Windows Certificate Services – Setting up a CRL

KB ID 0000957

Problem

One of the often overlooked tasks of a PKI deployment is setting your Certificate Services CRL. For smaller deployments, with only one server then you don’t have to worry about how this will be designed (though a CRL does not have to be hosted on a Certificate Services server). In my test environment I only have one PKI server so everything will be going on that one box, In more complex environments you may have multiple root and subordinate PKI servers writing to your CRL (you may even have multiple CRL’s).

Solution

I would consider this a ‘post’ certificate services install task, so I’m assuming you already have that installed and configured.

1. Launch the Certification Authority management console > Right click the server-name > Properties > Extensions tab.

2. With CRL selected > Add > Type into the location http://crl.{your-domain-name}.{your-domain-extension}/crld

Note: You can use https:// but you may need to add a certificate in IIS manager and select ‘require TLS’ for the crld virtual directory.

3. In the variable section, select then ‘Insert’ the following onto the end of the URL;

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

Finally end the URL with .crl > OK.

Note: Is ‘should’ look like http://{FQDN-Of-Server}/crld/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl

4. With the CRL entry you have just created selected > Enable the following two options;

  • Include in CRL’s. Clients use this to find Delta CRL locations.
  • Include in the CDP extension of issues certificates.

Apply > OK > Yes.

5. Change the ‘Select extension’ drop down to ‘CRL Distribution Point (CDP)’ > Add > Type in a UNC path as follows ‘{Server-name}crldist$ > Then select and inset the variables onto the end of the path, (like you did above);

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

And then (as above) add .crl onto the end of the path > OK.

6. With the CDP selected > Select the following options;

  • Publish CRL’s to this location
  • Publish Delta CRL’s to this location

Apply > OK > Yes.

Windows DNS Requirements for CRL

7. So that your clients can resolve the name of the CRL you have just created, they need to be able to resolve the name you just created. On your DNS server open the DNS management console > Expand server-name > Forward Lookup Zones > {your-domain-name} > Right click > New Host (A or AAAA) > name crl > IP address = The IP address of the IIS server that will host the CRL > Add Host > Close DNS Manager.

Windows IIS Requirements for CRL

8. On the web server, open the Internet Information Services (IIS) Manager console > Expand and select your server-name > right click > Add Virtual Directory >Set the alias to CRLD.

Note: in IIS URL’s are not case sensitive.

9. Under ‘Physical path’ select the browse button > Select the C: Drive, (or another drive if you wish) > Make New Folder > Call the folder CRLDist > OK > OK.

10. Select server-name > Directory Browsing

Note: If you are serving other services from this web server, you might wish to only set directory browsing on the CRLD virtual directory.

11. Enable.

12. Select the CRLD directory (Click refresh if you cant see it) > Configuration Editor.

13. Navigate to System.webServer > security > RequestFiltering.


Note: On older versions of IIS, it’s under ‘System.webServer > security > authentication > RequestFiltering.’

14. Change allowDoubleEscaping to ‘True’ > Apply.

Windows Folder Permission Requirements for CRL

15. Navigate to the folder you just created (i.e C:CRLDist) > Right Click > Properties > Sharing > Advanced Sharing > Select ‘Share this folder’ > Add a dollar symbol to the end of its name i.e. CRLDist$.

Note: This simply creates a ‘hidden’ share, that cannot be seen when browsing the server shares.

Note: In Addition, Set the Windows NTFS Permissions for the Server(s) to Full Control also.

16. Permissions > Object Types > Add in Computers > OK > Enter the name of the server(s) that need to write to the CRL > OK.

17. Grant the Full Control permission to the sever(s) you just added > Apply > OK.

18. Back at the Certificate Services server > Launch the Certification Authority management console > Revoked Certificates > Right click > All Tasks > Publish > New CRL > OK.

19. If you check the folder you created earlier, you will see it now contains the CRL files.

Related Articles, References, Credits, or External Links

Microsoft Certificate Services Configuring OCSP

Publish CRL Error – Access Denied 0x80070005

Server 2012 – Certificate Services – ‘HTTP Error 403.14 – Forbidden’

KB ID 0001067

Problem

I spun up a new Certificate Services server on my test network today, because I needed to issue some certificates for something I’m working on. It was a pretty vanilla build, just the Certificate Services role, and the Web Enrollment feature.

Solution

I spent a while searching this one down, as you can see (above) it was showing me the root cause of the problem. The page you normally see when you log into the web portal is default.asp, and that file is not in that folder.

1. Open IIS manager and then open the settings for the CertSrv virtual directory. Use the browse button to change the location.

2. Change the location to the sub folder en-US (or if you are in a different locale select your local one). > OK > OK.

3. Restart the web services and try again.</p?

Related Articles, References, Credits, or External Links

NA

Cannot Access Exchange Management Console

KB ID 0000477 Dtd 02/05/13

Problem

Since Exchange 2007, its management tasks have been done via PowerShell, (yes even the GUI Management). Which is fine, however it runs all that PowerShell from a virtual directory that lives in the servers’ IIS webserver. When that fails or there is a problem, Exchange runs quite happily, but you can’t run the management tools.

There are a number of reasons for this to fail and a number of different error messages, I will list them as I come acoss them.

Error 1 (Seen 16/10/12)

Error: Connecting to the remote server failed with the following error message: The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: “winrm quickconfig”. For more information, see the about_Remote_Troubleshooting Help topic. It was running the command ‘Discover-exchangeserver- useWIA $true – suppressError $true’ -CurrentVersion ‘Version 14.1(Build 218.15).

