Anti-Spyware Forums



Problems using the RAS and IAS certificate Template

 
 
Ken

 
      27-10-2004, 04:53 PM
I am trying to use the above template to deploy certificates to IAS servers.
In my test lab I have a Windows 2003 DC on which I have installed an Enterprise
CA. In the certificates template I have published the template in Active
Directory. On the security tab of the certificate I have added the RAS and
IAS security group, which the server I want to request a certificate for is a
member of, and given it read, write, enroll and auto-enroll permissions.
On the server I have loaded the certificate snap-in and in the Computer
Personal folder I have requested a certificate, but the only option listed is
computer certificate. I would appreciate any help on what I am doing wrong.

cheers

Ken

 
Steven L Umbach

 
      27-10-2004, 05:48 PM
If you have autoenroll configured the certificate should be issued
automatically. Try running gpupdate /force on the computer to see if that
helps. The computer certificate should work for your purpose anyhow if you
want to give that a try. The link below may help if you download and read
chapter 16 for PKI deployment. --- Steve

http://www.microsoft.com/downloads/d...displaylang=en
http://www.microsoft.com/technet/pro.../autoenro.mspx
-- autoenrollment procedures.


Brian Komar

 
      27-10-2004, 07:29 PM
Other possible issues:
1) Is the DC running Standard Edition or Enterprise Edition? Only
Enterprise Edition can issue v2 certificate templates (RAS and IAS
Servers is a v2 template).

2) Did not see that you have added the RAS and IAS Servers certificate
template to the Certificate Templates container in the Certification
Authority console. It must be available for enrollment.

3) It does sound like you have connected to the Machine store
(visibility of the Computer certificate), so that is not an issue.

4) Is the DC in a different domain than the forest root domain? The
default perms are only for the forest root domain.

HTH,
Brian
 

Ken

 
      27-10-2004, 08:49 PM
Hi Brian

Thanks for the reply. The DC is running Enterprise Edition and is in the
root domain. In point 2 you mention adding the cert into the Certificate
Templates container in the Certification Authority console. If you could
explain this I would be grateful. Also, if you can recommend any good docs on
autoenrollment I would be grateful.

Thanks

Ken


Brian Komar

 
      28-10-2004, 02:08 AM
At the DC, open the Certification Authority console. In the console
tree, right-click Certificate Templates, and click New Certificate
Template to Issue. Choose the RAS and IAS Server certificate template.

The autoenrollment whitepaper is available at

http://www.microsoft.com/technet/pro...2003/technologies/security/autoenro.mspx

I also cover autoenrollment in my PKI book,
http://www.microsoft.com/mspress/books/6745.asp, in Chapter 12, "Issuing
Certificates".

Brian
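
The console steps in the reply above have a command-line equivalent. The following is an added example, not part of the original post: it checks whether the template is in the CA's list of templates to issue and publishes it if not. It assumes `RASAndIASServer` is the internal (short) name of the "RAS and IAS Server" template and that `certutil -CATemplates` prints one `ShortName: Display Name` line per template.

```powershell
# Added example. Run in an elevated session on the Enterprise CA.
# Assumption: 'RASAndIASServer' is the short name of the "RAS and IAS Server"
# template; confirm it in the Certificate Templates snap-in before use.
$TemplateName = 'RASAndIASServer'

function Get-CAPublishedTemplate {
    # certutil -CATemplates lists the templates this CA is configured to issue.
    # Assumed line format: "ShortName: Display Name -- status".
    certutil -CATemplates | ForEach-Object {
        if ($_ -match '^\s*([^:\s]+):\s' -and $Matches[1] -ne 'CertUtil') {
            $Matches[1]
        }
    }
}

function Test-CATemplatePublished {
    param([Parameter(Mandatory)][string]$Name)
    # -contains returns $false when the list is empty or certutil failed.
    return (Get-CAPublishedTemplate) -contains $Name
}

if (Test-CATemplatePublished -Name $TemplateName) {
    Write-Output "$TemplateName is already available for enrollment on this CA."
}
else {
    # Same effect as Certificate Templates > New > Certificate Template to Issue.
    certutil -SetCATemplates "+$TemplateName"
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -SetCATemplates failed with exit code $LASTEXITCODE"
    }
    if (-not (Test-CATemplatePublished -Name $TemplateName)) {
        throw "$TemplateName still not listed; check CA edition and template permissions."
    }
    Write-Output "$TemplateName published on this CA."
}

# Then, on the IAS server that should receive the certificate:
#   gpupdate /force      # refresh policy, as suggested earlier in the thread
#   certutil -pulse      # trigger an autoenrollment pass
#   certutil -store My   # list certificates in the computer's Personal store
```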
 

Ken

 
      28-10-2004, 08:21 AM
Brian

Thanks for your help on this. One other question. We are deploying Live
Communication Server and, as this uses TLS, it requires both server and client
authentication. There is only a standalone CA deployed for this project. In
this scenario would it be possible to make a copy of the RAS/IAS certificate
template and configure it for deployment to all the Live Communication
servers? I guess what I am really asking is: are there any problems using
templates with a standalone CA, and how are they deployed to the LCS servers?
Can they still be autoenrolled or do I have to request them via the
//server/certsrv web page?

Many Thanks

Ken


Brian Komar

 
      28-10-2004, 10:30 AM


Standalone CAs do not support certificate templates, nor can you create
copies of certificate templates. You are correct that you would have to
request the certs via a manual mechanism, such as the certificate
services web enrollment page.

See the Advanced Enrollment white paper for more details on these types
of scenarios.

http://www.microsoft.com/technet/pro...2003/technologies/security/advcert.mspx

Brian


sgilmour

 
      13-10-2011, 04:05 PM
Hi, I am having similar issues. I have a 2008 Server R2 64-bit VM with an Enterprise Certificate Authority set up. I have set up the RAS and IAS Server certificate and also set up the Certificate Services Client - Auto-Enrollment, then did the gpupdate /force.
Now I want to use that same certificate on my 2003 Server VM for IAS for use with EAP-TLS.
On my 2003 Server I have registered the IAS Server in Active Directory and also done netsh ras add registeredserver SQA.net 2008SERVERR2. Both servers are on the same domain, SQA.net. When I do an mmc I am not seeing the RAS and IAS Server template. Am I missing something?
Thanks
Scott
 