Delta CRLs not downloadable in PKIView, all computer templates unavailable for requesting certs...
Well, everything was fine until the dummy between the chair and the keyboard got involved. LOL

I have a 2008 R2 CA, in an R2 domain. I went to change my CDP and AIA entries, and that is when the trouble began. I added HTTP entries, one accessible from inside the network and one accessible outside the network. I also removed the LDAP and File entries, but I have since put them back (I think this is where my trouble began).

After I did this I could not request a Web Server cert using any of the servers in the domain. In fact all computer templates show: "The permissions on the certificate template do not allow the current user to enroll for this type of certificate...." The permissions on these templates have not changed and I was able to request certs right before I did all this. Ugh.

I also could not publish any certs to AD. I was getting this error in the event viewer on the PKI box:

    Active Directory Certificate Services could not publish a Certificate for request 41 to the following location on server LIBERTY.ash.local: ldap:///CN=ash-ANVIL-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ash,DC=local. Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344). ldap: 0x32: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

So I put the LDAP entries back, and then had to go and re-add the Cert Publishers group to the AD Sites and Services | AIA | certificate because it just showed an unknown SID. Now I can publish to AD, and I have renewed my CA cert several times and that works fine. But still no templates are showing up for computers to request (like a Web Server cert, for instance). Help!

Also, in PKIView my CDP and AIA check out OK, but my delta CRLs show "unable to download". This is because they have a + sign tacked onto them, but I don't know how to get rid of that. Any thoughts?

I have rebooted the DC and the PKI box just because, and have tested basic network connectivity and it's fine. HELP! Many thanks for your input.

Hope this helps, Kristin L. Griffin
Co-Author of the Windows Server 2008 Terminal Services Resource Kit (and a SUPER BIG fan of the Microsoft RDV Team!!!)
I finally started my blog: blog.kristinlgriffin.com
January 7th, 2010 8:52am

To fix the problem with the delta CRLs, the solution is not to remove the + signs but rather you need to fix IIS7. To fix this, run the following command on the web server hosting the CRLs:

    appcmd set config "Default Web Site/VDIR" -section:system.webServer/security/requestFiltering -allowDoubleEscaping:true

Replace VDIR with the name of the virtual directory you're using.

Paul Adare
CTO IdentIT Inc.
ILM MVP
January 7th, 2010 1:53pm

Paul, I ran that command, replacing "VDIR" with "CertEnroll", and it gave me a positive response, but the delta CRLs are still showing up as "not downloadable". I have rebooted that server and set delta CRLs to publish every 30 minutes, just for testing. I have also manually told it to publish a delta CRL, but no new files are showing up in the CertEnroll folder, and I get the same thing in PKIView.

Overnight magic happened and 3 of my computer cert templates are now available... gremlins? Time? Replication of changes? Can you tell me how to make my changes take effect immediately? Like gpupdate /force or something?

Why did I have to run that command on IIS? What happened to cause the + sign, what does that mean? I don't want to do it again so I want to correct my tinkering!

My permissions for those templates allow the user / computer to enroll for the cert, so what are some other causes of these templates not being available (seemingly due to permissions)? So I can correct in the future.

Many thanks for your help,
Best, Kristin
January 7th, 2010 8:48pm

To add, computer templates are still not available on all servers. Which is how it used to be, and what I am going for here. For instance, I used to be able to request a Web Server cert from my DC, and now the only certs available are:

- Domain Controller
- Domain Controller Auth
- Directory Email Replication

On other servers, I get 3 other template options:

- ASH Computer
- ASH Web Server
- Computer

Why does my DC not get these options? Why is it getting the other options?

Well, on a good note, I was able to get an SSL cert successfully. But it was REALLY slow. Took about 4 minutes. Normally this was instantaneous.

Thanks, Kristin
January 7th, 2010 9:16pm

Hi,

The IIS issue with the + sign is due to the double escape security setting applied by default in IIS version 7. You can easily change this using the IIS administration pack, which contains an editor that will make your life easier. Install it on your server and after this, on the main IIS administration panel, you can launch it --> go to Security and set the double escape security setting to false. The problem with + and delta CRLs will be gone.

Your DCs have to have the Domain Controller certificate installed, and it's the only one that you need for them.
January 7th, 2010 11:05pm

Hey Chucky07, thanks for the response. I am on IIS 7.5 (2008 R2), so I can't install the admin pack as it's already incorporated, I believe. I think I have found this double escape key in the Configuration Editor. But from yours and Paul's responses, it seems that one of you says make it True and the other says make it False. Can you tell me what this key does, and which one it should be? I will try both ways in the meantime.....

Thanks!, Kristin
January 8th, 2010 4:38am

OK, I tried both True and False and nothing happens to the delta CRL + sign in PKIVIEW.msc :( Any other ideas? Thanks!
January 8th, 2010 4:48am

Hi,

Sorry Kristin, I was mistaken with the option and Paul is right, you have to set it to TRUE: go into Configuration Editor within IIS7 and select system.webServer/security/requestFiltering, and set allowDoubleEscaping to TRUE for the CDP virtual directory. After applying the change, close the PKIView console before checking if it's working. It worked for me. I'm really sorry for my mistake.
January 8th, 2010 12:29pm

Hi,

Can you describe your CDP and AIA settings thoroughly? Run

    certutil -getreg CA\CRLPublicationURLs

and

    certutil -getreg CA\CACertPublicationURLs

in order to get the current CDP and AIA settings. You can also check these settings with the MMC (certsrv.msc) on the Extensions tab. Are you publishing delta CRLs to the web server distribution point (CertEnroll)? If so you should see something like this (as part of certutil -getreg CA\CRLPublicationURLs):

    CRLPublicationURLs REG_MULTI_SZ =
    0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
        CSURL_SERVERPUBLISH -- 1
        CSURL_SERVERPUBLISHDELTA -- 40 (64)

Also try to run certutil -crl and check for errors (standard output / event log).

Regards
Martin Rublik
January 8th, 2010 1:06pm

Hi Martin, I return:

    C:\Users\admin>certutil -getreg CA\CRLPublicationURLs
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ash-ANVIL-CA\CRLPublicationURLs:
      CRLPublicationURLs REG_MULTI_SZ =
        0: 6:http://my.extdomain.net/CertEnroll/%3%8%9.crl
            CSURL_ADDTOCERTCDP -- 2
            CSURL_ADDTOFRESHESTCRL -- 4
        1: 12:ldap://CN=%7%8,CN=CDP,CN=Public Key Services,CN=Services,%6%10
            CSURL_ADDTOFRESHESTCRL -- 4
            CSURL_ADDTOCRLCDP -- 8
        2: 6:http://%1/CertEnroll/%3%8%9.crl
            CSURL_ADDTOCERTCDP -- 2
            CSURL_ADDTOFRESHESTCRL -- 4
        3: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
            CSURL_SERVERPUBLISH -- 1
            CSURL_SERVERPUBLISHDELTA -- 40 (64)
    CertUtil: -getreg command completed successfully.

    C:\Users\admin>certutil -getreg CA\CACertPublicationURLs
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ash-ANVIL-CA\CACertPublicationURLs:
      CACertPublicationURLs REG_MULTI_SZ =
        0: 2:http://my.extdomain.net/CertEnroll/%1_%3%4.crt
            CSURL_ADDTOCERTCDP -- 2
        1: 0:c:\system32\CertSrv\CertEnroll\%1_%3%4.crt
        2: 0:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
        3: 0:file://\\%1\CertEnroll\%1_%3%4.crt
    CertUtil: -getreg command completed successfully.

    C:\Users\admin>certutil -crl
    CertUtil: -CRL command completed successfully.

I did find one wrong thing (I had a file://\\ ... entry in the CRLPublicationURLs), but I removed it and replaced it with:

    C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl

and I checked to publish CRLs and delta CRLs there.

I have run the command Paul gave me above and have manually checked that enabledoubleescaping is true at the Default Web Site level as well as the CertEnroll vdir.

Any more advice? I still get the same plus sign on my delta CRLs.

Hope this helps, Kristin
January 8th, 2010 11:28pm

The plus sign is what indicates that it is a delta and not a base CRL; that's the way things should be, and it is the plus sign that IIS 7 in its default configuration has trouble dealing with, hence the command line to change the default behaviour.

Paul Adare
January 9th, 2010 6:03am
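Added example, not code from the thread: the same request-filtering change Paul's appcmd line makes (and Chucky07 describes in the Configuration Editor), done per virtual directory from PowerShell and then verified by requesting the base and the delta CRL over HTTP. It assumes Server 2008 R2 with the WebAdministration module, a CDP virtual directory named CertEnroll under "Default Web Site", the external hostname from Kristin's CDP entry, and the CA name ash-ANVIL-CA (so the files are ash-ANVIL-CA.crl and ash-ANVIL-CA+.crl); change those to match your CA.

```powershell
# Added example (not from the thread). Assumes IIS 7.x on Server 2008 R2 with the
# WebAdministration module, the CDP vdir "CertEnroll" under "Default Web Site",
# and CRL file names derived from the CA name ash-ANVIL-CA.
Import-Module WebAdministration

$filter = 'system.webServer/security/requestFiltering'

function Get-DoubleEscaping {
    param([string]$PSPath)
    # Current allowDoubleEscaping value ($true/$false) at one IIS path (site or vdir)
    (Get-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name 'allowDoubleEscaping').Value
}

function Enable-DoubleEscaping {
    param([string]$PSPath)
    # Same change as "appcmd set config ... -allowDoubleEscaping:true", scoped to one path
    Set-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name 'allowDoubleEscaping' -Value $true
}

function Test-CrlUrl {
    param([string]$Url)
    # HEAD request for a CRL; returns the HTTP status code as an integer.
    # Request filtering runs before the static file handler, so a "+" in the
    # name is rejected with 404 (substatus 11 in the IIS log) while
    # allowDoubleEscaping is false.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'HEAD'
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$vdir  = 'IIS:\Sites\Default Web Site\CertEnroll'
$base  = 'http://my.extdomain.net/CertEnroll/ash-ANVIL-CA.crl'    # assumed names
$delta = 'http://my.extdomain.net/CertEnroll/ash-ANVIL-CA+.crl'   # "+" marks the delta CRL

"allowDoubleEscaping on CertEnroll before: $(Get-DoubleEscaping $vdir)"
"base CRL  -> HTTP $(Test-CrlUrl $base)"
"delta CRL -> HTTP $(Test-CrlUrl $delta)"

if (-not (Get-DoubleEscaping $vdir)) {
    Enable-DoubleEscaping $vdir
    "allowDoubleEscaping on CertEnroll after:  $(Get-DoubleEscaping $vdir)"
    "delta CRL -> HTTP $(Test-CrlUrl $delta)"
}
```

The base CRL should answer 200 either way; the delta answering 404 before the change and 200 after it is the IIS symptom behind the "unable to download" entry in PKIView. Setting the attribute on the CertEnroll vdir only (rather than on the whole site) keeps the default request filtering in place for everything else IIS serves on that box. No reboot or app pool recycle is needed; PKIView does cache its results, so close and reopen it before re-checking.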

Paul,

What I see is that PKIVIEW.msc still shows one of my delta CRL paths as wrong. The other two cleared up overnight (so there must be some timing involved here). Any way to make changes take effect immediately?

These are my settings for CRLs:
http://cid-7a4c3e570b074961.skydrive.live.com/self.aspx/Public/CRL%20Issue/CRL-CA-Properties.png

Here is a picture of my delta CRL path issue in PKIView:
http://4xqcma.blu.livefilestore.com/y1pm6xJ44FhAgogF8DesV668tvvvdK559pWx-NHEZnI-78WgSCzHsNWa-qaiEaVO_Bo3LKlC30OFVUn7G9fAsEM9q9aVyUr6Tr6/delta%20issue.png

And here is a picture of what is in the CertEnroll folder:
http://4xqcma.blu.livefilestore.com/y1pinikzs4KnHtd5KrtcQYSRH2B7jlwPSMeM_LrdHhNtfjfSk8Tw-OSMeRrxojOAy6wMZ3QLAaTbXZuMYbOSEo6ElkAqm0RLvWf/certenroll%20folder%20contents.png

How can I get this LDAP path corrected? The one I have now I copied from Brian's MS PKI 2003 book.

Many thanks!
Kristin
January 10th, 2010 12:09am

Actually, the one you have now is not copied correctly from Brian's book. The one in Brian's book will start with LDAP:///; yours starts with LDAP://. There's a big difference between the two. The former, with the three forward slashes, means "grab the delta CRL from any DC in the forest". Yours says "go to a specific DC to grab the delta CRL", but you've not specified which DC.

Also, why are you publishing deltas to an LDAP location in the first place if you're not also going to publish base CRLs to an LDAP location?

You're either going to have to correct or remove the delta CRL CDP and then reissue the CA certificate.

Paul Adare
January 10th, 2010 12:30am
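An added example, not part of the thread, that puts Martin's certutil -getreg output and Paul's two findings into a check you can run before reissuing a CA certificate: it decodes the CRLPublicationURLs flag bits, expands the %-tokens the way the CA does, and reports an LDAP entry that lacks the third slash or that is placed in extensions without the CA ever publishing there. The $sample array is Kristin's registry value as posted above (REG_MULTI_SZ entries are "<flags>:<url>"); the token values (server DNS name, forest configuration container) are assumptions for her CA, not values read from the box.

```powershell
# Added example, not from the thread. Decodes a CA's CRLPublicationURLs value,
# expands the %-tokens with ASSUMED values for Kristin's CA, and flags the
# mistakes discussed in the thread. Live value on the CA itself:
#   (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ash-ANVIL-CA').CRLPublicationURLs

# Reconstructed from the certutil -getreg output Kristin posted
$sample = @(
    '6:http://my.extdomain.net/CertEnroll/%3%8%9.crl',
    '12:ldap://CN=%7%8,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    '6:http://%1/CertEnroll/%3%8%9.crl',
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl'
)

# Bit values with the names certutil -getreg prints
$flagNames = @{ 1 = 'CSURL_SERVERPUBLISH'; 2 = 'CSURL_ADDTOCERTCDP'; 4 = 'CSURL_ADDTOFRESHESTCRL';
                8 = 'CSURL_ADDTOCRLCDP'; 16 = 'CSURL_PUBLISHRETRY'; 32 = 'CSURL_ADDTOCERTOCSP';
                64 = 'CSURL_SERVERPUBLISHDELTA'; 128 = 'CSURL_ADDTOIDP' }

# Token values are assumptions for this CA (host name, forest), not read from the box
$tokens = @{
    '%1'  = 'anvil.ash.local'                   # ServerDNSName (assumed)
    '%3'  = 'ash-ANVIL-CA'                      # CaName (sanitized)
    '%6'  = 'CN=Configuration,DC=ash,DC=local'  # ConfigurationContainer
    '%7'  = 'ash-ANVIL-CA'                      # CATruncatedName
    '%8'  = ''                                  # CRLNameSuffix: CRL index after a CA key renewal
    '%9'  = '+'                                 # DeltaCRLAllowed: "+" in a delta URL, "" in a base URL
    '%10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'
}

function Expand-CdpUrl {
    param([string]$Url, [bool]$Delta)
    $out = $Url
    # Longest tokens first so %10 is not eaten by %1
    foreach ($k in ($tokens.Keys | Sort-Object Length -Descending)) {
        $v = $tokens[$k]
        if ($k -eq '%9') { $v = if ($Delta) { '+' } else { '' } }
        $out = $out.Replace($k, $v)
    }
    # In the Freshest CRL extension the CA points LDAP URLs at the deltaRevocationList attribute
    if ($Delta) { $out = $out.Replace('?certificateRevocationList?', '?deltaRevocationList?') }
    return $out
}

function ConvertFrom-CdpEntry {
    param([string]$Entry)
    $i     = $Entry.IndexOf(':')
    $flags = [int]$Entry.Substring(0, $i)
    $names = @()
    foreach ($bit in ($flagNames.Keys | Sort-Object)) {
        if ($flags -band $bit) { $names += $flagNames[$bit] }
    }
    New-Object PSObject -Property @{ Flags = $flags; FlagNames = $names; Url = $Entry.Substring($i + 1) }
}

function Test-CdpEntry {
    param($E)
    $problems   = @()
    $u          = $E.Url.ToLower()
    $isLdap     = $u.StartsWith('ldap:')
    $published  = ($E.Flags -band 65) -ne 0   # 1 or 64: the CA writes files/objects here
    $referenced = ($E.Flags -band 14) -ne 0   # 2, 4 or 8: the URL is put into certs or CRLs
    if ($isLdap -and -not $u.StartsWith('ldap:///')) {
        $problems += 'ldap:// names a specific server and none is given; AD locations need ldap:/// (three slashes)'
    }
    if ($isLdap -and $referenced -and -not $published) {
        $problems += 'LDAP URL goes into extensions but the CA never publishes there (no CSURL_SERVERPUBLISH / CSURL_SERVERPUBLISHDELTA)'
    }
    if (($E.Flags -band 4) -and -not $isLdap -and -not $E.Url.Contains('%9')) {
        $problems += 'delta CRL pointer without %9: base and delta CRL would share one file name'
    }
    if (($E.Flags -band 64) -and -not ($E.Flags -band 1)) {
        $problems += 'delta CRLs published here but base CRLs are not'
    }
    if ($referenced -and ($u.StartsWith('file:') -or $u -match '^[a-z]:\\')) {
        $problems += 'local or UNC path placed into an extension; clients outside the CA cannot follow it'
    }
    return ,$problems   # keep an empty array as an array (PowerShell 2.0 would loop once over $null)
}

foreach ($e in ($sample | ForEach-Object { ConvertFrom-CdpEntry $_ })) {
    '{0,3}  {1}' -f $e.Flags, $e.Url
    '     flags             : ' + ($e.FlagNames -join ', ')
    if ($e.Flags -band 2) { '     in certificate CDP: ' + (Expand-CdpUrl $e.Url $false) }
    if ($e.Flags -band 4) { '     in Freshest CRL   : ' + (Expand-CdpUrl $e.Url $true) }
    foreach ($p in (Test-CdpEntry $e)) { "     PROBLEM: $p" }
}
```

Run against the sample, only the second entry is reported, with both of Paul's points: the missing third slash, and the fact that flags 12 (ADDTOFRESHESTCRL + ADDTOCRLCDP) put the LDAP URL into the Freshest CRL and CRL CDP extensions while nothing (bit 1 or 64) ever publishes a base or delta CRL to that AD object. The HTTP entries are referenced but not published and that is fine, because entry 3 (flags 65) writes both CRL files into the folder IIS serves as CertEnroll. The expanded "in Freshest CRL" line for the HTTP entries is the exact URL with the "+" that IIS must be able to serve.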

Paul,

OK, let me restate: the LDAP location was SUPPOSED to be the one I was copying from Brian's book; of course I FAT fingered it and did not see the extra forward slash I left out. Der.

All is well now as I redid this and re-issued the CA cert.

Many thanks for all of your help!
Kristin
January 10th, 2010 1:35am

Glad to help, Kristin.

Paul Adare
January 10th, 2010 9:27am
