Discussion:
Problem when requesting a certificate to IIS server (certificate web enrollment)
a***@sncf.fr
2005-10-04 16:50:27 UTC
Hello,

I want to implement a Windows 2003 PKI, but I have some problems.
When I request a certificate from my enterprise issuing CA through the IIS
server interface, I get the following message:

"Error
Your request failed. An error occurred while the server was processing
your request.
Contact your administrator for further assistance

Request Mode:
newreq - New Request
Disposition:
(never set)
Disposition message:
(none)
Result:
No mapping between account names and security IDs was done. 0x80070534
(WIN32: 1332)
COM Error Info:
CCertRequest::Submit No mapping between account names and security IDs
was done. 0x80070534 (WIN32: 1332)
LastStatus:
No mapping between account names and security IDs was done. 0x80070534
(WIN32: 1332)
Suggested Cause:
No suggestions. "

Thanks for any information.
Steven L Umbach
2005-10-05 00:11:26 UTC
If you have installed Service Pack 1 and the CA is installed on a domain
controller, see the link below on changes in SP1 for Certificate Services to
see if that applies to your configuration.

http://support.microsoft.com/default.aspx/kb/889101

Look in the security/application/system logs of the CA server and the client
computer to see if anything is recorded there that may give you a clue.
Though the error message does not seem to indicate that this is the problem,
make sure the user/computer has read/enroll permissions to the certificate
template. Run the support tool netdiag on the CA server to make sure that
there are no problems with DNS, DC discovery, Kerberos, or the secure channel,
and read the link below on AD DNS to make sure you have DNS configured
correctly for the domain. If you are using an IIS server other than your CA
server for Web Enrollment, the computer account for the IIS server needs to be
trusted for delegation for Kerberos in Active Directory Users and Computers.
Try requesting the certificate via the MMC snap-in for certificates for the
user/computer, as the case may be, to see if that works. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- AD
DNS FAQ.
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx#EAF
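
The checks suggested in the reply above, as an added PowerShell example that is not from any poster in this thread: it decodes the HRESULT shown on the error page, tests whether each account name involved maps to a SID (the lookup that Win32 error 1332 reports as failed), and reads the delegation settings on the IIS server's computer account. The account and computer names are placeholders, and the script assumes it is run on a domain-joined machine.

```powershell
# Added example; EXAMPLE\..., WEBSRV01 and CASRV01 are placeholder names.
param(
    [string[]]$Accounts    = @('EXAMPLE\WEBSRV01$', 'EXAMPLE\CASRV01$', 'EXAMPLE\jdoe'),
    [string]  $IisComputer = 'WEBSRV01'
)

# Split an HRESULT into its facility and Win32 code and look up the message.
function ConvertFrom-HResult([int]$HResult) {
    $code = $HResult -band 0xFFFF
    [pscustomobject]@{
        Facility  = ($HResult -shr 16) -band 0x1FFF   # 7 = FACILITY_WIN32
        Win32Code = $code                             # 0x534 = 1332
        Message   = (New-Object System.ComponentModel.Win32Exception $code).Message
    }
}

# Name-to-SID lookup; a name that cannot be mapped is the condition error 1332 reports.
function Test-AccountMapping([string]$Name) {
    try {
        $account = New-Object System.Security.Principal.NTAccount $Name
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Account = $Name; Resolved = $true; Detail = $sid.Value }
    } catch {
        [pscustomobject]@{ Account = $Name; Resolved = $false; Detail = $_.Exception.Message }
    }
}

# Read the delegation settings of a computer account over LDAP (no AD module needed).
# 0x80000 in userAccountControl is TRUSTED_FOR_DELEGATION (delegation to any service);
# constrained delegation targets are listed in msDS-AllowedToDelegateTo instead.
function Get-DelegationFlag([string]$ComputerName) {
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $hit = $searcher.FindOne()
    if (-not $hit) { return "Computer account '$ComputerName' not found in the directory" }
    $uac = [int]$hit.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Computer             = $ComputerName
        TrustedForDelegation = [bool]($uac -band 0x80000)
        AllowedToDelegateTo  = @($hit.Properties['msds-allowedtodelegateto'])
    }
}

ConvertFrom-HResult -HResult 0x80070534 | Format-List
$Accounts | ForEach-Object { Test-AccountMapping $_ } | Format-Table -AutoSize
Get-DelegationFlag $IisComputer | Format-List
```

Running the name lookups on both the IIS server and the CA shows whether one side fails to resolve an account that the other resolves.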
a***@sncf.fr
2005-10-05 11:59:03 UTC
Thanks for replying!

I did what you suggested, but I didn't solve the problem.

I ran the support tool netdiag and everything seems to be OK.
The content of netdiag.log is:
"
Computer Name: SDSIV-NA-PKI002
DNS Host Name: sdsiv-na-pki002.sdsiv-na-pki.local
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 2 Stepping 8, GenuineIntel
List of installed hotfixes :
KB819696
KB823182
KB823559
KB823980
KB824105
KB824141
KB824145
KB824146
KB825119
KB828035
KB828741
KB828750
KB833987
KB835732
KB839645
KB840315
Q147222
Q819639
Q828026


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : sdsiv-na-pki002.sdsiv-na-pki.local
IP Address . . . . . . . . : 10.27.223.74
Subnet Mask. . . . . . . . : 255.255.252.0
Default Gateway. . . . . . : 10.27.223.254
Primary WINS Server. . . . : 10.27.204.5
NetBIOS over Tcpip . . . . : Disabled
Dns Servers. . . . . . . . : 10.27.223.76


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed


WINS service test. . . . . : Skipped
NetBT is disable on this interface. [Test skipped].


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Skipped
There are no interfaces that have NetBT enabled. [Test skipped]


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Skipped
There are no interfaces that have NetBT enabled. [Test skipped]


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed


Redir and Browser test . . . . . . : Skipped
There are no interfaces that have NetBT enabled. [Test skipped]


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
Secure channel for domain 'SDSIV-NA-PKI' is to
'\\SDSIV-NA-PKI04.sdsiv-na-pki.local'.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed
information


The command completed successfully"


Any ideas or suggestions?

Thanks.
Steven L Umbach
2005-10-05 15:01:24 UTC
Your netdiag results look good, though I see you have NetBIOS over TCP/IP
disabled on the CA. I would not think that is related, but you may want to
enable it, even if just temporarily, to see if that makes a difference, as I
have seen stranger things. A search of Google for your problem suggested
trying the below from user Madcow at MSExchange.org. Also verify that the
computer account for the CA is enabled for delegation in its properties in
Active Directory Users and Computers. If problems still persist, at least
try requesting a certificate via the MMC snap-in for certificates on the
client computer to see if that works or not, from the folder for
Personal/Certificates where you right-click and select All Tasks - Request
New Certificate, to try to determine whether the problem is with Web
Enrollment or with access to the CA in general. --- Steve

http://forums.msexchange.org/m_170169400/tm.htm

"In your IIS click default website -> home directory -> configuration ->
options TAB -> and make sure the ENABLE SESSION STATE is selected.

If not select this option and restart the IIS and then try to create a
certificate again."
Kristoffer Nørkjær Randløv jepsen
2005-10-14 13:11:46 UTC
I'm having the same problem.
I have installed the web enrollment pages on a web server in my DMZ.

When I request certificates I get the same error.

I have set the computer to be trusted for delegation in ADUC.