Cannot logon to certsrv web enrollment page using an alternate dns name.
I built a CA (for testing purposes) named "srv01.contoso.com". Now I want to access the web enrollment page by the name: "ca.contoso.com". I configured the "ca"-A-Record in the DNS services, I got a valid SSL-certificate. But if I want to logon, the access is denied. If I switch to the pristine name of the server (sv01.contoso.com), everything works fine. Thorsten
July 7th, 2011 12:14pm

You need to register the ca.contoso.com as a valid SPN for your server. This can be done using the Setspn.exe tool:

Setspn.exe -A HOST/ca sv01
Setspn.exe -A HOST/ca.contoso.com sv01
iisreset

The above commands add both ca and ca.contoso.com as valid SPNs to the server sv01 and then restart the IIS web service to make sure the new settings are active.
/Hasain
July 7th, 2011 2:03pm

Have you checked that the host headers in the IIS site match the A record or CNAME you created in the DNS?
Miguel Fra / Falcon IT Services, Computer & Network Support, Miami, FL. Visit our Knowledgebase and Support SharePoint Site
July 7th, 2011 2:11pm

Great! That's what I was looking for. I did not recognize the need for an SPN. May I ask one last additional question: am I wrong, or did these things change in WS 2008 (R2)? I can't remember that I had to set the SPN in previous releases. Did they change it due to the rewritten web enrollment code (in WS 2008)? Thanks again for the fine answer, Thorsten
July 8th, 2011 2:44am

It is IIS 7 that changed! /Hasain
July 8th, 2011 2:55am

On Thu, 7 Jul 2011 17:57:57 +0000, Hasain Alshakarti - TrueSec wrote:

> Setspn.exe -A HOST/ca sv01
> Setspn.exe -A HOST/ca.contoso.com sv01

As an aside, when adding a new SPN it is much safer to use the new -S switch for setspn.exe rather than the -A switch. They will both add the required SPN; however, -S will first check the directory to ensure that there are no duplicate SPNs before performing the add operation.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
The program is absolutely right; therefore, the computer must be wrong.
July 8th, 2011 6:08am
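The procedure from Hasain's answer, combined with Paul's advice to prefer -S over -A, as an added PowerShell example that is not from any of the posters. It assumes the names used in the thread (computer account sv01, alias ca / ca.contoso.com, HOST service class) and that setspn.exe and the IIS WebAdministration module are present on the CA host; the site name 'Default Web Site' is an assumption, since the thread never names the IIS site.

```powershell
# Added example, not from the thread: register the alternate DNS name of the
# CA web enrollment site as a Kerberos SPN, refusing to add a duplicate.
# Assumed values (from the thread): computer account sv01, alias ca.contoso.com.
$Server = 'sv01'
$Names  = @('ca', 'ca.contoso.com')    # short name and FQDN, as in the answer

# Record what the computer account already has, so the change is reviewable.
Write-Host "SPNs currently registered on $Server :"
setspn.exe -L $Server

foreach ($n in $Names) {
    $spn = "HOST/$n"

    # -Q searches the forest for the exact SPN. A hit on a different account
    # would cause duplicate-SPN Kerberos failures for both hosts, so stop.
    $query = setspn.exe -Q $spn

    if ($query -match 'No such SPN found') {
        # -S checks for duplicates itself before adding; -A adds blindly.
        setspn.exe -S $spn $Server
    }
    elseif ($query -match "^CN=$Server,") {
        Write-Host "$spn is already registered on $Server, nothing to do."
    }
    else {
        Write-Warning ("$spn is registered on another account, not adding:`n" +
                       ($query -join "`n"))
    }
}

# Verify the result, then restart IIS so Kerberos tickets for the new name
# are accepted by the web enrollment site.
setspn.exe -L $Server
iisreset.exe

# Miguel's point: the IIS binding's host header (if one is set) must match the
# DNS name clients use. Site name assumed; adjust for the real CertSrv site.
Import-Module WebAdministration
Get-WebBinding -Name 'Default Web Site' |
    Select-Object protocol, bindingInformation
```

Run it in an elevated prompt as a domain account with rights to write servicePrincipalName on the sv01 computer object. The -Q check before -S is belt and braces: -S already refuses duplicates, but the explicit query lets the script report where the conflicting SPN lives instead of just failing.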
