Problems using the RAS and IAS certificate Template

Discussion in 'Security Software' started by Ken, Oct 27, 2004.

  1. Ken

    Ken Guest

    I am trying to use the above template to deploy certificates to IAS servers.
    In my test lab I have a Windows 2003 DC on which I have installed an Enterprise
    CA. In the certificates template I have published the template in Active
    Directory. On the security tab of the certificate I have added the RAS and
    IAS security group which the server I want to request a certificate for is a
    member of and given it read, write, enroll and auto-enroll permissions.
    On the server I have loaded the certificate snap-in and in the Computer
    Personal folder I have requested a certificate but the only option listed is
    computer certificate. I would appreciate any help on what I am doing wrong.

    cheers

    Ken
     
    Ken, Oct 27, 2004
    #1

  2. If you have autoenroll configured the certificate should be issued
    automatically. Try running gpupdate /force on the computer to see if that
    helps. The computer certificate should work for your purpose anyhow if you
    want to give that a try. The link below may help if you download and read
    chapter 16 for PKI deployment. --- Steve

    http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
    -- autoenrollment procedures.
     
    Steven L Umbach, Oct 27, 2004
    #2

  3. Ken

    Brian Komar Guest

    Other possible issues:
    1) Is the DC running Standard Edition or Enterprise Edition? Only
    Enterprise Edition can issue v2 certificate templates (RAS and IAS
    Servers is a v2 template).

    2) Did not see that you have added the RAS and IAS Servers certificate
    template to the Certificate Templates container in the Certification
    Authority console. It must be available for enrollment.

    3) It does sound like you have connected to the Machine store
    (visibility of the Computer certificate), so that is not an issue.

    4) Is the DC in a different domain than the forest root domain? The
    default perms are only for the forest root domain.

    HTH,
    Brian
     
    Brian Komar, Oct 27, 2004
    #3
  4. Ken

    Ken Guest

    Hi Brian

    Thanks for the reply. The DC is running Enterprise Edition and is in the
    root domain. In point 2 you mention adding the cert into the Certificate
    Templates container in the Certification Authority console. If you could
    explain this I would be grateful. Also, if you can recommend any good docs on
    autoenrollment I would be grateful.

    Thanks

    Ken
     
    Ken, Oct 27, 2004
    #4
  5. Ken

    Brian Komar Guest

    At the DC, open the Certification Authority console. In the console
    tree, right-click Certificate Templates, and click New Certificate
    Template to Issue. Choose the RAS and IAS Server certificate template.

    The autoenrollment whitepaper is available at

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

    I also cover autoenrollment in my PKI book.
    http://www.microsoft.com/mspress/books/6745.asp in Chapter 12 "Issuing
    Certificates"

    Brian
     
    Brian Komar, Oct 28, 2004
    #5
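
The publishing step described in the reply above, done from the command line instead of the Certification Authority console. This is an added example, not part of the original thread. It assumes an elevated session on the Enterprise CA itself and that the template's internal (short) name is `RASAndIASServer`; confirm the short name in the template's properties before relying on it.

```powershell
# Added example, not from the thread. Run on the Enterprise CA with CA admin rights.
# Assumption: 'RASAndIASServer' is the internal (short) name of the
# "RAS and IAS Server" template; check the template's General tab if unsure.
$TemplateName = 'RASAndIASServer'

function Test-TemplatePublished {
    param([Parameter(Mandatory)][string]$Name)
    # 'certutil -CATemplates' lists the templates this CA is set to issue,
    # one per line, each starting with "<ShortName>:".
    $lines = certutil -CATemplates
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -CATemplates failed:`n$($lines -join "`n")"
    }
    $pattern = '^\s*' + [regex]::Escape($Name) + ':'
    return [bool]($lines | Where-Object { $_ -match $pattern })
}

if (Test-TemplatePublished -Name $TemplateName) {
    Write-Host "$TemplateName is already available for enrollment on this CA."
}
else {
    # Same effect as New > Certificate Template to Issue in the CA console.
    # The leading '+' adds to the existing list instead of replacing it.
    certutil -SetCATemplates "+$TemplateName"
    if ($LASTEXITCODE -ne 0) { throw "Could not publish $TemplateName." }

    if (-not (Test-TemplatePublished -Name $TemplateName)) {
        throw "$TemplateName still not listed; check CA edition and template permissions."
    }
    Write-Host "$TemplateName published."
}

# Then, on the IAS server that should receive the certificate:
#   gpupdate /force     # refresh the autoenrollment policy
#   certutil -pulse     # trigger an autoenrollment pass now
#   certutil -store My  # list certificates in the computer's Personal store
```

If the template is listed on the CA but the IAS server still only offers the Computer template, the remaining checks are the ones in reply #3: CA edition and the Enroll permission on the template for the server's group.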
  6. Ken

    Ken Guest

    Brian

    Thanks for your help on this. One other question. We are deploying Live
    communication server and as this uses TLS it requires both server and client
    authentication. There is only a standalone CA deployed for this project. In
    this scenario would it be possible to make a copy of the RAS/IAS certificate
    template and configure it for deployment to all the Live Communication
    Servers? I guess what I am really asking is: are there any problems using
    templates with a standalone CA, and how are they deployed to the LCS servers?
    Can they still be autoenrolled or do I have to request them via the
    //server/certsrv web page?

    Many Thanks

    Ken
     
    Ken, Oct 28, 2004
    #6
  7. Ken

    Brian Komar Guest

    Standalone CAs do not support certificate templates, nor can you create
    copies of certificate templates. You are correct that you would have to
    request the certs via a manual mechanism, such as the certificate
    services web enrollment page.

    See the Advanced Enrollment white paper for more details on these types
    of scenarios.

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

    Brian
     
    Brian Komar, Oct 28, 2004
    #7
  8. Ken

    sgilmour

    Use 2008 Server NPS Certificate Authority on 2003 Server IAS

    Hi, I am having similar issues. I have a 2008 Server R2 64-bit VM with an Enterprise Certificate Authority set up. I have set up the RAS and IAS Server certificate and also set up the Certificate Services Client - Auto-Enrollment, then did the gpupdate /force.
    Now I want to use that same certificate on my 2003 Server VM for IAS for use with EAP-TLS.
    On my 2003 Server I have registered the IAS server in Active Directory and also done netsh ras add registeredserver SQA.net 2008SERVERR2. Both servers are on the same domain, SQA.net. When I do an mmc I am not seeing the RAS and IAS Server template. Am I missing something?
    Thanks
    Scott
    :)
     
    sgilmour, Oct 13, 2011
    #8
