TechEnclave
#1
harmandeep (VirTuaLiZation Freak), 23 May 09, 02:27 AM
Certificate Services - Win 2003, Enterprise

Do your Standalone Root CA and Standalone Subordinate CA need to be online in order to confirm the trust root path for our users?


My testing setup ... Main Goal > AutoEnrollment for End Users


Standalone Root CA > Standalone Subordinate CA > Enterprise Subordinate Issuing CA > End Users ...


CA servers and end users are on the same network segment


CA Servers: 10.x.x.x
End Users: 10.x.x.x




As mentioned, I had set up all the systems and tried autoenrollment with a 2k3 SP2 PKI and Win XP SP2 clients ...

The InterCA and RootCA (both standalone) are offline ...

When a client system tried to autoenroll for the first time, it didn't get autoenrolled ...
The Wireshark trace shows that the client (xp_sp2_01) was looking for InterCA (which is offline). Why is it looking for the InterCA system (doing NBNS broadcasts)? And suppose our InterCA is on a completely different network segment where it can't be reached via an NBNS name broadcast; how would clients know about InterCA? (Leaving the clients' LMHOSTS as a valid option.)

The Wireshark trace has been attached ...

If our InterCA is online (RootCA is still offline), everything works fine ...

Now, does our standalone InterCA need to be online forever to complete autoenrollment for our clients, or is there any other way to handle this?

Attached file: Trace 1.zip (14.1 KB)
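The post above asks why the client goes looking for the InterCA host at all. The answer is in the certificates: autoenrollment revocation-checks the whole chain, and each CA certificate carries CDP and AIA URLs that name the host the CRL and issuer certificate are fetched from. The script below is an added example (not from this thread) that lists those URLs for a chain and tests whether the client can resolve each host; the paths in $chain are placeholders for the three CA certificates exported as .cer files.

```powershell
# Added example (not from the thread): list every CDP and AIA URL carried by a
# CA certificate chain and test whether this client can resolve each host.
# Autoenrollment revocation-checks the whole chain, so every host named in
# these extensions must be reachable from the client. An unresolvable short
# name such as "interca" is what a client tries next over NetBIOS, which is
# the NBNS broadcast traffic seen in the trace.
# Assumption: the CA certificates were exported as .cer files at the
# placeholder paths in $chain.

function Get-CertUrls {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $wanted = @{
        '2.5.29.31'         = 'CDP'   # CRL Distribution Points
        '1.3.6.1.5.5.7.1.1' = 'AIA'   # Authority Information Access
    }
    foreach ($ext in $cert.Extensions) {
        if (-not $wanted.ContainsKey($ext.Oid.Value)) { continue }
        # Format($true) returns the multi-line text the Windows certificate
        # viewer shows; each location is printed as "URL=<scheme>://...".
        $text = $ext.Format($true)
        foreach ($m in [regex]::Matches($text, 'URL=(\S+)')) {
            [pscustomobject]@{
                Subject = $cert.Subject
                Kind    = $wanted[$ext.Oid.Value]
                Url     = $m.Groups[1].Value
            }
        }
    }
}

function Test-UrlHost {
    param([string]$Url)
    try {
        $uri = [uri]$Url
        if ($uri.Scheme -eq 'ldap' -and [string]::IsNullOrEmpty($uri.Host)) {
            # ldap:/// with no host means "any domain controller": usable by
            # domain members only, no help to a client that is off the domain.
            return 'AD (ldap:///, needs a reachable domain controller)'
        }
        $addrs = [System.Net.Dns]::GetHostAddresses($uri.Host) |
            ForEach-Object { $_.IPAddressToString }
        return "resolves -> $($addrs -join ', ')"
    } catch {
        # Not in DNS. A single-label name then falls back to NetBIOS name
        # resolution, which only works on the local segment (or via LMHOSTS).
        return 'UNRESOLVABLE: client cannot fetch the CRL/issuer cert from here'
    }
}

# Placeholder paths for the three-tier chain described in the post.
$chain = 'C:\pki\rootca.cer', 'C:\pki\interca.cer', 'C:\pki\issuingca.cer'

$chain |
    ForEach-Object { Get-CertUrls -Path $_ } |
    ForEach-Object {
        $_ | Add-Member -NotePropertyName Reachability `
                        -NotePropertyValue (Test-UrlHost -Url $_.Url) -PassThru
    } |
    Format-Table -AutoSize -Wrap Subject, Kind, Url, Reachability
```

Run it on the client, not on a CA. With the default CDP/AIA that a standalone CA writes into the certificates it issues, the issuing CA's certificate will name the InterCA machine, which is exactly the host the capture shows the client searching for; the URLs have to point somewhere that is online even when the CA is not.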
#2
vishalrao (Global Village Idiot), 23 May 09, 07:47 AM
Re: Certificate Services - Win 2003, Enterprise

Interesting stuff, I'm assuming you've read pages like this -> Certificate Autoenrollment in Windows Server 2003

I'm *guessing* (no experience) the CAs need to be online and contactable for things like CRL (Certificate Revocation List) checking and simply updating your installed certs? Try disabling Certificate Revocation List (CRL) checking and see if that stops it... Turn CRL checking on or off

#3
harmandeep (VirTuaLiZation Freak), 23 May 09, 03:32 PM
Re: Certificate Services - Win 2003, Enterprise

^ I'm reading the above stuff ... meanwhile, can you tell me what those WPAD entries in the trace were? Are those the auto-config proxy settings that the IE client is trying to fetch?
#4
vishalrao (Global Village Idiot), 23 May 09, 06:55 PM
Re: Certificate Services - Win 2003, Enterprise

Looked at the capture/trace file and searched the Net; yes, those WPAD entries must be auto proxy discovery requests to your saggu.com domain... maybe you should either disable that option in your VMware Windows installation, or configure DHCP so the VM can access your DHCP server, or create a proxy DNS entry wpad.saggu.com, like some of the search results seem to indicate:

Thomas Shinder Blog: WPAD Autodiscovery and Qualifying Unqualified Names

We know IE! : WPAD detection in Internet Explorer

#5
harmandeep (VirTuaLiZation Freak), 24 May 09, 08:09 AM
Re: Certificate Services - Win 2003, Enterprise

Quote (Originally Posted by vishalrao):
Interesting stuff, I'm assuming you've read pages like this -> Certificate Autoenrollment in Windows Server 2003

I'm *guessing* (no experience) the CAs need to be online and contactable for things like CRL (Cert Revocation List) checking and simply updating your installed certs? Try disabling Certificate Revocation List (CRL) checking and see if that stops it...Turn CRL checking on or off

Thanks for the URLs provided .... here's the fetched info



Autoenrollment always performs a revocation check of the entire certificate chain starting with the issuing certification authority to ensure that the CA offering enrollment services is not revoked before performing enrollment. If the CA is revoked, autoenrollment will not send requests to that certification authority. However, autoenrollment will ignore revocation errors if a CDP (CRL Distribution Point) extension does not exist in the CA certificate or if the revocation status is offline.

Now, how to do the above (the part marked in bold) ...


The following process helped to identify the kaput ...

Autoenrollment Failures

Autoenrollment will warn the user with a warning dialog box when an autoenrollment failure occurs. This feature is only enabled when user interaction is required on the certificate template.

To enable the warning feature for an autoenrollment failure

1. Open the specified template in the Certificate Templates MMC snap-in.
2. Click the Request Handling tab.
3. Click Prompt the user during enrollment on the Request Handling tab of the certificate template properties.

Here is the error screenshot ...



Now this means that the certificate that InterCA enrolled to IssuingCA had a CRL defined on it, with the time when to check for an update of the CRL. New clients who try to autoenroll check the CRL list of the entire tree. Is the same applicable for the Delta CRL? Now, how to get the clients not to check the CRL CDP ... via GPOs?
Attached image: trace 1 -01.jpg (51.7 KB)
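The procedure quoted in the post turns on the failure dialog by ticking "Prompt the user during enrollment" on the template. In Active Directory that checkbox is one bit of the template's msPKI-Enrollment-Flag attribute, so the same thing can be checked without clicking through every template. The script below is an added example (not from this thread or from the Microsoft article quoted) that reads the templates over ADSI and reports which ones autoenroll silently; it assumes a domain-joined machine with the default read access to the Configuration partition, and the flag values are the ones documented in MS-CRTD.

```powershell
# Added example (not from the thread): read-only check, via ADSI, of which
# certificate templates in this forest have "Prompt the user during
# enrollment" set. That checkbox is the CT_FLAG_USER_INTERACTION_REQUIRED bit
# (0x100) of msPKI-Enrollment-Flag (documented in MS-CRTD); the autoenroll
# checkbox is CT_FLAG_AUTO_ENROLLMENT (0x20). Only templates with the prompt
# bit set show the failure dialog the post describes.
# Assumes a domain-joined machine with read access to the Configuration
# partition (the default for any authenticated user).

$USER_INTERACTION_REQUIRED = 0x100
$AUTO_ENROLLMENT           = 0x20

function Get-TemplatePromptState {
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNC  = [string]$rootDse.Properties['configurationNamingContext'].Value
    $templates = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($t in $templates.Children) {
        # An absent attribute casts to 0, i.e. no flags set.
        $flags = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
        [pscustomobject]@{
            Template   = [string]$t.Properties['cn'].Value
            AutoEnroll = (($flags -band $AUTO_ENROLLMENT) -ne 0)
            PromptUser = (($flags -band $USER_INTERACTION_REQUIRED) -ne 0)
            Flags      = ('0x{0:X}' -f $flags)
        }
    }
}

# Templates that autoenroll without prompting: a failure on these never
# reaches the user and only shows up in the client's event log.
Get-TemplatePromptState |
    Where-Object { $_.AutoEnroll -and -not $_.PromptUser } |
    Format-Table -AutoSize
```

Drop the Where-Object filter to see every template with its raw flag value. The prompt is a troubleshooting aid, not a fix: once the chain validates, turn it off again on templates that are meant to enroll silently.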
#6
vishalrao (Global Village Idiot), 24 May 09, 10:26 AM
Re: Certificate Services - Win 2003, Enterprise

Yes, the Delta CRL should be affected/fixed the same way. Hmmm, not sure here, especially about GPO settings; I just googled and got these links:

Certificate Revocation and Status Checking
Troubleshooting Certificate Status and Revocation
Turn CRL checking on or off

See section D of the first link... also, did the "Turning CRL on or off" link posted earlier not help?

In the IE Advanced settings tab there is an option to turn off CRL checking; not sure if it works only for IE or for the entire OS...

edit: worst case you can generate new certs with the CDP removed

#7
harmandeep (VirTuaLiZation Freak), Today, 03:37 AM
Re: Certificate Services - Win 2003, Enterprise

Quote (Originally Posted by vishalrao):
Yes Delta CRL should be affected/fixed the same way. Hmmm, not sure here, especially about GPO settings, I just googled and got these links:
edit: worst case you can generate new certs with the CDP removed
Well, removing the CDP won't do any good, as some certificate purposes won't work. The proper configuration required is highlighted here:
A Microsoft PKI Quick Guide – Part 3: Installation
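The configuration the post points to boils down to this: the offline CAs keep their CDP and AIA URLs, but those URLs name an always-online HTTP host instead of the CA machine, and the CRL is carried to that host by hand. The script below is an added example of that setup (it is not the thread's own script nor the linked guide's); pki.saggu.com is a placeholder for an IIS host in the saggu.com domain mentioned earlier in the thread, and $webShare is a placeholder for the directory its /CertEnroll path serves. The certutil commands are the same ones typed at a cmd prompt; in a .bat file the percent signs must be doubled.

```powershell
# Added example, not the thread's or the linked guide's own script: give an
# offline standalone CA (RootCA or InterCA in this setup) CDP and AIA URLs that
# point at an always-online HTTP host, so clients never have to reach the CA
# machine itself. Assumptions: pki.saggu.com is a placeholder for an IIS host
# in the saggu.com domain named in the thread, and $webShare is a placeholder
# for the directory its /CertEnroll path serves.

$pkiHost  = 'pki.saggu.com'
$webShare = '\\pki.saggu.com\CertEnroll$'
$enroll   = "$env:windir\system32\CertSrv\CertEnroll"

# ----- On the offline CA (run as local administrator) ----------------------
# Prefix flags: 1 = publish to this location, 2 = include this URL in the
# CDP/AIA extension of issued certificates. certutil variables: %1 = server
# DNS name, %3 = CA name, %4 = certificate index, %8 = CRL name suffix,
# %9 = delta CRL suffix. Entries are separated by a literal "\n".
# Only the HTTP URL goes into issued certificates: no LDAP (the CA is not a
# domain member) and nothing that names the offline host.
certutil -setreg CA\CRLPublicationURLs "1:$enroll\%3%8%9.crl\n2:http://$pkiHost/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$enroll\%1_%3%4.crt\n2:http://$pkiHost/CertEnroll/%1_%3%4.crt"

# An offline CA is not switched on every week, so give its base CRL a long
# validity and disable delta CRLs (a delta CRL only makes sense for a CA that
# republishes often). Track the expiry: once this CRL lapses, every chain
# below the CA fails revocation checking until a new one is published and copied.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Apply the registry changes and publish a fresh CRL to the local CertEnroll folder.
net stop certsvc
net start certsvc
certutil -CRL

# ----- On a domain member, after carrying the files off the offline CA ------
# Copy the CRL and CA certificate to the directory the HTTP URL maps to.
Copy-Item "$enroll\*.crl" $webShare
Copy-Item "$enroll\*.crt" $webShare
# Optionally also publish into AD so domain members get the trust automatically
# (file names are placeholders):
# certutil -dspublish -f "$enroll\rootca.crt" RootCA
# certutil -dspublish -f "$enroll\interca.crt" SubCA
# certutil -dspublish -f "$enroll\rootca.crl"

# ----- On a client: check the chain the way autoenrollment will ------------
# -urlfetch makes certutil actually download every CDP and AIA URL in the
# chain; the Select-String is a coarse filter for lines reporting a failure.
certutil -verify -urlfetch "$env:TEMP\issuingca.cer" | Select-String -Pattern 'Failed|Error'
```

The URLs only take effect for certificates issued after the change, so the subordinate CA certificates have to be reissued (or renewed) by the offline CA once it is reconfigured. Turning CRL checking off on the clients, as floated earlier in the thread, would make the symptom go away but leaves every revoked certificate in the hierarchy trusted; making the CRL reachable is the fix.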
#8
sarang (Waiting for ETs), Today, 11:01 AM
Re: Certificate Services - Win 2003, Enterprise

[Off topic]
Interesting to see this thread. Don't know how I missed this when it started last year. As Vishalsir would know, I am also getting my feet wet in identity management, and federation in particular. I never had a chance to work with Cert Server 2K3 but have been using the Cert Server role in Win2K8.
[/Off topic]