F
FDDCH
Dear All,
I have installed a Certificate Authority on a Windows Server 2012 R2 Datacentre server, including Web Enrolment. I have added a new Certificate Template called "Test User", and removed the default User template (I do not want users to be able to use that one, only the "Test User" one). The "Test User" template works fine and the CA issues them without any problem.
I would like to customize the Web Enrolment webpages to give them "Test User" as the default certificate template to use (in page certrqus.asp), so I edited the C:\Windows\System32\certsrv\en-US\certrqtp.inc to be
<%' CODEPAGE=65001 'UTF-8%>
<%' certrqtp.inc - (CERT)srv web - (R)e(Q)uest, available (T)y(P)es
' Copyright (C) Microsoft Corporation, 1998 - 1999 %>
<%
' NOTE: certdat.inc must be included first!
Dim nAvailReqTypes
Dim rgAvailReqTypes(1,5)
Dim sUserAgent
Const FIELD_OID=0
Const FIELD_TEMPLATE=0
Const FIELD_FRIENDLYNAME=1
Const FIELD_CSPLIST=2
Const FIELD_CSPLIST2=3
Const FIELD_EXPORTABLE=4
' Strings for localization
Const L_WebBrowserCert_Text="Web Browser Certificate"
Const L_EmailProtectionCert_Text="E-Mail Protection Certificate"
Const L_UserTemplateCert_Text="Test User Certificate" 'Note: should match localized name of 'User' template and certrqma.asp's localized string L_TemplateCert_Text
If "StandAlone"=sServerType Then
'
' Request types for stand alone
'
rgAvailReqTypes(0,FIELD_OID)="1.3.6.1.5.5.7.3.2"
rgAvailReqTypes(0,FIELD_FRIENDLYNAME)=L_WebBrowserCert_Text
rgAvailReqTypes(0,FIELD_CSPLIST)=""
rgAvailReqTypes(1,FIELD_OID)="1.3.6.1.5.5.7.3.4"
rgAvailReqTypes(1,FIELD_FRIENDLYNAME)=L_EmailProtectionCert_Text
rgAvailReqTypes(1,FIELD_CSPLIST)=""
nAvailReqTypes=2
Else
'
' Request types for enterprise
'
rgAvailReqTypes(0,FIELD_TEMPLATE)="Test User"
rgAvailReqTypes(0,FIELD_FRIENDLYNAME)=L_UserTemplateCert_Text
rgAvailReqTypes(0,FIELD_CSPLIST)="Microsoft Enhanced Cryptographic Provider v1.0"
rgAvailReqTypes(0,FIELD_CSPLIST2)="Microsoft Enhanced Cryptographic Provider v1.0"
rgAvailReqTypes(0,FIELD_EXPORTABLE)="True"
nAvailReqTypes=1
End If
%>
I am afraid this did not work:
1) without the default User certificate template allowed, the Web Enrolment pages do not give me the option to click on "Test User" to automatically obtain the certificate (it goes straight to page certrqad.asp);
2) with the default User template allowed, the Web Enrolment pages give me the "Test User" option, but if I go through with it there is an error ("Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: Test User") as it seems the pages are still trying to use the User template instead of the "Test User" template.
It seems to me that some other configuration needs to be changed apart from C:\Windows\System32\certsrv\en-US\certrqtp.inc; does anyone know which?
Hoping to hear from you soon.
Yours,
FD
Continue reading...
I have installed a Certificate Authority on a Windows Server 2012 R2 Datacentre server, including Web Enrolment. I have added a new Certificate Template called "Test User", and removed the default User template (I do not want users to be able to use that one, only the "Test User" one). The "Test User" template works fine and the CA issues them without any problem.
I would like to customize the Web Enrolment webpages to give them "Test User" as the default certificate template to use (in page certrqus.asp), so I edited the C:\Windows\System32\certsrv\en-US\certrqtp.inc to be
<%' CODEPAGE=65001 'UTF-8%>
<%' certrqtp.inc - (CERT)srv web - (R)e(Q)uest, available (T)y(P)es
' Copyright (C) Microsoft Corporation, 1998 - 1999 %>
<%
' NOTE: certdat.inc must be included first!
Dim nAvailReqTypes
Dim rgAvailReqTypes(1,5)
Dim sUserAgent
Const FIELD_OID=0
Const FIELD_TEMPLATE=0
Const FIELD_FRIENDLYNAME=1
Const FIELD_CSPLIST=2
Const FIELD_CSPLIST2=3
Const FIELD_EXPORTABLE=4
' Strings for localization
Const L_WebBrowserCert_Text="Web Browser Certificate"
Const L_EmailProtectionCert_Text="E-Mail Protection Certificate"
Const L_UserTemplateCert_Text="Test User Certificate" 'Note: should match localized name of 'User' template and certrqma.asp's localized string L_TemplateCert_Text
If "StandAlone"=sServerType Then
'
' Request types for stand alone
'
rgAvailReqTypes(0,FIELD_OID)="1.3.6.1.5.5.7.3.2"
rgAvailReqTypes(0,FIELD_FRIENDLYNAME)=L_WebBrowserCert_Text
rgAvailReqTypes(0,FIELD_CSPLIST)=""
rgAvailReqTypes(1,FIELD_OID)="1.3.6.1.5.5.7.3.4"
rgAvailReqTypes(1,FIELD_FRIENDLYNAME)=L_EmailProtectionCert_Text
rgAvailReqTypes(1,FIELD_CSPLIST)=""
nAvailReqTypes=2
Else
'
' Request types for enterprise
'
rgAvailReqTypes(0,FIELD_TEMPLATE)="Test User"
rgAvailReqTypes(0,FIELD_FRIENDLYNAME)=L_UserTemplateCert_Text
rgAvailReqTypes(0,FIELD_CSPLIST)="Microsoft Enhanced Cryptographic Provider v1.0"
rgAvailReqTypes(0,FIELD_CSPLIST2)="Microsoft Enhanced Cryptographic Provider v1.0"
rgAvailReqTypes(0,FIELD_EXPORTABLE)="True"
nAvailReqTypes=1
End If
%>
I am afraid this did not work:
1) without the default User certificate template allowed, the Web Enrolment pages do not give me the option to click on "Test User" to automatically obtain the certificate (it goes straight to page certrqad.asp);
2) with the default User template allowed, the Web Enrolment pages give me the "Test User" option, but if I go through with it there is an error ("Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: Test User") as it seems the pages are still trying to use the User template instead of the "Test User" template.
It seems to me that some other configuration needs to be changed apart from C:\Windows\System32\certsrv\en-US\certrqtp.inc; does anyone know which?
Hoping to hear from you soon.
Yours,
FD
Continue reading...