
RPC Server Unavailable When Requesting Computer Certificate

microsoft.public.windows.server.security
Posted by Ben on September 16, 2005, 12:07 pm
Hi,

I'm trying to set up a machine for use with our VPN. We will be using L2TP &
smartcards, so I need to request a computer certificate. Up till now I've
been able to configure most computers when people are in the office,
connected to the domain, using automatic certificate deployment via group
policy. However we have 1 user who is not going to be in the office, but
needs VPN access.

So I've changed the VPN access to allow PPTP temporarily, and asked him to
connect, then I've used remote assistance to terminal service into his
machine. From there I've managed to use the web based enrollment to download
the CA certificate, and tried to use the certificates MMC snap in to request
a computer certificate. However I get the initial screen up, asking which
certificate I'd like, common name etc, but when I press finish, the system
hangs for about 10 seconds, then errors with "RPC Server is unavailable".

At first I thought this might be a firewall issue, as he was running windows
firewall, as well as Symantec firewall. So I disabled both, and also the
firewall on his 3com router. However after trying again, with a number of
reboots, it still errors. I can ping the CA, the domain, and other
computers.

Does anyone have any ideas as to how I can successfully request a computer
certificate? Is there another way of doing it? I notice there is no computer
certificate option in the web enrollment form, even though the template has
been added to the CA.

We're using ISA 2004 as the VPN server, and it's allowing all protocols
through from VPN > internal, and Internal > VPN. The DC is windows 2003
server, and the client machine is Windows XP pro SP2.

Many thanks

Ben




Posted by Ozone on September 20, 2005, 11:21 am
The one thing that I would do is to start Netmon on both ends and run them
while making the request for the cert. You should see one of them come back
with a Port access issue. With this info, you will know what you need to do
on the firewall for RPC to work and allow for the cert request to work
properly...



Posted by Ben on September 21, 2005, 9:53 am
Hi Ozone,

Thanks for the reply, I will give the end user a call and give this a try
over remote assistance! Thanks for the advice!

Ben





Posted by Steven L Umbach on September 20, 2005, 4:47 pm
Your best bet would be to enable the "offline ipsec" certificate template
for the CA and have him request that via Web Enrollment. The RPC error is
usually because of a firewall problem or DNS problem. If you had to you
could manually request the certificate yourself for that computer and
specify that computer name in the request. Then export the
certificate/private key from your computer [select option to export whole
certificate chain to include CA certificate] to a password-protected .pfx
file and send it to the user with instructions how to import it into the
"computer" certificate store. Note that the user would need to be a local
administrator to request and install the certificate. --- Steve



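The manual route described in Steve's reply above (request the certificate for the remote computer by name, export it with its private key and chain, then import it on the target), as an added example that is not part of the original thread. It assumes a current Windows workstation with certreq and the PKI PowerShell module, that the offline IPsec template is published on the CA under the internal name IPSECIntermediateOffline, and placeholder host, CA and file names.

```powershell
# Added example. Run elevated on the administrator's domain-joined workstation.
# Placeholders (constructed): computer name, CA config string, output file names.
$Computer = 'REMOTE-PC.corp.example'            # FQDN of the off-site machine
$CaConfig = 'CA-HOST.corp.example\Example-CA'   # "<CA host>\<CA name>"
$Template = 'IPSECIntermediateOffline'          # assumed internal name of the offline IPsec template

# 1. Request policy. The subject is supplied in the request (the offline template
#    allows this), the key goes in the machine store, and Exportable = TRUE is what
#    later makes the private-key / PFX export options available.
@"
[NewRequest]
Subject = "CN=$Computer"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Encoding ASCII -Path "$Computer.inf"

# 2. Create the key pair and PKCS#10 request, submit it to the CA, install the result.
certreq -new "$Computer.inf" "$Computer.req"
certreq -submit -config $CaConfig "$Computer.req" "$Computer.cer"
certreq -accept "$Computer.cer"

# 3. Export certificate, private key and CA chain to a password-protected PFX.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Computer" -and $_.HasPrivateKey } |
    Sort-Object NotBefore | Select-Object -Last 1
if (-not $cert) { throw "No certificate with a private key found for CN=$Computer" }
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$Computer.pfx" `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# 4. The key belongs to the remote machine only: remove the copy from this
#    workstation, and give the user the PFX password over a separate channel.
Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey
Remove-Item "$Computer.inf", "$Computer.req", "$Computer.cer"
```

On the remote computer the PFX is then imported into the Local Computer "Personal" store by a local administrator, as the reply notes.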



Posted by Ben on September 21, 2005, 9:52 am
Hi Steve,

Thanks for the reply. I had looked into doing this, but I couldn't find any
documentation on how to request a certificate on behalf of another computer
(lots of documentation for doing another user). I've installed the
certificate for "enrollment agent (computer)", but if I do 'request new
certificate' and select computer, I don't get the option to enter the other
computer name, even if I select advanced, I can put it in the friendly name,
but at the end on the details screen, computer name is still that of my
computer. If I try to export this, I don't get the option to export the
private key, it's greyed out. And the only certificate format I can export
to is DER encoded, Base-64 or Cryptographic message syntax, again the option
for PFX is greyed out!
If you know of any documentation that exists, could you point me in the
right direction!

Cheers

Ben





