nmpuk-7662 asked:
Microsoft CA - Web enrollment permissions issue.

Windows server 2016 and running Microsoft CA offline root, with a SubCA\Issuing CA on a member server.

This has worked in the past but currently experiencing issues with permissions for users delegated permissions to request certs. This is an engineering \ test environment.

This was previously working but recently attempted to request a certificate and getting errors relating to permissions on certificate templates, as below.

"No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory"

Permissions are delegated through a group for read and enrol on certificate templates, and 'Issue & Manage certificates' and 'Request certificates' on the Issuing CA, to that group.

I don't see any other relevant errors in the logs, but users in this delegated group simply cannot submit a request on the http://server/certsrv/en-us portal; they get the above error message.

Permissions on IIS is configured for Windows Authentication only, and the app pool for CertSrv is configured for NetworkService.

Enterprise admins can submit new requests when tested.

PKIView shows everything OK.

Thoughts?

windows-server-security

nmpuk-7662 answered:

Ok, so a minor update. Checking through some perms today, I noticed that PKIView is throwing a couple of errors today: the .crl and cert for the offline root are both showing as 'Unable to download'. The cert and CRL are both present in the CertEnroll folder and manually fetching them works fine. Not sure why that's suddenly happening. Yesterday this was showing 'OK'.


DaisyZhou-MSFT answered:

Hello @nmpuk-7662,

Thank you for posting here.

To better understand your question, please confirm the following information:
1. What certificate template do you use (user certificate template or computer certificate template)?
2. Could you please check if you can enroll one certificate using the same certificate template via the MMC method?
3. Can you confirm if you use http://server/certsrv/en-us or http://server/certsrv?
4. Did you receive the error message you mentioned after you typed http://server/certsrv/en-us and pressed Enter immediately? If so, at what step did you receive the error message you mentioned? If you can provide a screenshot, it would be better.

I know about permissions on certificate templates, but what do you mean by the following two descriptions?

"Permissions are delegated through a group for read and enrol on certificate templates, and 'Issue & Manage certificates' and 'Request certificates' on the Issuing CA, to that group."
&
"experiencing issues with permissions for users delegated permissions to request certs."


Tip: the issue "that PKIView is throwing a couple of errors today on the .crl and cert for the offline root are both showing as 'Unable to download'. " may not be related to the Web enrollment permissions issue.


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


nmpuk-7662 answered:

Hi,

Thanks for the reply - please see my responses in line;

1. What certificate template do you use (user certificate template or computer certificate template)?

A. None of the published certificate templates are appearing; specifically, I am attempting to issue a web server certificate.

2. Could you please check if you can enroll one certificate using the same certificate template via the MMC method?

A. Will check shortly and confirm back.

3. Can you confirm if you use http://server/certsrv/en-us or http://server/certsrv?

A. I am using https://server/certsrv/en-us.
https://server/certsrv results in an access denied error message.
What's the difference?

4. Did you receive the error message you mentioned after you typed http://server/certsrv/en-us and pressed Enter immediately? If so, at what step did you receive the error message you mentioned? If you can provide a screenshot, it would be better.

A. No. The error only occurs on the third step: after choosing 'Request a Certificate' and selecting 'Create and submit a request to this CA.', we get the prompt below;

74879-error-1.jpg

A. Clicking Yes on this prompt loads the page and you get the following error:

74880-error2.jpg

A. Similarly, when choosing 'Request a certificate' and then selecting 'Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.', we get the following errors;

74913-error-3.jpg

I know about permissions on certificate templates, but what do you mean by the following two descriptions?

"Permissions are delegated through a group for read and enrol on certificate templates, and 'Issue & Manage certificates' and 'Request certificates' on the Issuing CA, to that group."

A. Permissions have been delegated with reference to a Microsoft article whereby a specific global group for certificate management has been granted the following permissions on the Sub CA itself;

75001-ca-perms.jpg

A. and the following permissions on the certificate template itself.

74972-cert-perms.jpg



Will post results of issuing via mmc shortly.

thanks




DaisyZhou-MSFT answered:

Hello @nmpuk-7662,

I am sorry for the late reply.

Thank you for your very detailed update.

Q: I am using https://server/certsrv/en-us.
https://server/certsrv results in an access denied error message.
What's the difference?

A: Usually, we use the http://servername/certsrv (http://localhost/certsrv) or https://servername/certsrv (https://localhost/certsrv) web page to request a cert (the https page is bound to a cert; it is safer).

Tip: servername is the machine name with Certification Authority Web Enrollment role.

Or we can check on the server with Certification Authority Web Enrollment role (in my case, I installed Certification Authority Web Enrollment role on CA server).

76183-iis3.png

Open IIS and open the browser.
76185-iis1.png

And in my lab, I will open the web page below.
76254-iis2.png


1. Could you please check if you can enroll one certificate using the same certificate template you mentioned via the MMC method?

2. For the Subject Name tab on the Web Server cert template:

Select "Supply in the request"

Tip: we must select "Supply in the request" under the Subject Name tab, then we can see this certificate template through the web page.




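Both conditions raised so far, the delegated group's Enroll right on the template (from the original question) and "Supply in the request" (from this answer), live on the template's object in the AD Configuration partition, so they can be checked without clicking through certsrv. The PowerShell below is an added example, not code from this thread or from Microsoft. It assumes the RSAT ActiveDirectory module, a domain account that can read the Configuration naming context, and placeholder names for the template CN (WebServer) and the delegated group (PKI-Cert-Requesters); the final Get-CATemplate check needs the ADCSAdministration module and only works when run on the issuing CA itself.

```powershell
# Added example (not from the thread): read a certificate template's AD object to see
# (a) who holds Enroll on it and (b) whether "Supply in the request" is set.
Import-Module ActiveDirectory

$TemplateName = 'WebServer'            # template CN, not its display name ("Web Server")
$GroupToCheck = 'PKI-Cert-Requesters'  # hypothetical delegated group from the question

# Extended-right GUIDs that certificate templates use for Enroll / AutoEnroll
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$template = Get-ADObject -Identity $templateDN -Properties displayName, 'msPKI-Certificate-Name-Flag'

# "Supply in the request" in the template GUI is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1)
# in msPKI-Certificate-Name-Flag.
$nameFlag        = [int]$template.'msPKI-Certificate-Name-Flag'
$suppliesSubject = ($nameFlag -band 0x1) -ne 0
"{0}: Supply in the request = {1}" -f $template.displayName, $suppliesSubject

# Walk the template DACL and list every Allow ACE that carries Enroll or AutoEnroll.
# Full Control ACEs (GenericAll, empty ObjectType) also imply Enroll but are not listed here.
$acl = Get-Acl -Path "AD:\$templateDN"
$enrollAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.ObjectType -in @($EnrollRight, $AutoEnrollRight)
}
foreach ($ace in $enrollAces) {
    $right = if ($ace.ObjectType -eq $EnrollRight) { 'Enroll' } else { 'AutoEnroll' }
    "{0,-40} {1}" -f $ace.IdentityReference, $right
}

# Does the delegated group hold an explicit Enroll ACE on this template?
$groupHasEnroll = $enrollAces | Where-Object {
    $_.ObjectType -eq $EnrollRight -and $_.IdentityReference.Value -like "*\$GroupToCheck"
}
if (-not $groupHasEnroll) { Write-Warning "$GroupToCheck has no explicit Enroll ACE on $TemplateName" }

# Is the template published on this CA at all? (ADCSAdministration module; run on the CA)
if (Get-Command Get-CATemplate -ErrorAction SilentlyContinue) {
    if (-not (Get-CATemplate | Where-Object Name -eq $TemplateName)) {
        Write-Warning "$TemplateName is not published on this CA (compare certutil -CATemplates)"
    }
}
```

If the group shows an Enroll ACE here and the subject flag is set, the remaining variables for a template missing from certsrv are Read on the template (Authenticated Users normally have it) and whether the template is published on the CA, which the last check covers.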

nmpuk-7662 answered:

Thanks for the reply. Couple points with your suggestions.

I have tested and can request a certificate through mmc, however, the mmc has to be run under the local computer context (requesting web server certificate) and the certificate is shown as issued to 'hostname$'.

If I launch mmc in the user context, the wizard shows no certificate templates available as below;
76364-mm-no-certs-error.jpg

This user is a member of the group granted permissions to read and enrol on the web server certificate.

If I repeat this process in computer context (computer is granted permissions on the web server template), I can select the template and enrol the certificate by manually completing the certificate attributes.

NOTE: I do NOT get an option to 'Supply in the request'. Where are you expecting to see this? See below

76346-mmc-subject-tab.jpg


Secondly, I checked web enrolment, and the virtual directory contents of http://server/certsrv are actually empty except for the certdat.inc file and two subfolders, including en-us, which contains the web enrollment pages. As such, if I try to browse to http://server/certsrv I get an 'access denied'

76355-web-error.jpg

I believe this has always been the case, and removing and reinstalling the 'Certification Authority Web Enrollment' role, doesn't resolve this.

In a nutshell, the crux of the issue is that we need to submit CSRs created by third-party (non-Windows) devices as base64 encoded. We used to use web enrolment for this and it used to work. It would be great to get this working, but also to understand if there are other, better ways, as I understand that web enrollment is pretty much deprecated.

Thanks



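Since the goal stated in this post is signing CSRs generated on non-Windows devices, the route that does not depend on the certsrv pages at all is certreq -submit against the issuing CA with the template pinned as a request attribute. The following is an added example, not from the post or from Microsoft; the CA config string, file paths and template CN are placeholders, and it assumes the calling account has Enroll on the template and Request Certificates on the CA, as the question describes.

```powershell
# Added example, not from the thread: sign a CSR made on a non-Windows device via
# certreq instead of the certsrv pages. Needs certreq/certutil (installed with the
# AD CS management tools). All names below are hypothetical placeholders.
$CAConfig = 'ISSUINGCA01.corp.example\Corp Issuing CA'   # "<host>\<CA common name>"
$Template = 'WebServer'                                   # template CN; certutil -template lists them
$CsrPath  = 'C:\csr\appliance01.csr'                      # Base64 PKCS #10 from the device
$CerPath  = 'C:\csr\appliance01.cer'                      # issued certificate
$P7bPath  = 'C:\csr\appliance01.p7b'                      # issued certificate plus chain

# 1. Decode the CSR first: subject, SANs, key size, and that its self-signature verifies.
certutil -dump $CsrPath
if ($LASTEXITCODE -ne 0) { throw "CSR does not decode as PKCS #10 (exit $LASTEXITCODE)" }

# 2. Submit. A foreign CSR carries no certificate-template extension, so the template
#    is pinned with -attrib; an enterprise CA denies a request it cannot map to a
#    template (CERTSRV_E_NO_CERT_TYPE). -config avoids the CA-picker dialog, which
#    matters when this runs unattended.
certreq -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $CsrPath $CerPath $P7bPath

# 3. If the CA or template holds requests as pending, certreq prints a RequestId and
#    writes no certificate; a holder of "Issue and Manage Certificates" approves it
#    and the requester retrieves it afterwards:
#      certutil -config $CAConfig -resubmit <RequestId>
#      certreq  -retrieve -config $CAConfig <RequestId> $CerPath
if (-not (Test-Path $CerPath)) {
    Write-Warning "No certificate written; the request was denied or is pending (see certreq output)"
    return
}

# 4. Confirm the issued certificate chains to the offline root and is not revoked.
certutil -verify $CerPath
```

The -attrib value must be the template's CN (WebServer), not its display name (Web Server). Because the CSR comes from a device that will never join the domain, this path also keeps the private key on that device; only the public request crosses to the CA.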

DaisyZhou-MSFT answered:

Hello @nmpuk-7662,

Thank you for your update.

If I launch mmc in the user context, the wizard shows no certificate templates available as below;
A: Because it is computer certificate template, only administrator under the local computer context can see it.

NOTE: I do NOT get an option to 'Supply in the request'. Where are you see expecting to see this? See below
A:On the certificate template.
76704-web2.png

I mean if you want to see "Web Server" certificate template through certsrv web page (http://localhost/certsrv or https://localhost/certsrv), you need to select the option 'Supply in the request'.

76721-web.png

But you can see the Web Server cert template via MMC whether or not you select the option 'Supply in the request'.


403 error seems like permission issue. Do you have the same 403 issue on any machine?


Here is a similar case for CSR as base64 encoded cert request.

I have replied before.

Unable to sign CSR with Microsoft Windows CA
https://docs.microsoft.com/en-us/answers/questions/89382/unable-to-sign-csr-with-microsoft-windows-ca.html


Best Regards,
Daisy Zhou




nmpuk-7662 answered:

Thanks for the reply. I can confirm that my certificate template is configured for "Supply in the request" as mentioned above.

I understand that computer certs need to be requested by the certlm.msc console, and users through certmgr.msc, and as mentioned above, that is working for me.

However, I am not able to submit a csr request through web enrollment for a web server certificate, as you are able in your own testing. This is the crux of the matter and did used to work before. In your screenshot above, you are being presented the 'web server' certificates for enrolment. Are you running the internet browser in your own user context? How are you getting web enrollment to provide this?

Also, 403 is forbidden to browse directory contents; it's not a permissions issue, it's actually that there are no web pages in the \certsrv folder. See below a picture of the contents of the http://server/certsrv folder:
76880-iss-contents-1.jpg

versus the contents of the folder https://server/certsrv/en-us folder:
76888-iis-contents-2.jpg



DaisyZhou-MSFT commented:

Hello @nmpuk-7662,

Thank you for your update.

Are you running the internet browser in your own user context? How are you getting web enrollment to provide this?
Yes, it is my lab.

I set up one-tier CA and install 'Certification Authority Web Enrollment' role on CA server.

ADCS Step by Step Guide: Single Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx


That is all.



Best Regards,
Daisy Zhou

nmpuk-7662 answered:

Thanks, so it's possible to use web enrollment for enrolling computer-based certs like the web server cert. This is what isn't working for me. Can you help?

DaisyZhou-MSFT commented:

Hello @nmpuk-7662,

Thank you for your update.

It seems the 'Certification Authority Web Enrollment' role is not configured correctly.

I suggest you install an AD CS server in your lab and install and configure the 'Certification Authority Web Enrollment' role, and if it is OK in your lab, then you can check the issue again.




Best Regards,
Daisy Zhou

nmpuk-7662 answered:

Thanks, but I have already removed and reinstalled the Web enrollment role, as mentioned earlier, and that hasn't resolved the issue.

If I was able to reproduce and resolve the issue myself, I wouldn't have bothered to post on this support forum.

I'm hoping someone with greater knowledge than my own, would be able to assist.


DaisyZhou-MSFT answered:

Hello @nmpuk-7662,

Thank you for your update.

You can try to troubleshoot it based on the following link below.

Error when a user requests certificate from CA web enrollment pages: No certificate templates could be found
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/no-certificate-templates-be-found

And here is a case with the same error for your reference.
Web Enrollment - No certificate templates could be found
https://social.technet.microsoft.com/Forums/lync/en-US/eb860d3c-9b63-4ebd-8192-1a000c305a46/web-enrollment-no-certificate-templates-could-be-found?forum=winserverDS

I hope CA expert can provide more help, too.

Thank you for your understanding.



Best Regards,
Daisy Zhou
