CLM Certificate enrollment error
Hi all,

I'm testing ILM 2 RC0 in combination with IAG. I create a trunk, publish my CLM portal, and successfully request a user certificate, but when I go back to the portal to install the approved (by admin) certificate I get the following error on XP SP3:

Please note the following information and contact your system administrator: Error executing child request for ../../sm/requests/SubscriberEnrollExecute.aspx.
Technical Details
Type: System.Web.HttpException
Source: System.Web
Stack Trace:
at System.Web.HttpServerUtility.ExecuteInternal(IHttpHandler handler, TextWriter writer, Boolean preserveForm, Boolean setPreviousPage, VirtualPath path, VirtualPath filePath, String physPath, Exception error, String queryStringOverride)
at System.Web.HttpServerUtility.Execute(String path, TextWriter writer, Boolean preserveForm)
at System.Web.HttpServerUtility.Transfer(String path, Boolean preserveForm)
at System.Web.HttpServerUtility.Transfer(String path)
at Microsoft.Clm.Web.InitializeXEnroll.hidButton_Click(Object sender, EventArgs e)
at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
To continue press the browser's BACK button. If this error persists, please contact your system administrator.

Windows 7 works more correctly: the ActiveX (for installing the certificate) starts and hangs with the following error:

Cannot initialize the ActiveX control for generating certificate requests. Please check IE security settings. Exeption Details: Client enrollment object componenet is not in the ready state

P.S. The site was added to the trusted zone. For this zone the security level was set to Low. I tried to publish through Citrix Access Gateway and have the same errors, so I think the problem is in ILM.

Any ideas?

MCSE: M+S, SMS/SCCM, CCNA
September 10th, 2009 6:26pm

You must specifically configure your Security Zone settings to allow scripting of ActiveX objects marked as Unsafe to allow the certificate enrollment control to fire. Just setting to Low is not enough.

Brian
September 12th, 2009 6:44pm

Have you tried using https?
September 12th, 2009 11:17pm

Hi Brian, Anthony,

Yes, sorry that I did not provide this: after setting the zone level to Low, I went to the settings and manually allowed unsafe ActiveX objects. Switching between http and https has no effect.

MCSE: M+S, SMS/SCCM, CCNA
September 14th, 2009 4:27am

Hi Sergey,

You will need to have done the following items:

A) The CLM website URL has been added to the Trusted Sites list in IE (Tools - Internet Options - Security - Trusted Sites - Sites) [This seems to be the case]

B) As Brian mentioned, you need to explicitly set the "Initialize and script ActiveX controls not marked as safe for scripting" setting to Enable for Trusted Sites (Tools - Internet Options - Security - Trusted Sites - Custom Level...). Resetting the zone level to Low will NOT do this.

Also, have you installed the CLM client on the client machine?

Cheers,
Marc

Marc Mac Donell, ILM MVP, Senior Consultant (Identity Assurance), Avaleris Inc.
September 14th, 2009 8:22pm
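
Added example, not part of the original thread or of any poster's reply: a PowerShell check that reports where the Trusted Sites value for "Initialize and script ActiveX controls not marked as safe for scripting" (zone 2, action 1201) is set, since a policy hive can override what the Custom Level dialog shows. The function name `Get-ZoneActionReport` is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit the IE zone setting discussed in this thread.
# Zone 2 = Trusted Sites. Action 1201 = "Initialize and script ActiveX
# controls not marked as safe for scripting".
# Value data: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneId   = 2
$ActionId = '1201'
$Meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Suffix   = 'Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ZoneActionReport {
    # Registry locations that can carry the value, policy hives first.
    $sources = [ordered]@{
        'Machine policy'  = "HKLM:\SOFTWARE\Policies\$Suffix\Zones\$ZoneId"
        'User policy'     = "HKCU:\Software\Policies\$Suffix\Zones\$ZoneId"
        'User setting'    = "HKCU:\Software\$Suffix\Zones\$ZoneId"
        'Machine setting' = "HKLM:\SOFTWARE\$Suffix\Zones\$ZoneId"
    }
    foreach ($name in $sources.Keys) {
        $item = Get-ItemProperty -Path $sources[$name] -Name $ActionId `
                    -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $raw  = $null
            $text = 'not set'
        } else {
            $raw  = [int]$item.$ActionId
            $text = if ($Meaning.ContainsKey($raw)) { $Meaning[$raw] }
                    else { "unrecognised ($raw)" }
        }
        [pscustomobject]@{ Source = $name; Raw = $raw; Setting = $text }
    }
}

# Security_HKLM_only = 1 makes IE ignore per-user zone settings, so a change
# made in the Custom Level dialog would have no effect on that machine.
$hklmOnly = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\$Suffix" `
                 -Name 'Security_HKLM_only' `
                 -ErrorAction SilentlyContinue).Security_HKLM_only

Get-ZoneActionReport | Format-Table -AutoSize
if ($hklmOnly -eq 1) {
    'Security_HKLM_only is set: per-user zone settings are ignored.'
} else {
    'Security_HKLM_only is not set: per-user zone settings apply.'
}
```

The setting applies to every site in the Trusted Sites zone, so when it is enabled the zone's site list is worth reviewing alongside this report.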

Hi Marc!

Thanks for the reply, but I tried to enable everything for the Trusted Sites zone, with no success. The CLM client is needed only when using a smart card, as I understand it, but that's not my case.

MCSE: M+S, SMS/SCCM, CCNA
September 14th, 2009 9:10pm

I just tried on my 2k8 Enterprise + IE8 + HTTPS self-service software enroll (no client needed).

Trusted Sites --> Default Medium security level (Init unsafe ActiveX is marked as Disabled).

CertEnroll is not blocked, except IE will show two annoying popups because the action is not initiated by the user.

See screenshot: http://img22.imageshack.us/img22/1665/screenshotncd.png

With HTTP, the ActiveX is blocked by IE.
September 16th, 2009 6:10am

Hi Anthony!

I tried reinstalling the server + CA + CLM 2 RC0 (all on one server) and opened all traffic to the domain controllers on the Cisco router and switches, and I can now request a certificate through the IAG publishing portal on XP SP3. Win7 does not work again; I have the same error. But it's not a problem, as many of the users have XP or Vista. Besides, requesting certificates from the internal network works well (if the problem with Win7 clients still occurs after the final release of ILM 2, I will use a VPN connection to request certificates, rather than publishing ILM on the IAG).

Thanks to all for the replies.

MCSE: M+S, SMS/SCCM, CCNA
September 16th, 2009 3:55pm

I originally posted this issue back in August 2009 http://forums.forefrontsecurity.org/default.aspx?g=posts&m=1324 I was hoping it might be resolved by now. I have not found any combination of IE settings that will allow this to work. At the same time, I don't see evidence of anything being blocked at the IAG level.
March 24th, 2010 4:26pm

This topic is archived. No further replies will be accepted.