I got the same when trying to access the Exchange Management Shell as well.

Update 16/10/12: I got this problem today again! It seems AVG 2012 causes this problem as well, if you have AVG installed remove it and try again.

Solution (Error 1)

1. Firstly drop to command line > then (as asked) run “WinRM QuickConfig”. Carry out any changes that it asks by simply pressing “y”.

2. Run the same command again untill it returns two positive results.

3. Start > Run > Services.msc {enter} Locate the following three services, make sure that they are set to “automatic startup” and are running.

IIS Admin Service Windows Remote Management (WS-Management) World Wide Web Publishing Service

4. Start > Administrative Tools > Expand Sites > Default Web Site > Make sure the default web site IS STARTED.

THIS WAS MY PROBLEM! If you can see the green start arrow then its NOT started.

5. When I attempted to start the default web site I got the following error:

Error: The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020).

Essentially one or both of the two comms ports that IIS uses (Port 80 HTTP and Port 443 HTTPS) have been taken by another process or program. Have a common sense check, what’s been installed on this server that might have a “web portal”? UPS software, AV software, another web server like Apache for example?

To find out what process is using the port

6. Close down any open windows that you have on the server. At command line issue the following two commands:

[box] netstat -aon | find “:80” netstat -aon | find “:443” [/box]

The fist checks for programs using port 80, In my case there were none, the second command checks port 443, heres my culpritt. All I know at this point is it’s PID (in the example below 4852).

7. To find out what that PID is, right click your Task bar > Launch Task Manager > Processes Tab > View > Select Columns.

8. Turn on the PID column.

9. Sort the PID column (by clicking on the column title) locate the PID in question, find out what it is. Once you know that stopping it will not harm the server, then simply right click and “End Process Tree”.

Note: Some legitimate important Windows processes might be using these ports like “lsass” and “system”.

10. Now you should be able to start the default website, and the Exchange Management Console should open correctly.

WARNING: You have not fixed the problem! (Just identified it), the software that hijacked the IIS ports needs uninstalling, or changing so that it uses a different port.

 

Error 2 (Seen 02/05/13)

Connecting to the remote server failed with the following error message: The WinRM client… cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic. It was running the command ‘Discover-exchangeserver- useWIA $true – suppressError $true’ -CurrentVersion ‘Version 14.1(Build 218.15).

And from the Exchange Managent Shell;

Other Symtoms;

Attempting to open OWA gives a 500 – Internal server error. (If that’s the only problem and it’s SBS 2011, make sure the ‘Microsft Exchange Form Based Authentication’ service is running).

Solution (Error 2)

I spent an entire afternoon fighting with this error on an SBS 2011 server! Every post I found on the internet did NOT fix it. Not even this one (which was so close) but my envirnment variables were correct

The EMTShooter did not help either, I checked it’s recommendations. and they were all correct.

The bottom line is: This is an IIS problem not an Exchange one, the site I was at had done a lot of work on this server and just installed some third party software, (that may or may not have changed some IIS configuration settings). So I connected to another working SBS 2011 Server and copied the contents of the c:inetpubwwwroot folder to the affected machine (back it’s contents up first!). Then run the following command;

[box] iisreset [/box]

If you don’t have access to a working SBS 2011 server, here you go, (you owe me a vodka!)

 

Error 3 (Seen 30/04/14)

 

“The attempt to connect to http://server.domain.com/PowerShell using “Kerberos” authentication failed: connecting to remote server failed with the following error message : The WinRM client cannot complete the operation within the time specified.  Check if the machine name is valid and is reachable over the network and firewall exception for Windows Remote Management service is enabled.  For more information, see the about_Remote_Troubleshooting Help topic.”

Solution Error 3

1. Exit the EMC > Windows Key +R > cmd {Enter}

2. Execute the followig two commands;

[box]

DEL "%USERPROFILE%AppDataRoamingMicrosoftMMCDEL "%USERPROFILE%AppDataRoamingMicrosoftMMCExchange Management Console.*"

REG DELETE HKEY_CURRENT_USERSoftwareMicrosoftExchangeServerv14AdminTools /v NodeStructureSettings /f

[/box]

Related Articles, References, Credits, or External Links

Exchange 2010 – No Exchange servers are available in any Active Directory sites

Original Article Written 15/07/11

 

Exchange – Delete and Recreate the PowerShell Virtual Directory

KB ID 0000700 

Problem

One of the big drawbacks of Exchange management being built on PowerShell, and it talking to the PowerShell virtual director is, when IIS has a problem, you can’t manage your Exchange via the command shell, or the Exchange Management Console.

While trying to fix a problem last week I wanted to remove and recreate the PowerShell virtual directory, and I found the PowerShell command, but no working examples for the correct syntax.

Solution

1. Remember your Exchange Management Shell won’t work, so load the Windows Powershell Modules shell. (Note: You will find this one under Administrative tools, NOT the one on the taskbar).

2. To remove the PowerShell virtual directory from the default web site;

[box]
Remove-PowerShellVirtualDirectory “Powershell (Default Web Site)”
[/box]

3. Confirm by pressing A {enter}.

4. To recreate the PowerShell virtual directory;

[box]New-PowerShellVirtualDirectory -Name Powershell -RequireSSL:$False [/box]

5. You can restart the web services with the following command;

[box]
iisreset /noforce
[/box]

 

Related Articles, References, Credits, or External Links

Original article written 22/12/12