Web Enrollment (certsrv) gives HTTP 500.19
I am attempting to implement an Enterprise CA including web enrollment. I have installed the role and role services, and the CA appears to function. However, I receive HTTP error 500.19 when trying to browse the /certsrv virtual directory:
Module: IIS Web Core
Notification: BeginRequest
Handler: Not yet determined
Error Code: 0x80070003
Config Error: Cannot read configuration file
Config File: \\?\C:\Windows\system32\CertSrv\en-US\web.config
Requested URL: http://server11.tec.local:80/certsrv
Physical Path: C:\Windows\system32\CertSrv\en-US
Logon Method: Not yet determined
Logon User: Not yet determined
I receive HTTP 500 in all browsers, and the above when browsing localhost/certsrv. I have researched and made many attempts to fix this, without luck. I've modified NTFS ACLs on the system32\CertSrv directory and subs, recreated the virtual directory with certutil -vroot, edited application pool settings, all to no avail. The part that strikes me as an obvious problem is the lack of any web.config file in \en-US, which the error points to. However, as I said, I have recreated the directory with certutil after clearing out the IIS virtual directory.
The server itself is a domain controller running Server 2008 R2 Enterprise SP1. It runs DNS and all FSMO roles. It also runs DHCP, file and print services, RDS Licensing (and Citrix licensing), and AD DS & CS as mentioned. There is another server in the environment running Server 2003 SP2. This is the "old" domain controller, which is also a certificate authority. I am configuring AD CS for the purpose of being able to decommission the old server. ADCS seems to be otherwise functioning, so I am hoping to avoid removing the role service itself.
Any thoughts?
(I previously posted this in Directory Services and was told to move it here)
February 1st, 2012 12:05am
This looks rather like an IIS problem; you might need to check this KB http://support.microsoft.com/kb/934515 to solve the IIS web.config problem first.
/Hasain
February 1st, 2012 1:34am
It is not an IIS problem from my perspective. IIS is only being used for the purpose of certificate enrollment, and the default web site IIS 7 logo loads fine. It is specifically the web.config for the Web Enrollment site that IIS reports it cannot find.
That article does not (or should not) apply to this scenario since the physical path is local, not a UNC path. Although the "\\?\C:\Windows\system32\CertSrv\en-US\web.config" path is confusing to me.
Anyway, since configuring AD CS is the only reason there even is an IIS web site, something has to be wrong or have gone wrong somewhere in the role/role service setup. There were no IIS web sites prior to configuring ADCS, and I have gone as far as deleting the entire web site and recreating it and the AD CS sites.
Edit: For reference, here is the relevant (slightly obscured) section I see in the web site's web.config file:
<sites>
    <site name="Default Web Site" id="1" serverAutoStart="true">
        <application path="/" applicationPool="Default Web Site">
            <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" />
            <virtualDirectory path="/CertEnroll" physicalPath="C:\Windows\system32\CertSrv\CertEnroll" logonMethod="Network" />
        </application>
        <application path="/ocsp" applicationPool="OCSPISAPIAppPool">
            <virtualDirectory path="/" physicalPath="C:\Windows\SystemData\ocsp" />
        </application>
        <application path="/COMPANY-DC1-CA_CES_UsernamePassword" applicationPool="WSEnrollmentServer">
            <virtualDirectory path="/" physicalPath="C:\Windows\SystemData\CES\COMPANY-DC1-CA_CES_UsernamePassword" />
        </application>
        <application path="/CertSrv" applicationPool="Default Web Site">
            <virtualDirectory path="/" physicalPath="C:\Windows\system32\CertSrv\en-US" logonMethod="Network" />
        </application>
        <bindings>
            <binding protocol="http" bindingInformation="*:80:" />
            <binding protocol="https" bindingInformation="*:443:" />
        </bindings>
    </site>
</sites>
February 1st, 2012 3:46pm
I have recently noticed the same problem as well. If you find anything out on this, please post it back here. Thanks much.
April 5th, 2012 12:44pm
Check out this if you haven't already:
http://www.interactivewebs.com/blog/index.php/general-tips/crtsrv-http-error-500-19-internal-server-error-64-bit-windows-2008/comment-page-1/#comment-2614
April 5th, 2012 12:49pm