
Windows 2003 CA and Windows 2000 Clients?

Status
Not open for further replies.

ADB100 (Technical User, GB), Mar 25, 2003
I have a Windows 2003 CA in an AD Domain. The GPO is configured so that machines automatically request a Machine Certificate. There are Windows 2003 & Windows 2000 Member servers (as well as XP clients). The 2003 Servers automatically download the Certificate but the 2000 Servers don't. I have tried manually requesting a certificate via the Certificates plug-in to MMC but I get an error saying 'The certificate request is incorrect. Unspecified error'. Are there any settings that need to be altered on the 2003 CA so 2000 Servers can request certificates?

Andy
 
How are you doing the cert request? Autoenrollment or automatic certificate request? Only XP and 2003 machines support autoenrollment.
 
I have tried all I think. Windows 2000 does support Auto-enrollment for Machine Certificates as I had this working previously with a Windows 2000 CA.

I have set up the GPO for machine auto-enrollment but this isn't applying to the Windows 2000 Server (I get an error message logged but don't have access to the server at the moment and I can't remember it...). I have also tried via the MMC snap-in to request a new certificate but get the 'The certificate request is incorrect. Unspecified error'.

Andy
 
Windows 2000 does support Auto-enrollment for Machine Certificates as I had this working previously with a Windows 2000 CA

That is not autoenrollment. That is Automatic Certificate Request: Two very different things. Autoenrollment requires 2003/XP clients and a 2003 Enterprise (not standard) CA.

Let me know what the GPO application error on the server is.
 
The specific event on the Windows 2000 Server is:

Source: WinLogon
Event ID: 1010

Automatic enrollment against the certification authority proliant-ml330 for a certificate of type Machine has failed. (0x80004005) Unspecified error. Another certification authority will be tried.


I have configured the GPO with an Automatic Certificate Request Setting for a 'Computer' certificate. This was exactly the same procedure I used when I had a Windows 2000 CA. I noticed that if I used an XP or 2003 client to edit the GPO there was no option to select a CA, whereas editing the GPO from Windows 2000 I do get the option to select a CA. I have tried both and the error message is the same.

Thanks

Andy
 
Can you check to see if the 2000 machine has a HKLM\Software\Microsoft\Rpc\ClientProtocols registry key? And if so, let me know what values are in that key.

On your CA, do you see anything in the pending request or failed request folders? What OS is the CA, and what type of CA is it (enterprise root, enterprise subordinate, standalone root, standalone subordinate, etc)?
 
The CA is a Windows 2003 Member Server (Enterprise Server Edition) of a 2003 AD Domain (all DCs are 2003). It is configured as an Enterprise Root CA. There are no failed or pending certificate requests. In the issued certificates there are several entries for the Windows 2003 Servers and XP machines (hostname plus $ - i.e. SERVER-1$). All these machines have a machine certificate installed.

The registry key you mentioned is not there, although the parent of it is (HKLM\Software\Microsoft\Rpc).

Andy
 
I think thats the problem. Every machine in the domain (XP, 2000, 2003) should have the ClientProtocols key and subsequent values in it.

Right click on Rpc and do a new key. Call it ClientProtocols. Inside the new key, create five string values:

Name: ncacn_http
Type: REG_SZ
Data: rpcrt4.dll

Name: ncacn_ip_tcp
Type: REG_SZ
Data: rpcrt4.dll

Name: ncacn_nb_tcp
Type: REG_SZ
Data: rpcrt4.dll

Name: ncacn_np
Type: REG_SZ
Data: rpcrt4.dll

Name: ncadg_ip_udp
Type: REG_SZ
Data: rpcrt4.dll

Was it missing on the machine trying to get a cert or the CA? On 2003 boxes, the values should be the same, just don't include the ncacn_nb_tcp value.
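The repair above is worth having in a repeatable form, since enrollment against an Enterprise CA is an RPC/DCOM call and rpcrt4.dll uses ClientProtocols to find out which protocol sequences it may bind with; an absent key leaves the client with nothing to bind and the failure surfaces only as the generic 0x80004005 in the WinLogon 1010 event. The following .reg file is an added example, not something posted in the original thread: it recreates the key with the five values listed in the reply above, and the file name used in the comments is an assumption.

```reg
Windows Registry Editor Version 5.00

; Added example, not from the original thread: recreates the RPC ClientProtocols
; key that the Windows 2000 member server was missing. Each value maps an RPC
; protocol sequence name to the DLL that implements it (rpcrt4.dll for all five).
; Import as an administrator with:  regedit /s clientprotocols.reg
; (the file name is an assumption; use whatever name you save it under)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols]
"ncacn_http"="rpcrt4.dll"
"ncacn_ip_tcp"="rpcrt4.dll"
"ncacn_np"="rpcrt4.dll"
"ncadg_ip_udp"="rpcrt4.dll"
; NetBIOS over TCP: used on the Windows 2000 client only. Leave this line out
; when rebuilding the key on a Windows 2003 machine, as the reply above says.
"ncacn_nb_tcp"="rpcrt4.dll"
```

Before importing, confirm the key really is absent rather than merely empty or carrying a value that points at a different DLL: on XP and 2003 `reg query HKLM\SOFTWARE\Microsoft\Rpc\ClientProtocols` shows it; on Windows 2000 browse to it in regedit. After the import, a reboot (as the original poster did) or `secedit /refreshpolicy machine_policy /enforce` on Windows 2000 retriggers the Automatic Certificate Request, and the new request should then appear under Issued Certificates on the CA as HOSTNAME$.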
 
It was missing from the Windows 2000 Server (client) - the 2003 CA already had these registry entries (except the ncacn_nb_tcp one - is this NetBIOS?).

I have just reloaded the Server and it has now got a Machine Certificate, plus I can see on the CA that the Certificate has been issued. Any reason why this happened? The Server had previously got a Machine Certificate from a Windows 2000 CA without problems?

Thanks

Andy
 