Cannot logon to certsrv web enrollment page using an alternate dns name.
I built a CA (for testing purposes) named "srv01.contoso.com". Now I want to access the web enrollment page by the name: "ca.contoso.com".
I configured the "ca" A record in the DNS service and I have a valid SSL certificate. But if I try to log on, access is denied. If I switch to the original name of the server (sv01.contoso.com), everything works fine.
Thorsten
July 7th, 2011 12:14pm
You need to register the ca.contoso.com as a valid SPN for your server. This can be done using the Setspn.exe tool:
Setspn.exe -A HOST/ca sv01
Setspn.exe -A HOST/ca.contoso.com sv01
iisreset
The above commands add both ca and ca.contoso.com as valid SPNs to the server sv01 and then restart the IIS web service to make sure the new settings are active.
/Hasain
July 7th, 2011 2:03pm
Have you checked that the host headers in the IIS site match the A record or CNAME you created in the DNS?
Miguel Fra /
Falcon IT Services
Computer & Network Support, Miami, FL
Visit our Knowledgebase and Support Sharepoint Site
July 7th, 2011 2:11pm
Great! That's what I was looking for. I did not recognize the need for a SPN.
May I ask one last additional question: am I wrong, or did these things change in WS 2008 (R2)? I can't remember having to set the SPN in previous releases. Did they change it due to the rewritten web enrollment code (in WS 2008)?
Thanks again for the fine answer,
Thorsten
July 8th, 2011 2:44am
It is IIS 7 that changed!
/Hasain
July 8th, 2011 2:55am
On Thu, 7 Jul 2011 17:57:57 +0000, Hasain Alshakarti - TrueSec wrote:
Setspn.exe -A HOST/ca sv01
Setspn.exe -A HOST/ca.contoso.com sv01
As an aside, when adding a new SPN it is much safer to use the new -S
switch for setspn.exe rather than the -A switch. They will both add the
required SPN, however, -S will first check the directory to ensure that
there are no duplicate SPNs before performing the add operation.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
The program is absolutely right; therefore, the computer must be wrong.
July 8th, 2011 6:08am
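As an added illustration (not code from any post in this thread), the PowerShell below does by hand what the -S switch described above does internally: it looks up who already holds the HOST SPNs for the alternate name before anything is added, and also confirms the name resolves. It assumes the names used in the thread (ca.contoso.com pointing at the server SV01) and a domain-joined machine.

```powershell
# Added example, not from the thread: check the DNS name and the SPN state
# for an alternate certsrv hostname before registering it with setspn -S.
# Assumed values from the thread: alternate name ca.contoso.com, server SV01.
param(
    [string]$AltName    = 'ca.contoso.com',   # alternate DNS name for certsrv
    [string]$ServerName = 'SV01'              # computer account running IIS
)

function Get-SpnOwner {
    param([string]$Spn)
    # Search the whole domain for any account that carries this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName'))
    $searcher.FindAll() | ForEach-Object {
        [pscustomobject]@{
            Spn     = $Spn
            Account = $_.Properties['samaccountname'][0]
            DN      = $_.Properties['distinguishedname'][0]
        }
    }
}

$shortName = $AltName.Split('.')[0]
$spns = @("HOST/$shortName", "HOST/$AltName")

# 1. Does the alternate name resolve at all? (A or CNAME record present)
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($AltName) | ForEach-Object IPAddressToString
    Write-Host "$AltName resolves to: $($addrs -join ', ')"
} catch {
    Write-Warning "$AltName does not resolve; fix the DNS A/CNAME record first."
}

# 2. For each SPN: unregistered, on the right computer account, or a duplicate?
foreach ($spn in $spns) {
    $owners = @(Get-SpnOwner -Spn $spn)
    if ($owners.Count -eq 0) {
        Write-Host "$spn is not registered. Add it with: setspn -S $spn $ServerName"
    } elseif ($owners.Account -contains "$ServerName`$") {
        Write-Host "$spn is already registered to $ServerName`$ (OK)"
    } else {
        # Same SPN on another account breaks Kerberos for both; do not add a second copy.
        Write-Warning "$spn is held by $($owners.Account -join ', '), not $ServerName`$. Resolve the duplicate first (setspn -X lists all duplicates in the domain)."
    }
}
```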