Hi
Just migrated the CA onto Windows Server 2008 R2, which is a DC holding no FSMO roles in a 2003 domain/forest.
I get this in PKIVIEW. (can't post links or images)
AIA Location #2
Unable to download
http://caserver.domain.local/certenroll/caserver.domain.local_domain.crt
DeltaCRL Location #2
Unable to download
http://caserver.domain.local/certenroll/domain+.crl
CDP Location #2
Unable to download
http://caserver.domain.local/certenroll/domain.crl
If I copy and paste the HTTP URL from PKIVIEW, I get
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Module | AnonymousAuthenticationModule |
---|---|
Notification | AuthenticateRequest |
Handler | StaticFile |
Error Code | 0x8007000d |
Config Error | Failed to decrypt attribute 'password' because the keyset does not exist |
Config File | \\?\C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config |
Requested URL | http://caserver.domain.local:80/CertEnroll/Impello.crl |
Physical Path | C:\Windows\system32\CertSrv\CertEnroll\Impello.crl |
Logon Method | Not yet determined |
Logon User | Not yet determined |
<anonymousAuthentication enabled="true" userName="IUSR_CASERVER" password="[enc:AesProvider:AKIysICQmyYDzE7MMPeurKuIWeg6dv13xwaG7af+cq7DNEPpLsQvWXtvMY+uzvMc:enc]" />
(names have been changed to protect the innocent)
I'm guessing the inability to download the CRL/CRT files is related to permissions on the private keys/within the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder. Would re-mapping to the IUSR accounts help as per http://support.microsoft.com/kb/946139/en-gb?
Any thoughts?