MikhailFirsov-1277 asked

Problem with CA Web Enrolment in Windows Server 2022

Hello,

Every time I deploy Exchange Server I need to create and install a web server certificate on the mail server: for this the copy of the built-in Web Server certificate template is made and - after minor modifications - the Exchange Server's certificate must be created based on that modified certificate template. I've never had any issues when doing it. Now when I deployed the WinServer 2022 DC for the first time and installed the CA and the Web Enrollment on it I got this:

1) If I try to request the Exchange Server's certificate (on https://dc.domain.com/certsrv) from the DC, I see only two certificate templates:
[screenshot: ca2.png]

2) When I connect to the same page from the Exchange server I see more certificate templates...
[screenshot: ca3.png]


...including the built-in Web Server certificate template - but still do NOT see the Contoso Web Server certificate template, which is the copy of the built-in Web Server template!

...don't have any ideas what can be wrong here... :(



@MikhailFirsov-1277 It is difficult to reproduce your problem based on this message, I suggest you open a case via: https://support.microsoft.com, one of our engineers will help try to find the root cause.


Hi,

What is the version of the Contoso Web Server template? Only v1 and v2 templates are allowed in the Web Enrollment pages; see https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/cng-templates-not-appear-certificate-web-enrollment for more information.

Martin

MikhailFirsov-1277 answered

Hi SamWu,

"It is difficult to reproduce your problem based on this message" - why? If there's a Windows Server 2022 DC+CA at hand it's a matter of minutes to reach https://dc.../certsrv and at least see whether the Web Server template is available or not - any domain admin must see this template...


MikhailFirsov-1277 answered

P.S. Can anyone tell me what defines whether a certificate template is available for selection on the web enrollment page or not?
I know only one parameter - the Security settings (Read+Enroll). Is there anything else?


MikhailFirsov-1277 answered

Hi SamWu-MSFT,

"What is the version of the Contoso Web Server template? Only v1 and v2 templates are allowed in Web Enrollment Pages" - v4 (this time I selected Windows Server 2016 on the template's properties page).

After re-issuing the template as v2 it did not appear in the template list until I granted Authenticated Users the Read and Enroll permissions, which I've never done before! So you were right - v4 doesn't work at all, ALTHOUGH THE ARTICLE YOU MENTIONED ABOVE APPLIES ONLY TO Windows Server 2008/2012!!!

There's, however, one question left: why do the different templates show up differently on the Web Enrollment page?
[screenshot: q3.png]

In other words: why does the Web Server template not require the Authenticated Users\Enroll permission while the copy (v2) of this template, Contoso Web Server, does require it? I'm requesting those certificates as a domain\enterprise admin, so theoretically I should NOT need the extra permission for the Authenticated Users group (and I've never done it before)?


MartinRublik-0301 answered

You really should NOT grant Authenticated Users the Enroll right; this would mean that anyone can issue a certificate. Perhaps try adding the Enroll right directly to your account or to a specific group, and try to avoid using groups that need elevated application rights (UAC).

Martin

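Martin's two points (the v1/v2 schema limit for the web enrollment pages, and the risk of granting Enroll to Authenticated Users) can be checked in one pass over the Configuration partition. This is an added example, not code from the thread or from Microsoft; it assumes a domain-joined host with the ActiveDirectory module, read access to the PKI containers, and the well-known GUID of the Certificate-Enrollment extended right.

```powershell
# Added example: inventory AD CS templates by schema version, publishing CA and Enroll holders.
Import-Module ActiveDirectory

# Well-known GUID of the Certificate-Enrollment extended right ("Enroll" in the template ACL).
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$PkiBase     = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Map template name -> CAs that publish it (a template no CA publishes never appears in certsrv).
$PublishedOn = @{}
Get-ADObject -SearchBase "CN=Enrollment Services,$PkiBase" -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object {
        $ca = $_.Name
        foreach ($t in $_.certificateTemplates) {
            if (-not $PublishedOn.ContainsKey($t)) { $PublishedOn[$t] = @() }
            $PublishedOn[$t] += $ca
        }
    }

function Get-TemplateEnrollers {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    # Enroll is held through an Allow ACE for the Enroll extended right, an ACE for all
    # extended rights (empty ObjectType), or GenericAll on the template object.
    $Acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                 ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty))
            )
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

# Groups that effectively mean "every domain principal"; Enroll for these deserves a review.
$BroadGroups = 'Authenticated Users|Domain Users|Domain Computers|Everyone'

Get-ADObject -SearchBase "CN=Certificate Templates,$PkiBase" -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version', nTSecurityDescriptor |
    ForEach-Object {
        $version   = [int]$_.'msPKI-Template-Schema-Version'
        $enrollers = @(Get-TemplateEnrollers -Acl $_.nTSecurityDescriptor)
        [pscustomobject]@{
            Template         = $_.Name
            SchemaVersion    = $version
            WebEnrollmentOK  = ($version -le 2)                       # v3/v4 (CNG) templates are never listed
            PublishedOn      = ($PublishedOn[$_.Name] -join ',')
            Enrollers        = ($enrollers -join ';')
            BroadEnrollRight = [bool]($enrollers -match $BroadGroups)  # $true = Martin's warning applies
        }
    } | Sort-Object BroadEnrollRight -Descending | Format-Table -AutoSize
```

A template shows up in certsrv only when all three columns line up: a CA publishes it, it is v1 or v2, and the requesting account holds Read and Enroll; a v4 copy such as the one in the question fails the second test no matter what the ACL says.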

MikhailFirsov-1277 answered

"You really should NOT grant authenticated users enroll right, this would mean that anyone can issue a certificate." - I know, but in WinServer 2022 it was the only method to issue a certificate - maybe it's a bug; I'm opening a case with MS right now.


MikhailFirsov-1277 answered (edited)

...just so as not to post a new question: would anybody please tell me whether there should be any difference between IE and Edge regarding installed certificates?

One of the steps in deploying Exchange Servers is the installation of the company-specific certificate on the Exchange computers. After creating and installing such a certificate it works perfectly in IE (as in previous versions of Windows Server) but throws an error in Windows Server 2022's default browser, Edge:
[screenshot: q11.png]

[screenshot: q12.png]

As far as I understand it, Edge doesn't look in the Windows certificate store, but that's rather strange for the default browser...


DanielKaliel-3171 answered

It was the version that was limiting web enrollment.


MikhailFirsov-1277 answered

"It was the version that was limiting web enrollment." - what does "the version" mean - any Windows Server 2022 Standard or just some specific release?
