The Daily Static

The GOOD news today is that by hadji 2007-07-25 15:58:59
  *hands you my ISA server* by kiwifruit 2007-07-25 16:16:03
    What's the source for that message? (n/t) by bwkaz 2007-07-25 16:35:09
      AutoEnrollment by kiwifruit 2007-07-25 16:42:11
        Not sure what pkiview is, but can you post its output? by bwkaz 2007-07-25 16:54:44

I assume your CA is MS Cert Services, right? Do the permissions on the DC template allow DCs to enroll? What about permissions on the server, since those apply also? (I doubt it's any of this stuff, but who knows.)

"The revocation server" is actually LDAP/SMB/HTTP, not the Cert Services service. Each cert from Cert Services is supposed to have a cRLDistributionPoint attribute, whose multiple values are URLs for where the CRL that may contain that cert's revocation is located (so anyone using the cert can check the CRL too). Assuming a default Cert Services install, the certs will get two URLs; one file and one LDAP. It also installs options for an HTTP URL, I think. (I turned off the file URL, and turned on and slightly modified the HTTP one. Our cert server is also running a web server, so it dumps its CRLs there. Files are not accessible by clients directly.)

Anyway, I believe only one of the URLs needs to be accessible, but it's good to make sure all of them always are (if possible). To see what the URLs actually are, bring up the cert that's getting validated (...though I don't know how to find that: perhaps it's the cert that Cert Services is using to sign all its issued certs?), and in the details tab, go find the "CRL distribution points" attribute. (Or "openssl x509 -in file.pem -text -noout" and look for the cRLDistributionPoint. :-) )

Anyway, once you find those URL(s), make sure the client can get at them. If not, you may have to reissue the Cert Services cert (but that's probably a huge pain, because it may force all your clients to re-request their certs).

If the URLs are available, then I'll have to fall back on pkiview. But from the error text, the CDP thing appears to be at least part of the problem.
          Public Key Infrastructure Viewer, I'd wager. (n/t) by themadkansan 2007-07-25 17:01:37
            Yeah, but I've never used it. :-) (n/t) by bwkaz 2007-07-25 17:08:47
          Ok, I'm going to eat dinner... by kiwifruit 2007-07-25 17:08:38
            OK, let me know. :-) (n/t) by bwkaz 2007-07-25 17:09:06
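
Added example, not part of the thread or anyone's post: a script for the check bwkaz describes, pulling the CRL distribution point URLs out of `openssl x509 -in file.pem -text -noout` output and reporting whether all, some or none of them can be fetched. The sample output, CA name and `example.test` hosts are constructed, and the built-in probe only fetches HTTP(S) URLs (LDAP and file URLs are reported as not checked).

```python
import re
import urllib.request
from urllib.parse import urlsplit

# Constructed sample of `openssl x509 -text -noout` output (not from the thread).
SAMPLE = """\
        X509v3 extensions:
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:ldap:///CN=Example-CA,CN=ca01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=test?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://ca01.example.test/CertEnroll/Example-CA.crl

            Authority Information Access: 
                CA Issuers - URI:http://ca01.example.test/CertEnroll/ca01_Example-CA.crt
"""

def cdp_urls(text):
    """Return the URIs listed under the CRL Distribution Points extension only."""
    urls, header_indent = [], None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        if "CRL Distribution Points" in line:
            header_indent = indent
        elif header_indent is not None and line.strip():
            if indent <= header_indent:      # next extension starts here
                header_indent = None
            else:
                m = re.search(r"URI:(\S+)", line)
                if m:
                    urls.append(m.group(1))
    return urls

def http_probe(url, timeout=5):
    """True/False for http(s) URLs; None for schemes this script cannot fetch."""
    if urlsplit(url).scheme not in ("http", "https"):
        return None
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except OSError:
        return False

def check_cdps(text, probe=http_probe):
    """Probe every CDP URL; 'ok' only if all are reachable, 'partial' if some are."""
    results = {u: probe(u) for u in cdp_urls(text)}
    good = sum(1 for r in results.values() if r)
    verdict = "none" if good == 0 else "ok" if good == len(results) else "partial"
    return verdict, results
```

Run it from the machine that reported the error, since reachability of a CDP depends on where the client sits.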

 

All images, characters, content and text are copyrighted and trademarks of J.D. Frazer except where other ownership applies. Don't do bad things, we have lawyers.