Can't install user certificate from other AD domains

Fadoul <fadhe***@free.fr> wrote:

I have a certificate server running on a W2k3 SP2 server. This server is a global catalog. All user certificates are processed correctly when accessed from the main root AD domain, but when I tried to request a user certificate from the web interface (certsrv), users from the second domain in my AD forest cannot authenticate. I have this in the IIS log:

2007-10-17 14:14:27 W3SVC1 172.16.1.61 GET /certsrv/Default.asp - 443 DOMAIN2\TEST 172.16.102.130 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 401 3 0

and in the web page, after 3 attempts, I get an HTTP 401.3 "not authorised" error.

With the Certificates MMC, the CA server is not found at all.

I tried to add rights manually for users of my domain2 on c:\windows\system32\certsrv and on the User certificate template. I went into Active Directory Sites & Services, showed the Services node, went into Services, Public Key Services, browsed all objects and modified the security to include the group of my domain2 users. But it still doesn't work...

Can somebody help?
David Wang <w3.4***@gmail.com> replied (quoting Fadoul's post of Oct 17, 7:43 am):

It looks like the certsrv website content itself does not have NTFS ACLs which give permissions to domain2. Is the trust between these two domains set up correctly? Are the domains in the same or different AD forests?

The website content is not in AD, so I don't think you changed ACLs for the right thing.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Fadoul replied:

Thanks for your reply David,
The domains are in the same AD forest. I triple-checked the NTFS ACL of the certsrv website: I have added the domain2 group in which all users of domain2 are, and I also added domain2\usertest manually. I did it through Authorization in the IIS admin MMC console and checked the NTFS rights on the c:\windows\system32\certsrv folder. It looks OK.

I modified the ACL of the User template too, by adding the same group in the security panel; same result. I am just wondering if there is a link with the fact that I am using Windows 2003 Standard and not Enterprise. I know that a CA on Standard is limited compared to a CA on Enterprise 2003; maybe there are limitations regarding access from a second domain because of that?

Fadhel

Ken Schaefer <kenREM***@THISadOpenStatic.com> replied:

Enterprise should only be needed if you need to edit certificate templates
(e.g. create your own cert templates).

At what point in the web enrolment process do you get the 401? When the user first attempts to access the site? Or when the user is attempting to enrol/get their certificate?

Cheers
Ken

Fadoul wrote (Oct 18, 9:22 am):

I cannot authenticate on https://gc.domain.com/certsrv with domain2\user or
u***@domain2.com; after 3 attempts I get the 401.3 "not authorised" error. With domain\user there is no problem authenticating to the web certsrv application and getting any configured certificate.

David Wang replied:

OK, with those errors, this doesn't look like an IIS issue nor anything
to do with user certificates at all. It looks like users in domain2 cannot even authenticate to the domain. You'll have to solve that at the AD level. IIS is not even running Cert Server right now, because the remote user never authenticated and logged on for IIS to run Cert Server.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Fadoul replied:

This is what I thought too, because in the IIS log I don't see any error. I
checked the logs in the Windows Event Viewer on gc.domain1.com too, and I saw nothing; I have to check what audit configuration I need to modify to get more information. Regarding authentication in AD, domain2 is in the main root forest, and users from domain2 can access shares on domain1 without any problem, so I don't know where to check?