I am trying to get NDES configured on Windows 2008 Enterprise, but I have a problem. Everything appears to be installed correctly, and I can get an enrollment challenge password from the server, but it will not issue certificates.
Specifically, IIS logs the following when my devices (I have tried using two Juniper Netscreen firewalls, running ScreenOS 6.0.0r2.0 and 5.2.0r3d.0, and a Cisco 6504 running IOS 12.2(33)SXH2a) attempt to submit their certificate requests:
-----
2008-09-04 02:12:39 10.0.0.100 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=hsca04 80 - 10.0.0.1 Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 218
2008-09-04 02:12:39 10.0.0.100 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=PKIOperation&message=<base64 encoded certificate request> 80 - 10.0.0.1 - 404 15 0 15
-----
That's the Cisco attempt, though the Netscreens return basically the same:
-----
2008-09-03 04:25:39 10.0.0.100 GET /certsrv/mscep/ operation=GetCACert&message=any 80 - 10.0.0.2 - 200 0 0 328
2008-09-03 04:25:39 10.0.0.100 GET /certsrv/mscep/ operation=PKIOperation&message=<base64 encoded certificate request> 80 - 10.0.0.2 - 404 15 0 703
-----
For some reason, the actual certificate request (PKIOperation) is returning 404. If I manually type a bogus request into IE, like:
"http://<server name>/certsrv/mscep/mscep.dll?operation=PKIOperation&message=this%20is%20bogus"
It processes the request and returns a 644 byte file.
The GetCACert command does work, and the Cisco switch is definitely loading the issuing CA certificate.
Please help!
Thank you.
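An added example, not part of the original post: a Python script that tallies the SCEP operations in IIS W3C log lines like those quoted above and decodes the 404 sub-status, where IIS 7 request filtering reports 404.15 for a query string that is too long. The field names assume the IIS 7 default W3C layout, and the sample lines are constructed with a filler message value.

```python
from collections import Counter
from urllib.parse import parse_qs

# Assumed field order: the 14 fields visible in the log lines above, named
# after the IIS 7 default W3C layout (an assumption; check the #Fields header).
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken").split()

# IIS 7 request-filtering sub-status codes for HTTP 404.
SUBSTATUS_404 = {13: "content length too large", 14: "URL too long",
                 15: "query string too long"}

def parse_line(line):
    """Split one W3C log line into a dict, or return None for headers/garbage."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def scep_summary(lines):
    """Count SCEP requests per (operation, status, substatus) and list failures."""
    counts, failures = Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        if "/certsrv/mscep" not in rec["cs-uri-stem"].lower():
            continue
        query = rec["cs-uri-query"]
        op = parse_qs(query).get("operation", ["?"])[0]
        status, sub = int(rec["sc-status"]), int(rec["sc-substatus"])
        counts[(op, status, sub)] += 1
        if status >= 400:
            reason = SUBSTATUS_404.get(sub, "unknown") if status == 404 else "unknown"
            # The logged query length shows how large the SCEP message was.
            failures.append((rec["c-ip"], op, f"{status}.{sub}", reason, len(query)))
    return counts, failures

# Constructed sample modelled on the lines above; the message value is filler.
SAMPLE = [
    "#Fields: " + " ".join(FIELDS),
    "2008-09-04 02:12:39 10.0.0.100 GET /certsrv/mscep/mscep.dll/pkiclient.exe "
    "operation=GetCACert&message=hsca04 80 - 10.0.0.1 "
    "Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 218",
    "2008-09-04 02:12:39 10.0.0.100 GET /certsrv/mscep/mscep.dll/pkiclient.exe "
    "operation=PKIOperation&message=" + "A" * 3000 + " 80 - 10.0.0.1 - 404 15 0 15",
]

if __name__ == "__main__":
    for row in scep_summary(SAMPLE)[1]:
        print(*row)
```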