Hello,
I'm using the Step-by-Step guide to configure servers in VMs. When I'm in "Pull down and configure the webapp1 certificate", more precisely in Step 7, the webapp1 certificate does not appear, so I cannot export it.
Thanks for any replies.
Best Regards. I hope I have helped, Regards. | | Israel Aece |
Hi Israel, In the Step-by-Step guide, there is a step to grant Domain Users permission to enroll for "Geneva Users". Have you performed the highlighted step on the sts1 machine for the certificate template Geneva Users? If you have done that before, try removing Domain Users from the Enroll permission list of Geneva Users and then adding it back again. You can also check whether the webapp1 user is a member of Domain Users. By default, it should be. Then log in to the web1 machine as webapp1 and wait for the cert to appear. Run "gpupdate /force" or restart the machine if you don't see it after 2-3 mins, or try manually requesting the certificate.
Configure certificate templates
Configure the domain user certificates in AD CS on the sts1 and sts2 VM computers using the following procedure.
To configure certificate templates
1. Log on to sts1 and sts2.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, and then click Add. The Add or Remove Snap-ins dialog box opens.
4. In Available snap-ins, double-click Certification Authority. Select the certification authority (CA) that you want to manage, and then click Finish. The Certification Authority dialog box closes, returning you to the Add or Remove Snap-ins dialog box.
5. In Available snap-ins, double-click Certificate Templates, and then click OK.
6. In the console tree, click Certificate Templates. All of the certificate templates are displayed in the details pane.
7........ 10. In the details pane, right-click the User template, and then click Duplicate Template.
11. In the Duplicate Template dialog box, select Windows Server 2003, Enterprise Edition, and then click OK.
12. On the General tab, in Template display name, type Geneva Users.
13. On the Subject Name tab, clear the Include e-mail name in subject name and E-mail name check boxes.
14. On the Request Handling tab, make sure that the Allow private key to be exported check box is selected.
15. Click the Security tab. In Group or user names, click Domain Users.
16. In Permissions for Domain Users, under Allow, select the Enroll and Autoenroll permission check boxes, and then click Add.
17......
- Marked As Answer by Marc Goodner MSFT, Owner, Monday, April 13, 2009 4:22 PM
| | luzhao |
Hi Israel, There is a delay in certificate auto-enrollment. It may take 2-3 mins for the certificate to appear. Keep refreshing the certificate snap-in.
Lu
- Proposed As Answer by luzhao MSFT, Monday, November 10, 2008 8:28 PM
| | luzhao |
Hello Lu,
Thanks for your response.
There is no way to view the "webapp1" certificate in the "Certificates - Current User" snap-in. I waited 5-10 minutes and nothing. web1, sts1 and sts2 are all online; I'm logging in to web1 with the webapp1 user in the contoso domain.
Do you have any idea about this behavior?
I hope I have helped, Regards.
- Unproposed As Answer by Tak Wai Wong, Moderator, Wednesday, November 12, 2008 8:55 PM
- Proposed As Answer by Tak Wai Wong, Moderator, Wednesday, November 12, 2008 8:55 PM
| | Israel Aece |
Try running gpupdate /force and wait a few minutes; if it still doesn't work, reboot the machine. Let me know which one works for you.
Lu | | luzhao |
Hi Israel, Here are 2 other ways to get the cert: 1) Reboot the VM. Then check the cert console again to see if the cert is present.
Or a manual cert request: 1) log in as contoso\webapp1; 2) mmc --> add the Certificates snap-in for My user account; 3) right-click Personal\Certificates --> All Tasks --> Request New Certificate...; 4) go through the wizard to request a User certificate. | | Tak Wai Wong |
Hello Lu,
Thanks for your response again.
I tried gpupdate and, later, reboot web1 VM but both didn't work.
The VMs are "pinging" each other, and another gap: there isn't a "Certificates" folder inside the Personal folder and, when I add the "Certificates" snap-in, it is not necessary to select "My user account", because it already gets the user context (webapp1). This screen only appears when I run as Administrator.
Thanks again.
Best Regards.
I hope I have helped, Regards. | | Israel Aece |
Hello Tak, Thanks for your response.
The first approach didn't work.
I tried the "manual certificate request" but, when I click "Request New Certificate", the wizard opens and, in the second step, it shows me: "You cannot request a certificate at this time because no certificate types are available."
If I check the "Show all templates" checkbox, it lists all types, but all are disabled.
The VMs are "pinging" each other, and another gap: there isn't a "Certificates" folder inside the Personal folder and, when I add the "Certificates" snap-in, it is not necessary to select "My user account", because it already gets the user context (webapp1). This screen only appears when I run as Administrator.
Best Regards.
I hope I have helped, Regards. | | Israel Aece |
Hello, Some other hints:
- All VMs are Windows 2008 Enterprise Edition.
- webapp1 user is member of the Domain Users group.
- CA names:
- Contoso: contoso-STS1-CA
- Fabrikam: fabrikam-STS2-CA
I hope I have helped, Regards. | | Israel Aece |
I already went through that step; you have to wait, the certificate for webapp1 will eventually appear.
kan | | Kanwar Singh |
Hello Kanwar,
Thanks for your response.
How long do I need to wait?
I've waited around 10 minutes and nothing happened. I hope I have helped, Regards. | | Israel Aece |
It is weird that the Geneva Users certificate template is not available on your machine. Could you verify you have done the following:
- on web1 machine, Logged in as webapp1 user
- on sts1 machine, granted Domain User access permission for Geneva Users certificate template
- on sts1 machine, enabled Geneva Users certificate template in CA
Lu
| | luzhao |
I hope you already passed through this step successfully?
It took me a lot of time to get through that step; believe me, it was frustrating.
What I did was: I deleted the webapp1 user, created it again and then rebooted the machines.
I still remember when the "Certificates" folder started appearing: I opened the certificate snap-in and saved it. When I opened the MMC again, the certificate for webapp1 was there.
Let me know where you are; I am stuck at scenario 1. We need to help each other.
thanks kan | | Kanwar Singh |
Hey guys, Based on this feedback and feedback we received from other customers, I have added the following Note right after Step 7 in this same procedure that we hope will help with this issue should someone run across it in the future:
Note: If you do not see the webapp1 certificate in the snap-in this could be due to the delay in the certificate auto-enrollment process. If this happens, wait 2 to 3 minutes and then refresh the snap-in view. If it still does not appear after waiting, try the following:
a. In the console, select the Certificates folder
b. Right-click and select Request new certificate and then click Next
c. On the Request Certificate wizard page, select Geneva Users, and then click Enroll.
Let me know if you have any additional feedback. :) Thanks, Nick | | Nick Pierson [MSFT] |
Hello Nick,
There isn't a "Certificates" folder inside the Personal folder.
I tried the "manual certificate request" but, when I click "Request New Certificate", the wizard opens and, in the second step, it shows me: "You cannot request a certificate at this time because no certificate types are available."
If I check the "Show all templates" checkbox, it lists all types (including "Geneva Users"), but all are disabled.
Thanks
I hope I have helped, Regards. | | Israel Aece |
Old question but nevertheless here is a solution to the same issue I had:
Make sure your WEB1 server is running with the same time and time zone as your STS1 and STS2 servers.
In my case WEB1 was in a different time zone and several hours off compared to the other servers.
I was unable to enroll from WEB1. After reconfiguring the timezone the issue disappeared.
Danny Alvares, Technical Solutions Architect IAM | | Danny Alvares |
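A combined check for the points raised in this thread, as an added example that is not from the thread, the Step-by-Step guide or Microsoft: Lu's three-item checklist (the user is in Domain Users, Domain Users holds Enroll and AutoEnroll on the template, the template is published on the CA), the user autoenrollment policy that "gpupdate /force" refreshes, Danny's clock and time zone point, and the manual request from Nick's Note as a fallback. Enrollment against an enterprise CA authenticates with Kerberos, which by default rejects a clock skew of more than five minutes, so a VM that is hours off from sts1 can end up with "no certificate types are available" even though the template and its permissions are correct. Assumed and not stated in the thread: the template's common name is GenevaUsers (the display name without the space, which is what AD CS generates from "Geneva Users"), the CA config string is sts1.contoso.com\contoso-STS1-CA, sts1 is the time reference, and web1 has PowerShell 2.0 or later; the Report and Test-Right helpers are this script's own. Run it on web1 in a PowerShell session of contoso\webapp1:

```powershell
# Added troubleshooting script for the enrollment problem in this thread; not from the
# thread or the Step-by-Step guide. Run on web1 as contoso\webapp1 (PowerShell 2.0+).
# Assumed, not stated in the thread: template CN "GenevaUsers", CA config string
# "sts1.contoso.com\contoso-STS1-CA", sts1 as the time reference.
$TemplateName   = 'GenevaUsers'
$CaName         = 'contoso-STS1-CA'
$CaConfig       = "sts1.contoso.com\$CaName"
$TimeSource     = 'sts1.contoso.com'
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment control access right
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment control access right

function Report([string]$Name, [bool]$Ok) {
    '{0,-4} {1}' -f $(if ($Ok) { 'OK' } else { 'FAIL' }), $Name
}

# 1. Group membership (Lu: "check whether webapp1 user is a member of Domain Users").
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainUsersSid = New-Object System.Security.Principal.SecurityIdentifier "$($me.User.AccountDomainSid)-513"  # RID 513 = Domain Users
Report "$($me.Name) is a member of Domain Users" ($me.Groups -contains $domainUsersSid)

# 2. Template published on the CA (Lu: "enabled Geneva Users certificate template in CA").
Report "template $TemplateName is published on $CaName" ([bool]((certutil -CATemplates -config $CaConfig) -match $TemplateName))

# 3. Template ACL (Lu: "granted Domain Users access permission"). Read over ADSI from the
#    Configuration partition; any domain user can read it and no RSAT is required.
$cfgNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$tpl   = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
try {
    $rules = $tpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
} catch {
    $rules = @()
    Report "template object CN=$TemplateName exists in AD" $false
}
$duAllow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq $domainUsersSid })
function Test-Right($Rules, [guid]$Right) {
    $ga = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $er = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    # Either full control, or the specific extended right (an empty ObjectType means "all extended rights").
    [bool]($Rules | Where-Object {
        (($_.ActiveDirectoryRights -band $ga) -eq $ga) -or
        ((($_.ActiveDirectoryRights -band $er) -eq $er) -and ($_.ObjectType -eq $Right -or $_.ObjectType -eq [guid]::Empty))
    })
}
Report 'Domain Users has Allow Enroll on the template'     (Test-Right $duAllow $EnrollGuid)
Report 'Domain Users has Allow AutoEnroll on the template' (Test-Right $duAllow $AutoEnrollGuid)

# 4. User autoenrollment policy as delivered by Group Policy (what "gpupdate /force" refreshes).
#    AEPolicy bit 0x1 enables enrollment; bit 0x8000 turns autoenrollment off entirely.
$ae = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
Report ('user autoenrollment policy applied (AEPolicy = {0})' -f $(if ($ae) { $ae.AEPolicy } else { 'not configured' })) `
       ($ae -ne $null -and ($ae.AEPolicy -band 0x8000) -eq 0 -and ($ae.AEPolicy -band 1) -ne 0)

# 5. Clock offset against the CA host (Danny's fix). Kerberos rejects a skew over 5 minutes by default.
$chart  = w32tm /stripchart /computer:$TimeSource /samples:1 /dataonly
$offset = $null
foreach ($line in $chart) { if ($line -match ',\s*([+-][0-9.]+)s') { $offset = [double]$matches[1] } }
Report ('clock within 5 min of {0} (offset {1} s, zone {2})' -f $TimeSource, $offset, [TimeZoneInfo]::Local.Id) `
       ($offset -ne $null -and [math]::Abs($offset) -lt 300)

# 6. Trigger autoenrollment now instead of waiting for the next cycle, then look for a
#    certificate from the CA in the user's Personal store.
function Get-CaIssuedCert { Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -like "*CN=$CaName*" } }
certutil -pulse | Out-Null
Start-Sleep -Seconds 15
$cert = Get-CaIssuedCert
if (-not $cert) {
    # Same action as the Note Nick added to the guide (Request New Certificate -> Geneva Users),
    # from the command line; -user is the default context, -q suppresses the dialogs.
    certreq -enroll -user -q $TemplateName | Out-Null
    $cert = Get-CaIssuedCert
}
Report "certificate issued by $CaName in Cert:\CurrentUser\My" ([bool]$cert)
$cert | Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint | Format-List

# 7. Autoenrollment's own log entries say why a template was skipped or a request failed.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } -MaxEvents 5 -ErrorAction Stop |
        Select-Object TimeCreated, Id, Message | Format-List
} catch { 'no autoenrollment events in the Application log yet' }
```

HasPrivateKey is listed because the guide's next step exports the certificate with its key, which only works when the "Allow private key to be exported" setting from step 14 of the template procedure was in place before the certificate was issued. A FAIL on checks 2 or 3 means the wizard will show no available templates regardless of how long you wait; a FAIL on check 5 with a large offset is Danny's case and is fixed on web1, not on the CA.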