
Problem when requesting a certificate to IIS server (certificate web enrollment)

Posted by alizeta.simpore on October 4, 2005, 9:50 am
Hello,

I want to implement a Windows 2003 PKI, but I have some problems.
When I request a certificate from my enterprise issuing CA, through the IIS
server interface, I get the following message:

"Error
Your request failed. An error occurred while the server was processing
your request.
Contact your administrator for further assistance

Request Mode:
newreq - New Request
Disposition:
(never set)
Disposition message:
(none)
Result:
No mapping between account names and security IDs was done. 0x80070534
(WIN32: 1332)
COM Error Info:
CCertRequest::Submit No mapping between account names and security IDs
was done. 0x80070534 (WIN32: 1332)
LastStatus:
No mapping between account names and security IDs was done. 0x80070534
(WIN32: 1332)
Suggested Cause:
No suggestions. "

Thanks for the information.



Posted by Steven L Umbach on October 4, 2005, 7:11 pm
If you have installed Service Pack 1 and the CA is installed on a domain
controller, see the link below for the changes in SP1 for Certificate Services
to see if that applies to your configuration.

http://support.microsoft.com/default.aspx/kb/889101

Look in the security/application/system logs of the CA server and the client
computer to see if anything is recorded there that may give you a clue.
Though the error message does not seem to indicate that this is the problem,
make sure the user/computer has read/enroll permissions to the certificate
template. Run the support tool netdiag on the CA server to make sure that
there are no problems with DNS, DC discovery, Kerberos, secure channel, and
read the link below on AD DNS to make sure you have DNS configured correctly
for the domain. If you are using an IIS server other than your CA server for
Web Enrollment, the computer account for the IIS server needs to be trusted
for delegation for Kerberos in Active Directory Users and Computers. Try
requesting the certificate via the MMC snap-in for certificates for
user/computer, as the case may be, to see if that works. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- AD
DNS FAQ.
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx#EAF





Posted by alizeta.simpore on October 5, 2005, 4:59 am
Thanks for replying!

I did what you suggested, but I didn't solve the problem.

I ran the support tool netdiag and everything seems to be OK.
The content of netdial.log is:
"
Computer Name: SDSIV-NA-PKI002
DNS Host Name: sdsiv-na-pki002.sdsiv-na-pki.local
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 2 Stepping 8, GenuineIntel
List of installed hotfixes :
KB819696
KB823182
KB823559
KB823980
KB824105
KB824141
KB824145
KB824146
KB825119
KB828035
KB828741
KB828750
KB833987
KB835732
KB839645
KB840315
Q147222
Q819639
Q828026


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : sdsiv-na-pki002.sdsiv-na-pki.local
IP Address . . . . . . . . : 10.27.223.74
Subnet Mask. . . . . . . . : 255.255.252.0
Default Gateway. . . . . . : 10.27.223.254
Primary WINS Server. . . . : 10.27.204.5
NetBIOS over Tcpip . . . . : Disabled
Dns Servers. . . . . . . . : 10.27.223.76


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed


WINS service test. . . . . : Skipped
NetBT is disable on this interface. [Test skipped].


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Skipped
There are no interfaces that have NetBT enabled. [Test skipped]


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Skipped
There are no interfaces that have NetBT enabled. [Test skipped]


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed


Redir and Browser test . . . . . . : Skipped
There are no interfaces that have NetBT enabled. [Test skipped]


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
Secure channel for domain 'SDSIV-NA-PKI' is to
'\SDSIV-NA-PKI04.sdsiv-na-pki.local'.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed
information


The command completed successfully"


Any ideas or suggestions?

Thanks.
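
Added example, not part of the original thread: a short Python parser for netdiag output in the layout posted above, listing every test that did not pass and any adapter with NetBIOS over TCP/IP disabled (the detail the next reply picks up on). The sample log is constructed, its Failed row is invented for illustration, and the function names are this example's own.

```python
import re

# Row shape: key, optional dot leader, colon, value ("DNS test . . . : Passed").
ROW = re.compile(r"^\s*(?P<key>[^:]+?)[ .]*:\s*(?P<value>\S.*?)\s*$")
STATUSES = {"Passed", "Failed", "Skipped"}

def parse_netdiag(text):
    """Split netdiag output into test results and per-scope settings."""
    tests, settings, scope, last = [], {}, "global", None
    for line in text.splitlines():
        stripped, m = line.strip(), ROW.match(line)
        if not stripped or stripped.endswith(":"):
            last = None  # a blank line or section header ends a test's detail
            if stripped == "Global results:":
                scope = "global"
        elif m and m["value"] in STATUSES:
            last = {"scope": scope, "name": m["key"], "status": m["value"], "detail": ""}
            tests.append(last)
        elif m and m["key"] == "Adapter":
            scope, last = m["value"], None
        elif m:
            settings[(scope, m["key"])] = m["value"]
            last = None
        elif last is not None:  # free text directly under a test row
            last["detail"] = (last["detail"] + " " + stripped).strip()
    return tests, settings

def needs_review(tests, settings):
    """Non-passing tests, plus adapters with NetBIOS over TCP/IP disabled."""
    found = [f"{t['scope']}: {t['name']} = {t['status']} "
             f"({t['detail'] or 'no detail given'})"
             for t in tests if t["status"] != "Passed"]
    found += [f"{scope}: {key} = {value}"
              for (scope, key), value in settings.items()
              if key == "NetBIOS over Tcpip" and value == "Disabled"]
    return found

# Constructed sample in the layout of the log above; the Failed row is invented.
SAMPLE = """\
Adapter : Local Area Connection
NetBIOS over Tcpip . . . . : Disabled
WINS service test. . . . . : Skipped
NetBT is disable on this interface. [Test skipped].
Global results:
DNS test . . . . . . . . . . . . . : Passed
Kerberos test. . . . . . . . . . . : Failed
"""
if __name__ == "__main__":
    print("\n".join(needs_review(*parse_netdiag(SAMPLE))))
```

Skipped rows are reported along with Failed ones because a skipped test has verified nothing; whether it matters depends on the reason given in its detail line.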



Posted by Steven L Umbach on October 5, 2005, 10:01 am
Your netdiag results look good, though I see you have NetBIOS over TCP/IP
disabled on the CA. I would not think that is related, but you may want to
enable it, even if just temporarily, to see if that makes a difference, as I
have seen stranger things. A search of Google for your problem suggested
trying the below from user Madcow at MSExchange.org. Also verify that the
computer account for the CA is enabled for delegation in its properties in
Active Directory Users and Computers. If problems still persist, at least
try requesting a certificate via the MMC snap-in for certificates on the
client computer to see if that works or not (from the folder for
personal/certificates, where you right click and select all tasks - request
new certificate) to try and determine if the problem is with Web Enrollment
or access to the CA in general. --- Steve

http://forums.msexchange.org/m_170169400/tm.htm

"In your IIS click default website -> home directory -> configuration ->
options TAB -> and make sure the ENABLE SESSION STATE is selected.

If not select this option and restart the IIS and then try to create a
certificate again."







Posted by Kristoffer Nørkjær Randløv jep on October 14, 2005, 3:11 pm
I'm having the same problem.
I have installed the web enrollment pages on a web server in my DMZ.

When I request certificates I get the same error.

I have set the trust computer for delegation in ADUC.







