Do Sysadmins Dream Of Electric Sheep?

A collection of random mutterings and mumblings about Windows and other technologies…

Unable to see certificate templates in CertSrv

Posted by Joe Thompson on June 14, 2011

I came across a really frustrating issue yesterday while trying to generate a new certificate through a Microsoft CA running on Windows Server 2008. I’ll describe the symptoms first in case anyone else is experiencing the same issue before outlining the fix.

The first step was to generate a CSR from the server holding the website we needed the certificate for. A bit of confusion about how to do this in IIS 7.0 ensued but was resolved relatively quickly (see other post for more info…) – so far so good.

Next stop was to generate a certificate from the CSR. Usually, I connect to the certificate server via a web browser using the standard MS URL(http://servername/certsrv) but this time I kept being blocked by a login prompt. Using the same login credentials I had logged onto the server with, after three attempts I received a “401 – Unauthorized: Access is denied due to invalid credentials” error.

Great.

So, next I jumped onto the certificate server itself to see where I was being denied access. Log on was fine, so no denied access to the server itself. Open IIS, check the paths to the CertSrv folders, all access and permissions seem to be fine. Open a browser on the certificate server, connect to the same URL, still the same problem???

Ok, so how else can I access this site. Back into IIS and navigate down to the CertSrv virtual directory. Using the Manage Application menu in IIS, I first tried “Browse *:80 (http)” – same result – then “Browse *:443 (https)” – success!!!

Or so I thought…

In fact, as I followed the certificate generation process through (Request a certificate > Submit a request using….) I first received an error:

On clicking ok, I was unable to choose any templates to generate the certificate with:

Ok – so using https isn’t working then. What do I do with this?

After much, much trawling around the internet, and seeing quite a few others with similar problems but none with a solution, I stumbled across one suggestion that the application pool identity needed changing to NetworkService.

The site in question suggested created a new app pool separate from the DefaultAppPool to prevent disrupting any other sites, but as this server is a dedicated certificate authority, I knew that there was little chance of upsetting anything else:

Simply changing the setting seemed to resolve the issue, however to be on the safe side you may want to recycle the app pool or even run an IIS reset to refresh everything.

I hope this is of benefit to someone else because it had me stumped for hours!!

About these ads

9 Responses to “Unable to see certificate templates in CertSrv”

  1. rikkos2 said

    Excellent post, was banging my head about this…
    Thanks! This solved my problem completely.

  2. Nicolas said

    It worked perfectly after making the change. Thanks for the post.
    As a side note, we are still wondering if someone modified the identity for the defaultapppool application pool or was it because of some other changes in our environment that it suddenly stopped working under the ApplicationPoolIdentity identity

    • Hi Nicolas, glad to see this helped you. As this was a pre-existing issue in the domain I’m currently working in, I’m not sure what caused it to occur here either. I’d certainly be interested if you ever found out though…

  3. Rudi Coursen said

    After days and days of mental turmoil, having tried everything else, I somehow stumble upon your post by inadvertently switching some characters after what I thought was gonna be another blind alley…and viola! This fix did it for me and I am *so* grateful that you took the time to post it so that weary wanderers such as myself could find it someday. Onward to certificate generation! Thank you!

  4. Rudi Coursen said

    After days and days of mental turmoil, having tried everything else, I somehow stumble upon your post by inadvertently switching some characters after what I thought was gonna be another blind alley…and viola! This fix did it for me and I am *so* grateful that you took the time to post it so that weary wanderers such as myself could find it someday. Onward to certificate generation! Thank you! (Reposted for notification of updates to post)

  5. Sharky the poop shark said

    You have got to be kidding me… This is it!? After hours of trying to figure out what the hell is wrong with my CA this is the solution. Wow. Thanks you, sir. This helped a lot! :-)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

%d bloggers like this: