
Win 2008 CertSrv not working for non-domain members


Postby guest » Sat Jun 14, 2008 12:44 pm

CertSrv virtual directory cannot be browsed from an un-trusted domain computer (Windows Vista SP1).


Problem Analysis:
==================================
You are correct. This issue occurs because the Vista client is not trusted
and Kerberos authentication is used for the CertSRV virtual directory.

Can we resolve this issue so that untrusted domain computers can visit
the certsrv virtual directory?
======
Yes. IE will automatically use the logon account to authenticate. We can
change this behavior as a workaround:

Note: if we enable Anonymous authentication on the Certsrv virtual directory,
the user is able to visit the Certsrv virtual directory. However, he cannot
request a certificate because untrusted domain users do not have permission
to enroll certificates. Thus, we can only change IE behavior so that you can
use another domain credential to enroll a certificate.

1. Open IE, click Tools -> Internet Options.
2. Navigate to the Security tab, highlight Internet and click the Custom level
button.
3. Under User authentication, select "Prompt for user name and password".
4. Click OK and try to visit http://windows2008/certsrv again.


Reason why this occurs:
======
I have built up a new lab for this issue. Based on my test, "Windows
Authentication" (Kerberos) is used for the CertSRV virtual directory. That is
why the Vista client can browse to the IIS7 start page (the default web site uses
anonymous authentication), but not the Certsrv virtual directory.


My suggestion:
======
To resolve this problem, I suggest you establish a domain trust between the
two domains. Allowing untrusted domain clients to
request certificates via web enrollment is a security risk, and it is NOT
recommended.

For more information about web enrollment in Windows 2008, please refer to
these two links:

How to use Certificate Services Web enrollment pages together with Windows
Vista or Windows Server 2008
http://support.microsoft.com/kb/922706

AD CS: Web Enrollment
http://technet2.microsoft.com/windowsse ... 8-abeb-493
e-a9f1-19bba1537ba51033.mspx?mfr=true
guest
 
Posts: 10191
Joined: Mon Nov 27, 2006 1:10 pm
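
The difference the post describes, an anonymous start page next to a CertSrv directory that requires Windows Authentication, shows up in how the server answers a request sent without credentials. The following is an added example, not part of the original post: the two response heads are constructed samples, and the function names are hypothetical.

```python
import io
from http.client import parse_headers

WINDOWS_SCHEMES = {"negotiate", "ntlm"}  # schemes IIS offers for Windows Authentication

# Constructed response heads for requests sent WITHOUT credentials (not captured traffic).
START_PAGE = (b"HTTP/1.1 200 OK\r\n"
              b"Server: Microsoft-IIS/7.0\r\n"
              b"Content-Type: text/html\r\n\r\n")
CERTSRV = (b"HTTP/1.1 401 Unauthorized\r\n"
           b"Server: Microsoft-IIS/7.0\r\n"
           b"WWW-Authenticate: Negotiate\r\n"
           b"WWW-Authenticate: NTLM\r\n\r\n")


def challenge_schemes(raw):
    """Return (status_code, [schemes]) parsed from one raw HTTP response head."""
    stream = io.BytesIO(raw)
    status = int(stream.readline().split()[1])
    headers = parse_headers(stream)
    # Assumes one WWW-Authenticate header per scheme; the scheme is the first token.
    values = headers.get_all("WWW-Authenticate", [])
    return status, [v.split()[0] for v in values if v.strip()]


def classify(raw):
    """Name the access mode an unauthenticated request ran into."""
    status, schemes = challenge_schemes(raw)
    if status == 200:
        return "anonymous"
    if status != 401:
        return "undetermined (%d)" % status
    if {s.lower() for s in schemes} & WINDOWS_SCHEMES:
        return "windows-authentication"
    return "other: " + ",".join(schemes) if schemes else "401-without-challenge"


def report(responses):
    """Map each path to its access mode, e.g. to compare / with /certsrv."""
    return {path: classify(raw) for path, raw in responses.items()}


if __name__ == "__main__":
    for path, mode in report({"/": START_PAGE, "/certsrv": CERTSRV}).items():
        print(path, "->", mode)
```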
