Good call. The server shows only one web site - the default web site. It contains the virtual directory named CertEnroll that points to C:\Windows\system32\CertSrv\CertEnroll, and the application CertSrv that points to C:\Windows\system32\CertSrv\en-US.
In the ADCS the error is showing up for the URL for both the AIA and the CDP locations, which in both cases is http://cert.mycompany.com/certenroll/filename.ext, and there is a share called CertEnroll that points to that directory. Permissions on the share are Everyone:Read and Administrators:Full Control.

In the IIS log, the status when accessing a file in the directory is 404, with an sc-substatus of 0 and an sc-win32-status of 64, which seems to mean "The specified network name is no longer available." The status when accessing the directory itself is 403, with an sc-substatus of 14, which seems to mean "Directory listing denied", and an sc-win32-status of 0.

As an experiment, I tried adding Everyone:Read NTFS permissions to C:\Windows\system32\CertSrv\CertEnroll, then restarting w3svc and certsvc, and get the same error in the logs and web browser. I have removed that permission.

After restarting those two services, I find the following in the Application event log (and can't seem to find much on it using Google):

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 12/4/2011 9:16:51 AM
Event ID: 44
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: cert.mycompany.com
Description:
The "Windows default" Policy Module "Initialize" method returned an error. Cannot find object or property. The returned status code is 0x80092004 (-2146885628). The Active Directory Certificate Services Policy contains no valid Certificate Templates.

Kurt

On Sun, Dec 4, 2011 at 05:51, Ken Schaefer <k...@adopenstatic.com> wrote:
> Please check the HTTP substatus code in the IIS log file - that will tell you
> why you are getting a 403 or 404 (e.g. IIS will send a 404 for all blocked
> content - e.g. no MIME type defined).
>
> Alternatively, Failed Request Tracing will also give you the reason, though
> it's much more verbose, and maybe overkill for your situation.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Saturday, 3 December 2011 3:23 AM
> To: NT System Admin Issues
> Subject: Issue with IIS on Win2k8 R2
>
> All,
>
> Am standing up a CA on a Win2k8R2 Enterprise VM - it's an issuing CA that's a
> member of the domain. The installation seems to work, except that IIS isn't
> serving the virtual directory with the crl and crt files. I get a 404 error
> when browsing to the .crt or .crl file, and a
> 403 when browsing to the directory root.
>
> The 403 error makes it smell like a permissions issue, but I am a bit
> confused by the Win2k8R2 interface, and in any case don't know what
> permissions might be needed.
>
> Anyone here have a clue for me?
>
> Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
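
Added example, not part of the thread: one way to pull the sc-status / sc-substatus / sc-win32-status triples for the CertEnroll virtual directory out of an IIS W3C log, as suggested in the quoted reply. The log lines, the file names in them and the function names are constructed for illustration; the parser reads the column order from the #Fields header, so it also works on logs with more columns.

```python
# Added example: summarise IIS W3C log status triples for /certenroll/ requests.
from collections import Counter

# Well-known IIS substatus and Win32 codes relevant to static-file failures.
SUBSTATUS = {
    (403, 14): "Directory listing denied",
    (404, 0): "Not found",
    (404, 3): "MIME map policy (no MIME type for extension)",
    (404, 7): "File extension denied by request filtering",
}
WIN32 = {0: "success", 2: "file not found", 3: "path not found",
         5: "access denied", 64: "network name no longer available"}

# Constructed sample log (not from the thread); field order follows #Fields.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2011-12-04 17:10:01 GET /certenroll/ 403 14 0
2011-12-04 17:10:09 GET /certenroll/example-ca.crl 404 0 64
2011-12-04 17:10:15 GET /certenroll/example-ca.crt 404 0 64
2011-12-04 17:11:02 GET /certsrv/ 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def failures(text, prefix="/certenroll/"):
    """Count (status, substatus, win32) triples for failed requests under prefix."""
    counts = Counter()
    for row in parse_w3c(text):
        status = int(row["sc-status"])
        if status >= 400 and row["cs-uri-stem"].lower().startswith(prefix):
            counts[(status, int(row["sc-substatus"]), int(row["sc-win32-status"]))] += 1
    return counts

def describe(triple):
    """Render one triple as 'status.substatus meaning; win32 code (meaning)'."""
    status, sub, win32 = triple
    return "%d.%d %s; win32 %d (%s)" % (
        status, sub, SUBSTATUS.get((status, sub), "see IIS substatus list"),
        win32, WIN32.get(win32, "unknown"))

if __name__ == "__main__":
    for triple, n in failures(SAMPLE_LOG).most_common():
        print(n, describe(triple))
```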