Unable to Create a Certificate CMC request. Client Side Error Access Denied. Code works fine when run as vbs
Operating system. Windows 7
IE version 8
CA Version: Windows 2008 R2
Certificate Template: SmartCard Logon
---------------------------------------------------
I am creating a CMC certificate request via client side vb script so basically
Create the PrivateKey object and set attributes
then create PKCS10 Object and initialize it with PrivateKey and templateName
Then create the CMC object and initialize it with the template name by passing the P10 object and TemplateName in the method.
When I run the script only in a VBS file, everything seems to be working fine and I am shown a PIN prompt (as my template is smart card logon). But when I put this code in an aspx page and run it via the browser, I get an ACCESS DENIED error when I try to initialize the CMC object with InitializeFromInnerRequestTemplateName(). I have added the site to the Local Intranet zone and enabled everything. I also went into the local computer GPO and added 2,2,1,0 for the ActiveX Installer Service.
The code works in Windows Vista, but not in Windows 7 (IE 8).... Any guesses.
I will redo the Windows 7 image and see if it makes a difference, but not sure, if that is the problem
Any suggestions would help
thanks
April 4th, 2010 12:03am
Without the actual code, no one is going to be of much help.
Paul Adare
CTO
IdentIT Inc.
ILM MVP
April 4th, 2010 12:54am
Hmm, noticed something strange.
If I create my CMC object from objClassFactory.CreateObject, then I get the ACCESS DENIED, but if I create the CMC object by just calling CreateObject("X509Enrollment.CX509CertificateRequestCmc"), then it does not throw the access denied.
April 4th, 2010 12:56am
I will see if I can post some test code.
April 4th, 2010 8:53pm
Here is the test code that fails:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>Untitled</title>
<script language="VBScript">
<!--
Sub vbMessage_1()
    Dim objRequestPkcs10
    Dim objNameValuePair
    Dim objNameValuePairs
    Dim objRequestCMC
    Dim objPrivateKey
    Dim objClassFactory
    Dim CSPVendorName

    ' Create every enrollment object through the web class factory
    Set objClassFactory = CreateObject("X509Enrollment.CX509EnrollmentWebClassFactory")
    Set objEnroll = objClassFactory.CreateObject("X509Enrollment.CX509Enrollment")
    Set objPrivateKey = objClassFactory.CreateObject("X509Enrollment.CX509PrivateKey")
    Set objRequestPkcs10 = objClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
    Set objRequestCMC = objClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestCmc")

    ' Look up the smart card CSP and copy its name and type onto the key
    CSPVendorName = "Microsoft Base Smart Card Crypto Provider"
    Dim CspInfo
    Set CspInfo = objClassFactory.CreateObject("X509Enrollment.CCspInformation")
    CspInfo.InitializeFromName(CSPVendorName)
    objPrivateKey.ProviderName = CspInfo.Name
    objPrivateKey.ProviderType = CspInfo.Type
    objPrivateKey.KeySpec = 2
    GenKeyFlags = 0
    objPrivateKey.KeyProtection = 0
    objPrivateKey.ExportPolicy = GenKeyFlags
    objPrivateKey.Length = 1024

    'Init the P10
    call objRequestPkcs10.InitializeFromPrivateKey(1, objPrivateKey, "SmartcardLogon")

    'Create CMC
    call objRequestCMC.InitializeFromInnerRequestTemplateName(objRequestPkcs10, "SmartcardLogon")
    MsgBox("Error " & Err.Number)
End Sub
//-->
</script>
<script language="JavaScript" type="text/javascript"><!-- //--></script>
</head><body>
<form name="frmTest">
<input type="button" value="Call Get Cert request" onclick="vbMessage_1()" />
</form>
</body></html>
April 6th, 2010 1:05am
Is there a way to turn on cert enroll logging on the client machine? Access denied is a very generic error, and it seems like a catch-all error.
April 6th, 2010 5:09pm
Has anyone seen this error... I am getting desperate now :(
April 7th, 2010 2:26am
OK, so some update on this.
For the certificate enrollment, when I create the objects from the object factory like this below
Set objClassFactory = CreateObject("X509Enrollment.CX509EnrollmentWebClassFactory")
Set objEnroll = objClassFactory.CreateObject("X509Enrollment.CX509Enrollment")
Set objPrivateKey = objClassFactory.CreateObject("X509Enrollment.CX509PrivateKey")
Set objRequestPkcs10 = objClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
Set objRequestCMC = objClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestCmc")
and then make a call
call objRequestCMC.InitializeFromInnerRequestTemplateName(objRequestPkcs10, "SmartcardLogon")
I get the ACCESS DENIED error.
I tried to call a different web-enabled method
call objRequestCMC.InitializeFromInnerRequest(objRequestPkcs10)
then this method does not throw any exceptions, so I am thinking that there is some security setting either at the browser level or CA level that is producing the ACCESS DENIED error when the method objRequestCMC.InitializeFromInnerRequestTemplateName(objRequestPkcs10, "SmartcardLogon") is called.
On the other hand, if I create all my objects like below, then all my code works fine and I am able to retrieve certs
Set objClassFactory = CreateObject("X509Enrollment.CX509EnrollmentWebClassFactory")
Set objEnroll = CreateObject("X509Enrollment.CX509Enrollment")
Set objPrivateKey = CreateObject("X509Enrollment.CX509PrivateKey")
Set objRequestPkcs10 = CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
Set objRequestCMC = CreateObject("X509Enrollment.CX509CertificateRequestCmc")
Can anyone from Microsoft shed some light on it? I have the code working, but I want to know why the failing code works on Windows Vista but does not work with Windows 7.
April 13th, 2010 10:27pm
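An added diagnostic example, not code from the thread or from Microsoft: it builds the same request once with objects from the web class factory and once with direct CreateObject, and records the error number of each step so the failing call and creation path are visible side by side. The ProgIDs, provider name, key settings and template name are taken from the test code above (ProviderType, KeyProtection and ExportPolicy are left at their defaults here); NewObj, StepResult, ProbeCmc and RunProbe are hypothetical helper names.

```vbscript
' Added example: per-step error capture for the two object-creation paths.
' NewObj, StepResult, ProbeCmc and RunProbe are hypothetical helper names.
Function NewObj(factory, progId)
    ' factory Is Nothing -> direct COM activation; otherwise use the web class factory
    If factory Is Nothing Then
        Set NewObj = CreateObject(progId)
    Else
        Set NewObj = factory.CreateObject(progId)
    End If
End Function

Function StepResult(label)
    ' Turn the current Err state into one report line, then reset it
    If Err.Number = 0 Then
        StepResult = label & ": OK" & vbCrLf
    Else
        StepResult = label & ": 0x" & Hex(Err.Number) & " " & Err.Description & vbCrLf
    End If
    Err.Clear
End Function

Function ProbeCmc(factory, pathName)
    Dim key, p10, cmcPlain, cmcTemplate, report
    On Error Resume Next
    report = "[" & pathName & "]" & vbCrLf
    ' Key settings copied from the thread's test code
    Set key = NewObj(factory, "X509Enrollment.CX509PrivateKey")
    key.ProviderName = "Microsoft Base Smart Card Crypto Provider"
    key.KeySpec = 2
    key.Length = 1024
    report = report & StepResult("private key setup")
    Set p10 = NewObj(factory, "X509Enrollment.CX509CertificateRequestPkcs10")
    p10.InitializeFromPrivateKey 1, key, "SmartcardLogon"
    report = report & StepResult("PKCS10 InitializeFromPrivateKey")
    ' Separate CMC objects, so each initializer is tried on a fresh instance
    Set cmcPlain = NewObj(factory, "X509Enrollment.CX509CertificateRequestCmc")
    cmcPlain.InitializeFromInnerRequest p10
    report = report & StepResult("CMC InitializeFromInnerRequest")
    Set cmcTemplate = NewObj(factory, "X509Enrollment.CX509CertificateRequestCmc")
    cmcTemplate.InitializeFromInnerRequestTemplateName p10, "SmartcardLogon"
    report = report & StepResult("CMC InitializeFromInnerRequestTemplateName")
    ProbeCmc = report
End Function

Sub RunProbe()
    Dim webFactory
    Set webFactory = CreateObject("X509Enrollment.CX509EnrollmentWebClassFactory")
    MsgBox ProbeCmc(webFactory, "web class factory") & vbCrLf & _
           ProbeCmc(Nothing, "direct CreateObject")
End Sub
```

Call RunProbe from the page's button handler in place of vbMessage_1; each line of the message box names one step and either OK or the hexadecimal error number with its description.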