32618 Split Enrollment Issue Again
Can't access CertSrv from domain machine using Windows Authentication
-
Question
-
Got Certificate Services and Certificate Services Web Enrollment installed on a Server 2012 R2 server.
From the server itself I can access the http://server/certsrv/ or https://server/certsrv/ site.
I'd like to be able to access the site, though, from Windows workstations on the domain when logged on as a Domain Admin or other specified account. On the Default Web Site and CertSrv in IIS, under Authentication, I enabled Windows Authentication and disabled Anonymous. When I go to the site from a workstation logged on as myself (Domain Admin) I get a logon box. When I enter my creds I get "HTTP Error 401. The requested resource requires user authentication."
What am I missing?
Ideally I'd like it so that if I'm logged on to a domain computer as myself or another Domain Admin, the site just comes up and not the logon box. The c:\windows\system32\certsrv folder already has local admins added, which contains domain admins, as does the C:\inetpub folder.
Answers
-
OK, I think I know what the problem is. Give this a try:
- Remove your IIS role, and then remove C:\inetpub if it still exists after uninstallation of IIS
- Remove the SPN you have created
- Restart the server
- Add the Certification Authority Web Enrollment feature and make sure that Negotiate comes before NTLM and Anonymous is disabled in IIS
- Issue with mmc an SSL certificate for, let's say, CN=pki.mytest.com and import it with a private key into the Personal store of the Local Computer certificate store (certlm.msc) of the PKI server
- Go to IIS on the PKI server, click Default Web Site, Bindings (on the right) and add HTTPS on port 443 (no hostname) and select your pki.mytest.com certificate
- Now go to your test client and add a fake pki.mytest.com entry to your hosts file (run notepad as administrator and edit C:\Windows\System32\drivers\etc\hosts) so that pki.mytest.com points to the IP of your PKI server. Confirm that using cmd and the "ping pki.mytest.com" command.
- On the test client go to IE settings and add https://pki.mytest.com to Local Intranet. Close and open the browser (not required, but doesn't hurt)
- Make a final test by connecting to https://pki.mytest.com/certsrv
Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.
- Marked as answer by Friday, August 29, 2014 9:40 PM
-
Yep! So if your server is called issuingca.domain.com, once a user tries to connect to your server with Kerberos authn, it will try to use the ndes service account password, but your App pool for certsrv is running under the default (computer HOST).
What you can try to do is to set your App Pool for certsrv to run under the ndesservice account, do iisreset and try again to connect with the client to your issuingca.domain.com
- Marked as answer by Carito Friday, August 29, 2014 9:39 PM
-
Please disable "Enable Kernel mode authentication" for the /certsrv folder and try again with the SPN set to ndesservice and the application pool identity also set to ndesservice. You can read more on this here: http://blogs.msdn.com/b/autz_auth_stuff/archive/2011/05/06/kernel-mode-authentication.aspx
- Marked as answer by Carito Friday, August 29, 2014 9:39 PM
-
It seems that I needed to go into IIS and Authentication | Windows Authentication | Providers and then move NTLM above Negotiate. Once I did this I was able to get to the site from domain computers.
I have a couple of questions about this though. Basically all Domain Users can access this. So even though it's set for Windows Authentication, it acts like Anonymous.
Sooo, guessing I could edit the web.config or something and remove Domain Users and leave Admins. Is this a best practice, though? Or are typically all users supposed to be able to hit the site and request a cert?
Thanks!
- Marked as answer by Amy Wang_ Wednesday, September 10, 2014 3:50 AM
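The replies above disagree about where the 401 comes from (SPN ownership versus the app pool identity, kernel-mode authentication, and the Negotiate/NTLM order that the asker eventually swapped). The script below is an added diagnostic, not code from the thread or from Microsoft, that reads those settings from IIS and Active Directory and reports which account will actually decrypt the Kerberos ticket. It assumes the WebAdministration module and setspn.exe are available, that CertSrv is an IIS application under Default Web Site, that the browser name is pki.mytest.com, and that each account's CN equals its logon name.

```powershell
# Added diagnostic (not from the thread). Assumes: WebAdministration module, setspn.exe on
# the PATH, elevated PowerShell on the IIS/CA host, and account CN == logon name (assumption).
Import-Module WebAdministration

function Test-CertSrvKerberosConfig {
    param(
        [string]$SiteName = 'Default Web Site',
        [string]$AppName  = 'CertSrv',
        [string]$HostName = 'pki.mytest.com'    # name users type into the browser (assumed)
    )
    $path     = "IIS:\Sites\$SiteName\$AppName"
    $winAuth  = 'system.webServer/security/authentication/windowsAuthentication'
    $anonAuth = 'system.webServer/security/authentication/anonymousAuthentication'
    $win       = Get-WebConfiguration -PSPath $path -Filter $winAuth
    $anon      = Get-WebConfiguration -PSPath $path -Filter $anonAuth
    $providers = @(Get-WebConfiguration -PSPath $path -Filter "$winAuth/providers/add" | ForEach-Object { $_.value })
    $poolName  = (Get-WebApplication -Site $SiteName -Name $AppName).applicationPool
    $pm        = (Get-Item "IIS:\AppPools\$poolName").processModel
    # Account whose Kerberos key IIS uses to decrypt the service ticket: kernel-mode auth uses
    # the computer account unless useAppPoolCredentials is set (the point of the kernel-mode reply).
    $poolUser  = ($pm.userName -replace '^.*\\', '') -replace '@.*$', ''
    $decryptor = if ($pm.identityType -eq 'SpecificUser' -and
                     (-not $win.useKernelMode -or $win.useAppPoolCredentials)) { $poolUser } else { $env:COMPUTERNAME }
    # setspn -Q prints the DN of the object holding the SPN, or "No such SPN found."
    $spnOut   = & setspn.exe -Q "HTTP/$HostName" 2>&1 | ForEach-Object { "$_" }
    $spnOwner = $spnOut | Where-Object { $_ -match '^CN=' } | Select-Object -First 1
    $warnings = @()
    if (-not $win.enabled) { $warnings += 'Windows Authentication is disabled on CertSrv.' }
    if ($anon.enabled)     { $warnings += 'Anonymous Authentication is still enabled.' }
    $ntlm = [array]::IndexOf($providers, 'NTLM'); $neg = [array]::IndexOf($providers, 'Negotiate')
    if ($ntlm -ge 0 -and ($neg -lt 0 -or $ntlm -lt $neg)) {
        $warnings += 'NTLM precedes Negotiate: Kerberos is never attempted, so an SPN mismatch is masked, not fixed.'
    }
    if (-not $spnOwner) {
        $warnings += "No HTTP/$HostName SPN exists; Kerberos to that name cannot succeed."
    } elseif ($spnOwner -notmatch "^CN=$([regex]::Escape($decryptor)),") {
        $warnings += "SPN HTTP/$HostName is on '$spnOwner' but tickets are decrypted with '$decryptor' " +
                     "(useKernelMode=$($win.useKernelMode), useAppPoolCredentials=$($win.useAppPoolCredentials))."
    }
    [pscustomobject]@{
        WindowsAuth = [bool]$win.enabled;  Anonymous = [bool]$anon.enabled
        Providers   = ($providers -join ' > ');  KernelMode = [bool]$win.useKernelMode
        AppPool     = $poolName;  PoolIdentity = $pm.identityType;  SpnOwner = $spnOwner
        Warnings    = $warnings
    }
}

Test-CertSrvKerberosConfig -HostName 'pki.mytest.com' | Format-List
```

An empty Warnings list with SpnOwner equal to the account in PoolIdentity (or the computer when kernel mode is on) is the configuration the accepted answers describe; the NTLM-first workaround reported by the asker will show up as a warning rather than as a fix.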
-
Microsoft recommends having a publicly routable UPN suffix, so instead of "mydomain.local" you should have "mydomain.com" as the UPN suffix (for cloud scenario purposes). Then you add the "mydomain.com" zone to your DNS server. Once you do, you should utilize a split-brain DNS scenario for your PKI (and other services) to create a DNS record like "pki.mydomain.com" pointing with an internal IP to your front-end server where you have your Web Enrollment, OCSP and repository for PKI certs and CRLs. The issuing CA should be used for issuing certs only, but that doesn't mean it is always used that way (many times it is integrated with Web Enrollment and other roles, depending on your server resources, the effort you want to put into separating roles per security guidelines, etc.).
For more information, I suggest you start by reading Brian Komar's book "Windows Server 2008 PKI and Certificate Security" and find best practices on TechNet. If you don't want to deep dive into PKI, simply hire PKI consultants.
I suggest closing this thread, as the issue has been identified and fixed.
- Marked as answer by Carito Friday, August 29, 2014 9:38 PM
Source: https://social.technet.microsoft.com/Forums/en-US/d3fa940a-87db-4554-9288-98823877276c/cant-access-certsrv-from-domain-machine-using-windows-authentication