Enterprise PKI Error - CDP & AIA locations "unable to download"
Hi, I have migrated a 2-tier PKI from Windows Server 2003 x86 to a Windows Server 2008 R2 environment. The migration went fine without big problems, some minor issues only. Both CAs are online. When the migration from W2003 -> W2008R2 was made the AD DS schema was not upgraded. Because of that I didn't install Web Enrollment services. The schema was upgraded about 2 weeks ago (the migration was made in Feb 2011) and after that the Web Enrollment service was installed. Everything had been working normally until I installed the Web Enrollment service. At the moment the situation is that the Root CA, which has 2 AIA locations and 2 HTTP locations, is able to download crl and crt files, but only via IE or Windows Explorer. Enterprise PKI shows the error message "unable to download". The SubCA has problems with HTTP locations also. When I copy the link and open it with IE the crl & crt files open correctly. Enterprise PKI shows the same error as for the Root CA. I haven't made any changes to the Root CA. The only change that has been made (except security fixes) regarding AD Certificate Services has been the Web Enrollment service installation on the SubCA. And I checked this morning that AllowDoubleEscaping is TRUE.

Here are the locations listed:

RootCA
AIA Location #1: Unable To Download, http://xxxxx01/CertEnroll/xxxxx01_Company%20Root%20CA.crt
AIA Location #2: Unable To Download, file://\\xxxxx01\CertEnroll\xxxxxx01_Company Root CA.crt
CDP Location #1: Unable To Download, http://xxxxx01/CertEnroll/Company%20Root%20CA.crl
CDP Location #2: Unable To Download, file://\\xxxxx01\CertEnroll\Company Root CA.crl

SubCA
AIA Location #1: OK, ldap:///CN=Company%20Issuing%20SubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Company,DC=com?cACertificate?base?objectClass=certificationAuthority
AIA Location #2: Unable To Download, http://xxxxx02.Company.com/CertEnroll/xxxxx02.Company.com_Company%20Issuing%20SubCA.crt
CDP Location #1: Expiring, ldap:///CN=Company%20Issuing%20SubCA,CN=xxxxx02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Company,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
DeltaCRL Location #1: OK, ldap:///CN=Company%20Issuing%20SubCA,CN=xxxxx02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Company,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
DeltaCRL Location #2: Unable To Download, http://xxxxx02.Company.com/CertEnroll/Company%20Issuing%20SubCA+.crl
CDP Location #2: Unable To Download, http://xxxxx02.Company.com/CertEnroll/Company%20Issuing%20SubCA.crl

Does anyone have a solution for this error? I would appreciate any help with this.
June 7th, 2011 3:24pm

The only ones failing are HTTP URLs, and since it is base CRLs as well as delta CRLs, it probably is not the double-escaping issue (as you guessed).

1) Try each URL from Internet Explorer on different clients (not just the CA).
2) Are you using a proxy server? The machine must be set up to use the proxy server to access the HTTP URLs.
3) The root CA is using a NetBIOS name for the HTTP and FILE URLs. Are you manually publishing the root CA certificate and CRL to an online Web server? This should be referenced by a DNS name, not a NetBIOS name.
4) The FILE URLs in the root CA are not supported, and should be removed.

Brian
June 7th, 2011 6:33pm
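The checks Brian lists above can be scripted so that each location is tested the way a chain-building client sees it rather than through Internet Explorer. The following PowerShell is an added example and is not from the thread or from Microsoft: it reads the CDP and AIA extensions out of a CA certificate, flags file:// locations and single-label (NetBIOS) host names, and downloads every HTTP location with an anonymous WebClient. The certificate path and the host names are whatever your own certificate carries; `Test-PkiUrl` and the verdict labels are names chosen here.

```powershell
# Added example, not from the thread: enumerate the CDP and AIA URLs in a certificate
# and fetch the HTTP ones anonymously, the way CryptoAPI does during chain building.
# Assumptions: $CertPath is an exported CA certificate (.cer/.crt); host names are
# whatever the issuing CA put in the extensions. Works on PowerShell 2.0 and later.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath    # e.g. .\SubCA.crt (assumed path)
)

$full = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

# Standard extension OIDs: CRL Distribution Points and Authority Information Access
$kinds = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

# Anonymous client on purpose: chain building sends no credentials, so a CertEnroll
# directory that demands Windows Integrated auth shows up as "Unable To Download".
$web = New-Object System.Net.WebClient
$web.UseDefaultCredentials = $false

function Test-PkiUrl([string]$Kind, [string]$Url) {
    $result = New-Object PSObject -Property @{ Kind = $Kind; Url = $Url; Status = ''; Detail = '' }

    if ($Url -match '^file:') {
        $result.Status = 'REMOVE'
        $result.Detail = 'file:// locations are not supported for CDP/AIA; strip them from the CA extension list'
        return $result
    }
    if ($Url -match '^ldap:') {
        $result.Status = 'SKIP'
        $result.Detail = 'LDAP location; usable by domain-joined clients only, not tested here'
        return $result
    }
    if ($Url -match '^https?://([^/]+)/') {
        $hostname = $Matches[1]
        $note = ''
        if ($hostname -notmatch '\.') {
            # Single-label (NetBIOS) host: fails for non-domain clients, proxies and anything
            # outside the DNS suffix search list. Put the FQDN in the extension instead.
            $note = "WARN single-label host '$hostname'; "
        }
        try {
            $bytes = $web.DownloadData($Url)
            $type  = $web.ResponseHeaders['Content-Type']
            # DER CRLs and DER certificates both start with an ASN.1 SEQUENCE tag (0x30);
            # an HTML error or logon page served by IIS does not.
            if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
                $result.Status = 'OK'
                $result.Detail = "$note$($bytes.Length) bytes, Content-Type $type"
            } else {
                $result.Status = 'FAIL'
                $result.Detail = "${note}got $($bytes.Length) bytes of '$type', not DER; check IIS authentication and request filtering"
            }
        } catch {
            $result.Status = 'FAIL'
            $result.Detail = "$note$($_.Exception.Message)"
        }
        return $result
    }
    $result.Status = 'UNKNOWN'
    $result.Detail = 'unrecognised URL scheme'
    return $result
}

$results = foreach ($ext in $cert.Extensions) {
    if (-not $kinds.ContainsKey($ext.Oid.Value)) { continue }
    # Format($true) renders the extension as text; every location appears on a "URL=" line
    $text = $ext.Format($true)
    foreach ($m in [regex]::Matches($text, '(?m)URL=(.+?)\s*$')) {
        Test-PkiUrl $kinds[$ext.Oid.Value] $m.Groups[1].Value
    }
}
$results | Format-Table Kind, Status, Url, Detail -AutoSize -Wrap
```

Export the issuing CA's certificate with `certutil -ca.cert subca.crt` on the SubCA and run the script against it; run it from a client that is not the CA as well, because name resolution and proxy settings differ there. The built-in equivalent for a quick check is `certutil -verify -urlfetch subca.crt`, which fetches the same locations and prints a verdict per URL.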

Thank you for the quick answer Brian! I have an identical test environment to compare with the production environment. I made a change to the IIS authentication method and in the test environment everything is green now :) What I did: I changed the CertEnroll virtual folder authentication method from Windows Integrated to Anonymous. Default Web Site and CertSrv are still at the default setting (Windows Integrated). This morning I made the same changes to the production environment authentication methods but I still have the same error. Quite confusing....

Answers to your questions:
1) All the URLs are working from another client, I just tested.
2) A proxy is not in use in this environment.
3) The Root CA certificate and CRL are manually published to the SubCA. Actually from tomorrow with a scheduled script.
4) I will remove the FILE URLs from the root CA.

For me it's quite confusing that the production environment was working correctly before the Web Enrollment service was installed. Does the installation change IIS authentication methods? And the same environment has been restored to the virtual test environment, migrated, and the settings are the same as in production. The first thing I'm going to do tomorrow is a reboot and then we will see what the situation with IIS authentication is. Any more ideas?
June 8th, 2011 7:58pm

I tested pkiview from a member server which is W2003 OS and it was working properly. Then I restarted the RootCA and SubCA and after the restart the Enterprise PKI view was able to download information from the CDP & AIA locations. Summary: IIS authentication changes, IISRESET & reboot solved the problem. Thanks for your help! -Sami
June 9th, 2011 12:46pm

Can you clarify what you mean by "IIS authentication changes" please? CarolChi
July 24th, 2011 11:21am

The default IIS authentication setting after installation is "Windows Integrated Authentication". I changed the authentication method of the CertEnroll virtual folder from "Windows Integrated" to "Anonymous". The authentication method change and a reboot helped in my case. -Sami
August 16th, 2011 12:16am
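The change Sami describes can be made and verified from the command line instead of the IIS manager. The block below is an added example, not from the thread or from Microsoft: it uses `appcmd` to enable anonymous and disable Windows authentication on the CertEnroll virtual directory only, turns on `allowDoubleEscaping` (needed for the `+` in delta CRL file names), restarts IIS, and then fetches one base and one delta CRL with no credentials. The virtual directory path `Default Web Site/CertEnroll` is the AD CS default and the CRL URLs are placeholders to replace with the ones pkiview reports for your CA.

```powershell
# Added example, not from the thread: make only the CertEnroll vdir anonymously readable
# and confirm the request-filtering setting that delta CRL names ("+.crl") need.
# Assumptions: AD CS created the vdir under "Default Web Site" (its default); run elevated
# on the issuing CA / web server. CertSrv (Web Enrollment) is deliberately left alone: it
# should keep Windows Integrated auth; only the CRL/cert download path must be anonymous.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$vdir   = 'Default Web Site/CertEnroll'
$auth   = 'system.webServer/security/authentication'

function Show-CertEnrollConfig {
    & $appcmd list config $vdir "-section:$auth/anonymousAuthentication"
    & $appcmd list config $vdir "-section:$auth/windowsAuthentication"
    & $appcmd list config $vdir '-section:system.webServer/security/requestFiltering'
}

Write-Host '--- before ---'; Show-CertEnrollConfig

# CRLs and CA certificates are signed objects: an anonymous GET discloses nothing sensitive
# and integrity comes from the signature, not from transport authentication.
# /commit:apphost is required because the authentication sections are locked at server level.
& $appcmd set config $vdir "-section:$auth/anonymousAuthentication" /enabled:true  /commit:apphost
& $appcmd set config $vdir "-section:$auth/windowsAuthentication"   /enabled:false /commit:apphost
# IIS 7 request filtering rejects the "+" in delta CRL names unless double escaping is allowed
& $appcmd set config $vdir '-section:system.webServer/security/requestFiltering' /allowDoubleEscaping:true /commit:apphost

Write-Host '--- after ---'; Show-CertEnrollConfig
iisreset

# Prove it from the server itself, without credentials, for one base and one delta CRL.
# Replace the URLs with the ones pkiview reports for your CA (placeholder names below).
$web = New-Object System.Net.WebClient
$web.UseDefaultCredentials = $false
foreach ($u in 'http://pki.company.com/CertEnroll/Company%20Issuing%20SubCA.crl',
               'http://pki.company.com/CertEnroll/Company%20Issuing%20SubCA+.crl') {
    try {
        $b = $web.DownloadData($u)
        # 0x30 = ASN.1 SEQUENCE, the first byte of a DER CRL; anything else is an IIS error page
        '{0,-4} {1,7} bytes  {2}' -f $(if ($b[0] -eq 0x30) { 'OK' } else { 'HTML' }), $b.Length, $u
    } catch { 'FAIL {0}: {1}' -f $u, $_.Exception.Message }
}
```

If the fetch still fails after the restart, run the same two downloads from a client that has never authenticated to the web server; a 401 there, with a success from the CA itself, means another layer (authorization rules, a URL rewrite, or a parent-level lock) is still demanding credentials.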

I am new to PKI. How do you remove the FILE URLs for the root CA (offline) as suggested above?
August 19th, 2011 8:13am

The FILE URL is included in issued certificates (CRL distribution point). In this scenario it's found in the SubCA certificate. You can remove the FILE URL from the RootCA console (Extensions - CRL & AIA locations). Once you have removed the FILE URL it no longer affects new certificates that the RootCA issues. When the SubCA certificate is renewed the FILE URL is no longer included (in the CRL distribution point). -Sami
August 21st, 2011 1:22pm
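The console steps Sami describes correspond to two registry values on the CA, which can be rewritten with `certutil` so that the change is scripted and reviewable. The following is an added example and is not from the thread or from Microsoft. It replaces the root CA's CRL and CA-certificate publication lists with entries that keep the local CertEnroll copy and one HTTP location on a DNS name, dropping the file:// and NetBIOS entries, restarts the CA service and issues a new CRL. `pki.company.com` is a placeholder host; the flag numbers and `%N` tokens are the documented certutil ones.

```powershell
# Added example, not from the thread: rewrite the root CA's CDP/AIA publication lists so
# that no file:// (UNC) location and no single-label host name goes into certificates it
# issues. Run elevated on the (offline) root CA. Assumptions: the HTTP host is
# pki.company.com (placeholder); the CA keeps publishing to its local CertEnroll folder.
# Flag values (documented CA registry semantics):
#   CRLPublicationURLs     1 = publish CRL here, 2 = add to CDP of issued certs,
#                          4 = add to Freshest CRL ext, 8 = add to the CRL's own CDP,
#                         64 = publish delta CRL here
#   CACertPublicationURLs  1 = publish CA cert here, 2 = add to AIA of issued certs
$webBase  = 'http://pki.company.com/CertEnroll'
$localDir = Join-Path $env:windir 'system32\CertSrv\CertEnroll'

# Show what is there now; entries such as "2:file://\\server\CertEnroll\..." are the ones
# that end up in the SubCA certificate and that pkiview reports as "Unable To Download".
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# certutil splits the value on a literal "\n" (PowerShell leaves "\n" untouched in double quotes).
# %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix, %1 = server DNS name, %4 = cert renewal suffix
certutil -setreg CA\CRLPublicationURLs    "65:$localDir\%3%8%9.crl\n2:$webBase/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$localDir\%1_%3%4.crt\n2:$webBase/%1_%3%4.crt"

# The lists are read at service start; the next CRL carries the new locations, the SubCA
# certificate only after it is renewed by this root.
net stop certsvc; net start certsvc
certutil -CRL

# The root is offline, so the new files still have to be moved by hand (or by the scheduled
# script mentioned in the thread) to the web server's CertEnroll directory, e.g.
#   copy "$localDir\*.crl" \\pki.company.com\CertEnroll\     (assumed share name)
# and, if the root publishes to AD, imported on a domain member with
#   certutil -dspublish -f <RootCA>.crl
```

Re-run `certutil -getreg CA\CRLPublicationURLs` after the restart to confirm the value took, then open the freshly issued CRL and check its Issuing Distribution Point and Freshest CRL fields: they should list only the HTTP location you configured. Until the SubCA certificate is renewed, pkiview will keep reporting the old file:// entries for that certificate, exactly as Sami notes above.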
