok, with those errors, this doesn't look like IIS issue nor anything to do with user certificates at all. It looks like users in domain2 cannot even authenticate to domain. You'll have to solve that at the AD level. IIS is not even running Cert Server right now because the remote user never authenticated and logged on for IIS to run Cert Server. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // [quoted text, click to view] On Oct 18, 9:22 am, "Fadoul" <fadhe...@free.fr> wrote: > i cannot auth on thehttps://gc.domain.com/certsrv with domain2\user or > u...@domain2.com, after 3 attemps i have the error 401.3 non authorised. > with domain\user no problem to access to auth to the web certsrv > application and to get any certificate configured > > "Ken Schaefer" <kenREM...@THISadOpenStatic.com> a écrit dans le message > denews: > %23z1pdGaEIHA.4__BEGIN_MASK_n#9g02mG7!__...__END_MASK_i?a63jfAD$z__@TK2MSFTNGP06.phx.gbl... > > > > > Enterprise should only be needed if you need to edit Certificate > > Templates > > (e.g. create your own cert templates) > > > At what point in the web enrolment process do you get the 401? When the > > user first attempts to access the site? or when the user is attempting > > to > > enrol/get their certificate? > > > Cheers > > Ken > > > "Fadoul" <fadhe...@free.fr> wrote in message > >news:OpXfW1XEIHA.4140@TK2MSFTNGP03.phx.gbl... > >> thks for your reply David, > > >> domains are in the same ad forest. i triple checked the ntfs acl of the > >> certsrv website, and i have added the domain2 group in wich all users > >> of > >> domain2 are and i added manually too the domain2\usertest. i did it > >> with > >> authorisation in the mmc console of iis admin and checked ntfs rights > >> in > >> the c:\windows\system32\certsrv folder. it looks ok. > > >> I modified the acl user template too by adding the same groupe in the > >> security panel, same result. I am just wondering if there is a link > >> with > >> the fact i am using a windows 2003 standard and not enterprise, i know > >> that CA on standard is limited regarding CA on enterprise 2003 os, > >> maybe > >> there are limitations regarding the access to a second domain because > >> of > >> that ? > > >> Fadhel > >> "David Wang" <w3.4...@gmail.com> a écrit dans le message de news: > >> 1192668798.449972.291...@e34g2000pro.googlegroups.com... > >> On Oct 17, 7:43 am, "Fadoul" <fadhe...@free.fr> wrote: > >>> Hi > > >>> I have a certificate server running on a W2k3 SP2 server. this server > >>> is a > >>> global catalog. All user certificates are processed correctly when > >>> accessed > >>> by main root ad domain but when i tried to ask a user certificate from > >>> the > >>> web interface (certsrv), users from the second domain on my AD forest > >>> cannot > >>> authenticate, i have this in the iis log : > > >>> 2007-10-17 14:14:27 W3SVC1 172.16.1.61 GET /certsrv/Default.asp - 443 > >>> DOMAIN2\TEST 172.16.102.130 > >>> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) > >>> 401 3 0 > > >>> and in the web page after 3 attemps i have a http 401.3 non authorised > >>> error. > > >>> With the mmc certificate, the CA server is not found at all. > > >>> I tried to add manually rights for user of my domain2 on > >>> c:\windows\system32\certsrv, user certificate template, i went in > >>> active > >>> directory sites & services, show servicesl nodes, and i went in > >>> services, > >>> public keys services, and browse all objetcs and modify the security > >>> to > >>> include the group of my domain2 users. But it still doesn't work... > > >>> Can somebody help > > >> It looks like the certsrv website content itself does not have NTFS > >> ACLs which give permissions to domain2. Is trust between these two > >> domains setup correctly? Are the domains in same or different AD > >> Forests? > > >> The website content is not in AD, so I don't think you changed ACLs > >> for the right thing. > > >> //David > >>http://w3-4u.blogspot.com > >>http://blogs.msdn.com/David.Wang > >> //- Hide quoted text - > > - Show quoted text -
Enterprise should only be needed if you need to edit Certificate Templates
(e.g. create your own cert templates) At what point in the web enrolment process do you get the 401? When the user first attempts to access the site? or when the user is attempting to enrol/get their certificate? Cheers Ken [quoted text, click to view] "Fadoul" <fadhelbb@free.fr> wrote in message
news:OpXfW1XEIHA.4140@TK2MSFTNGP03.phx.gbl... > thks for your reply David, > > domains are in the same ad forest. i triple checked the ntfs acl of the > certsrv website, and i have added the domain2 group in wich all users of > domain2 are and i added manually too the domain2\usertest. i did it with > authorisation in the mmc console of iis admin and checked ntfs rights in > the c:\windows\system32\certsrv folder. it looks ok. > > I modified the acl user template too by adding the same groupe in the > security panel, same result. I am just wondering if there is a link with > the fact i am using a windows 2003 standard and not enterprise, i know > that CA on standard is limited regarding CA on enterprise 2003 os, maybe > there are limitations regarding the access to a second domain because of > that ? > > Fadhel > "David Wang" <w3.4you@gmail.com> a écrit dans le message de news: > 1192668798.449972.291040@e34g2000pro.googlegroups.com... > On Oct 17, 7:43 am, "Fadoul" <fadhe...@free.fr> wrote: >> Hi >> >> I have a certificate server running on a W2k3 SP2 server. this server is >> a >> global catalog. All user certificates are processed correctly when >> accessed >> by main root ad domain but when i tried to ask a user certificate from >> the >> web interface (certsrv), users from the second domain on my AD forest >> cannot >> authenticate, i have this in the iis log : >> >> 2007-10-17 14:14:27 W3SVC1 172.16.1.61 GET /certsrv/Default.asp - 443 >> DOMAIN2\TEST 172.16.102.130 >> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) >> 401 3 0 >> >> and in the web page after 3 attemps i have a http 401.3 non authorised >> error. >> >> With the mmc certificate, the CA server is not found at all. >> >> I tried to add manually rights for user of my domain2 on >> c:\windows\system32\certsrv, user certificate template, i went in active >> directory sites & services, show servicesl nodes, and i went in services, >> public keys services, and browse all objetcs and modify the security to >> include the group of my domain2 users. But it still doesn't work... >> >> Can somebody help > > > It looks like the certsrv website content itself does not have NTFS > ACLs which give permissions to domain2. Is trust between these two > domains setup correctly? Are the domains in same or different AD > Forests? > > The website content is not in AD, so I don't think you changed ACLs > for the right thing. > > > //David > http://w3-4u.blogspot.com > http://blogs.msdn.com/David.Wang > // > >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |