bill
Mon Nov 08 06:39:03 CST 2004
"Bernard" wrote:
> Now, that's something new !!
> you can configure 'Bypass traverse checking' for IIS_WPG group. this is
> default !
> read -
> Default permissions and user rights for IIS 6.0
Thanks. That's helpful.
Bill
>
> http://support.microsoft.com/?id=812614
>
>
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
>
>
> "Bill Bean" <Bill Bean@discussions.microsoft.com> wrote in message
> news:2BEF50B2-A019-4AC3-A494-E60C9EA3BACB@microsoft.com...
> >
> >
> > "Bernard" wrote:
> >
> > > I haven't actually looking at Machinekeys folder when generating CSR.
> > > that is just a plain text file with encrypted detail of your server detail.
> > >
> > > have you actually repeat the export and import steps.
> > > from the log it looks like many detail is missing, I would remove
> > > the cert and redo again.
> >
> > No, we really do know how to create, import and apply certificates. It
> > turns out that the problem was that some account needs 'Bypass traverse
> > checking' rights for this to work. (I haven't figured out exactly which one
> > yet, at the moment I have it down to one of the following: SYSTEM, SERVICE,
> > LOCAL SERVICE, NETWORK SERVICE, IUSR..., IWAM...)
> >
> > It seems that changes between Windows 2000 Server and Windows 2003 Server
> > have greatly increased the number of accounts that must be allowed to bypass
> > traverse checking.
> >
> > Bill Bean
> >
> > >
> > > --
> > > Regards,
> > > Bernard Cheah
> > > http://www.tryiis.com/
> > > http://support.microsoft.com/
> > > http://www.msmvps.com/bernard/
> > >
> > >
> > > "Bill Bean" <Bill Bean@discussions.microsoft.com> wrote in message
> > > news:D0CB2E2F-3979-4702-9E75-EDC9EFB73A79@microsoft.com...
> > > >
> > > >
> > > > "Bernard" wrote:
> > > >
> > > > > This is very clear that :
> > > > > #WARNING: You DON'T have a private key that corresponds to this certificate
> > > > >
> > > > > when you export it, do you export the private key as well ?
> > > > >
> > > > > remove this cert, re-export with private key and import again.
> > > >
> > > > We did export with the private key. (We have done this before too :) The
> > > > diagnostic tool says that we DON'T have a private key but when we view the
> > > > certificate from the IIS Snap-in it says that "You have a private key that
> > > > corresponds to this certificate." Same if we view the certificate using the
> > > > Certificates Snap-in.
> > > >
> > > > Another symptom is that when we create the request on the 2003 server, the
> > > > certreq.txt file has a long string of A's in the middle. When we create the
> > > > request on another machine, it only has a short string of A's (maybe five or
> > > > six).
> > > >
> > > > When we create the request a file is created in C:\Documents and
> > > > Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. I
> > > > thought that this was the private key?
> > > >
> > > > My guess - and it is just a guess - is that somehow the private key is being
> > > > created but that it is corrupt.
> > > >
> > > > Bill Bean
> > > >
> > > > >
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Bernard Cheah
> > > > >
http://www.tryiis.com/
> > > > >
http://support.microsoft.com/
> > > > >
http://www.msmvps.com/bernard/
> > > > >
> > > > >
> > > > >
> > > > > "Bill Bean" <Bill Bean@discussions.microsoft.com> wrote in message
> > > > > news:08A07406-D8F0-4BDF-8D72-72A47948E147@microsoft.com...
> > > > > >
> > > > > >
> > > > > > "Jacqueline Jaynes [MSFT]" wrote:
> > > > > >
> > > > > > > The results from the SSLDiag basically say that the certificate is invalid.
> > > > > > > Run thru the following article:
> > > > > > >
> > > > > > > http://support.microsoft.com/default.aspx?scid=KB;EN-US;228984
> > > > > > >
> > > > > > > It explains how to generate a certificate using Certificate Authority.
> > > > > >
> > > > > > We know how to generate certificate requests and issue the certificates. We
> > > > > > have done this many times. The problem is specific to the one Windows 2003
> > > > > > server (we have other Windows 2003 servers that work perfectly). We have
> > > > > > configured this server as a very secure bastion host. A similar
> > > > > > configuration on Windows 2000 worked without problems. But we are unable to
> > > > > > install a certificate successfully on the secure 2003 machine.
> > > > > >
> > > > > > We assume that this is a problem with ACLs or some other security setting.
> > > > > > We have tried to give the Everyone account administrator privileges prior to
> > > > > > requesting/installing the certificate, to no avail.
> > > > > >
> > > > > > We have also run filemon to examine file access requests while we are
> > > > > > requesting/installing the certificate. We do not see any failed requests.
> > > > > >
> > > > > > We have also set auditing on all files to report failures, and don't find
> > > > > > any problems in the event logs.
> > > > > >
> > > > > > Any suggestions would be greatly appreciated.
> > > > > >
> > > > > > Bill Bean
> > > > > >
> > > > > >
> > > > > > >
> > > > > > > Hope this helps
> > > > > > >
> > > > > > > Thank you,
> > > > > > >
> > > > > > > Jackie Jaynes [MSFT]
> > > > > > > Microsoft IIS
> > > > > > > JackieJa@online.microsoft.com
> > > > > > >
> > > > > > > Please do not send email directly to this alias. This
> > > > > > > is our online account name for newsgroup participation only.
> > > > > > >
> > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > > You assume all risk for your use. © 2001 Microsoft Corporation. All rights
> > > > > > > reserved.
> > > > > > >
> > > > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
>
>
>
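
Added example, not part of the thread or of any Microsoft tool: the thread traces the failure to an account lacking 'Bypass traverse checking' (SeChangeNotifyPrivilege), so this sketch parses a user-rights export and lists which of the accounts Bill named do not hold that right. The function names, the sample export and the machine name WEB01 are assumptions made for illustration.

```python
# Input: text of an export made with  secedit /export /cfg rights.inf /areas USER_RIGHTS
# Real exports are usually UTF-16; open them with encoding="utf-16".
WELL_KNOWN_SIDS = {  # built-in principals appear in the export as *SID
    "S-1-1-0": "Everyone",
    "S-1-5-6": "SERVICE",
    "S-1-5-18": "SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "Administrators",
}
# Accounts named in the thread; a trailing "_" means match by prefix (IUSR_<machine>).
SUSPECTS = ["SYSTEM", "SERVICE", "LOCAL SERVICE", "NETWORK SERVICE",
            "IUSR_", "IWAM_", "IIS_WPG"]
# Constructed sample export; WEB01 is a made-up machine name.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,IUSR_WEB01
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-18,*S-1-5-20,IIS_WPG
[Version]
signature="$CHICAGO$"
"""

def holders(inf_text, right="SeChangeNotifyPrivilege"):
    """Return the principals granted `right` in the [Privilege Rights] section."""
    in_section = False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == right.lower():
                entries = [e.strip() for e in value.split(",") if e.strip()]
                return [WELL_KNOWN_SIDS.get(e[1:], e[1:]) if e.startswith("*") else e
                        for e in entries]
    return []  # right not listed: no principal holds it

def missing_suspects(inf_text):
    """Accounts named in the thread that do NOT hold Bypass traverse checking."""
    held = [h.upper() for h in holders(inf_text)]
    def has(s):
        return any(h.startswith(s) for h in held) if s.endswith("_") else s in held
    return [s for s in SUSPECTS if not has(s)]

if __name__ == "__main__":
    print("holders:", holders(SAMPLE_INF))
    print("missing:", missing_suspects(SAMPLE_INF))
```

Comparing the output from the hardened server with that of a working Windows 2003 server shows which grants the lockdown removed.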