Discussion:
smart card logon - dsstore problem
anonymous
2005-07-01 15:04:03 UTC
Hello!

We have a third party CA. We have imported the certificate for the
certificate authority into the NTAuth container in AD (Windows 2003), we have
deployed a GPO - "Public Key Policy - Trusted Root Certification Authority" on
that domain - to implement smart card logon as in the article

http://support.microsoft.com/default.aspx?scid=kb;en-us;281245.

We have created the certificates (.p12 files) for the domain controllers -
they have the exact structure as in the Q281245 above article.

The smart card logon works!!!!

Every domain controller has a p12 file imported in the Certificates - Local
Computer - Personal container.
But:

We have a problem with the dsstore utility... the command "dsstore -dcmon" on
all domain controllers with the option 2 (chain) gives me the error:
"Error line 241 No certs in Ent Root Store"... like the domain controllers
have no certificates!!!


I have tested the same p12 files on another domain controller (another AD
2003 domain) - and the same version of dsstore does not give me the above error.

Thank You,
Ovidiu
David Cross [MS]
2005-07-04 14:23:42 UTC
Do not use dsstore.exe with a 2003 domain. Please use certutil.exe from the
adminpak or PKI Health Tool from the resource kit:

Adminpak:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en

Resource kit:
http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.


Top Whitepapers:

Auto-enrollment whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Troubleshooting Certificate Status and Revocation whitepaper:
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx