Smart Card certificate enrollment station: ActiveX control download permission error.
I have a Windows 2003 R2 server with an enterprise root CA configured. I have configured all the steps for smart card authentication. When requesting a smart card certificate on behalf of another user from the web enrollment page, I see the error below:
An unexpected fatal error has occurred: The proper version of the ActiveX control failed to download and install. You may not have sufficient permissions. Please ask your system administrator for assistance.
I have logged in as Administrator on the computer (where AD and the CA are configured), and from the same computer I am trying to request the smart card certificate.
I tried all the solutions (changing the settings in IE, adding the CA host to trusted sites, etc.), but still no luck.
Can somebody help me get this fixed?
Thanks in advance.
August 12th, 2010 10:33pm
What OS is your client running? If Windows Vista or higher, you must apply the following update:
http://support.microsoft.com/kb/922706
As a result you will be unable to:
1) request computer certificates
2) request certificates using smart card CSP
3) perform enroll on behalf of another user.
Instead, you will have to use the CertMgr.msc MMC snap-in to enroll on behalf of another user.
http://en-us.sysadmins.lv
August 13th, 2010 8:39am
You mean the client from which I am trying to request the certificate from /certsrv?
If yes, I am trying to get the certificate from localhost, where the CA and AD are configured, and it has the 2003 Server R2 OS loaded.
August 13th, 2010 11:27am
Is the mentioned update installed on the server?
Have you tried adding the server to either the trusted or local intranet zone?
http://en-us.sysadmins.lv
August 13th, 2010 12:05pm
Hi,
Thank you for your post here.
As Vadims mentioned, please make sure that you have added the Windows Certificate Server computer to the trusted sites zone in IE.
ActiveX Error Messages Using Certificate Enrollment Web Pages to Enroll a Smart Card in Internet Explorer
http://support.microsoft.com/kb/330211/en-us
August 13th, 2010 12:51pm
After installing the patch on the server, I don't see the option for requesting a smart card certificate on behalf of another user in the web enrollment page.
August 17th, 2010 7:23pm
Yes, this is expected. Or you don't agree with that?
http://en-us.sysadmins.lv
August 17th, 2010 7:25pm
OK, then how should I get a certificate for a smart card user, which will be burned onto the smart card?
August 17th, 2010 7:44pm
If you have a Windows Vista/7/2008/2008R2 computer you may use the CertMgr.msc MMC snap-in.
http://en-us.sysadmins.lv
August 17th, 2010 7:47pm
But I don't have any; I only have XP and 2003 machines. Is there any way to get a smart card certificate from these machines?
August 18th, 2010 9:19am
Please let me know how to proceed further.
August 18th, 2010 9:18pm
In that case you need to remove the specified update and proceed via the enrollment web pages. You just need to configure the following:
1) enable HTTPS on the IIS default web site (or wherever the CertSrv application is hosted)
2) disable anonymous authentication and enable Integrated (Windows) authentication.
3) place the web site in the LocalIntranet (or Trusted sites) zone in your web browser.
http://en-us.sysadmins.lv
August 18th, 2010 11:07pm
Still no luck.
After uninstalling and placing the website under trusted sites, I am still seeing the error: The proper version of the ActiveX control failed to download and install.
How do I overcome this issue on 2003 Server?
August 21st, 2010 7:06pm
What about the LocalIntranet zone?
http://en-us.sysadmins.lv
August 21st, 2010 10:43pm
First add the CA site to the trusted zone in Internet Explorer, then configure the trusted zone at custom level and enable "Download Unsigned ActiveX Control".
That works for me.
March 21st, 2011 10:47am
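An added example, not part of any post in this thread: a read-only PowerShell report of the zone changes discussed above (placing the CA site in the Local intranet or Trusted sites zone, and the ActiveX download setting of that zone), listing every site the zone policy applies to. It assumes PowerShell 2.0 or later is installed and reads only per-user (HKCU) settings; the zone numbers 1 and 2 and the action IDs 1001 and 1004 are the standard Internet Explorer values.

```powershell
# Added example: read-only report of the current user's IE zone configuration.
# Reads HKCU only; machine-wide or Group Policy settings are not inspected.
$base      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites' }
$actions   = @{ '1001' = 'Download signed ActiveX controls'
                '1004' = 'Download unsigned ActiveX controls' }
$states    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# 1. ActiveX download policy for each zone the thread suggests using.
foreach ($zone in 1, 2) {
    $zoneKey = Get-Item -Path "$base\Zones\$zone" -ErrorAction SilentlyContinue
    foreach ($id in $actions.Keys) {
        $raw = $null
        if ($zoneKey) { $raw = $zoneKey.GetValue($id) }
        $text = 'not set for this user'
        if ($raw -is [int]) {
            $text = "unknown value $raw"
            if ($states.ContainsKey($raw)) { $text = $states[$raw] }
        }
        '{0,-15} {1,-36} {2}' -f $zoneNames[$zone], $actions[$id], $text
    }
}

# 2. Every site mapped into those zones; the zone policy applies to all of them.
#    EscDomains replaces Domains while IE Enhanced Security Configuration is on
#    (it is enabled by default on Windows Server 2003).
foreach ($map in 'Domains', 'EscDomains') {
    $root = "$base\ZoneMap\$map"
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root -Recurse) {
        # Key path below the map root is domain\subdomain; rebuild the host name.
        $start = $key.Name.IndexOf("\$map\", [StringComparison]::OrdinalIgnoreCase)
        $parts = $key.Name.Substring($start + $map.Length + 2).Split('\')
        [array]::Reverse($parts)
        # Value names are URL schemes (http, https, *); value data is the zone.
        foreach ($scheme in $key.GetValueNames()) {
            $zone = $key.GetValue($scheme)
            if ($zone -is [int] -and $zoneNames.ContainsKey($zone)) {
                '{0,-15} {1}://{2} ({3})' -f $zoneNames[$zone], $scheme, ($parts -join '.'), $map
            }
        }
    }
}
```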
Create a single Windows 7 machine and use the integrated GUI of the Certificates console. That's the most powerful without any expenses, mostly as you will probably be migrating to 7 any time soon.
March 24th, 2011 7:31am
I would agree with Ondrej that the appropriate solution to your issue is to build a Windows 7 enrollment station. You should issue an enrollment agent certificate to the machine and perform all enrollments through the rich request feature under the updated certificates snap-in. Smart card enrollment is typically a delegated task and generally not run directly on the server (many servers do not support local smart card readers). If the hardware for a Windows 7 enrollment station is an issue, I have built a virtual enrollment station (hosted on a machine that has a smart card reader) that seemed to work fairly well.
fr3dd
March 28th, 2011 7:29pm