2008R2 ADCSCAWE: Fixing ‘Error “DEFAULT WEB SITE/CERTSRV” ... default document is not configured...’
Scenario
We have a Windows Server 2008R2 SP1 Enterprise Member server, with just the role: role service - Active Directory Certificate Services: Certification Authority
Image: AD CS with Certification Authority Role Service Only
We install - Active Directory Certificate Services: Certification Authority Web Enrollment - using the ‘Add Role Services’ wizard and default selections, to install the ‘Web Server (IIS)’ role and required services.
Image: Add Role Services
In ‘Internet Information Services (IIS) Manager’ we see the web application ‘CertSrv’ and virtual directories - ‘CertEnroll’ and ‘en-US’.
Image: IIS Manager showing CertSrv and Folders
But when we go to http://localhost/certsrv we encounter the error:
Server Error Application “DEFAULT WEB SITE/CERTSRV”
HTTP Error 403.14 - Forbidden
Most likely causes:
A default document is not configured...
Resolution
The fix came from a comment by Rexif in this Microsoft Technet Forum Question - thanks Rexif (or should I say Fixer...)
Essentially - for some reason - the install has put the code in the wrong directory!
1) Stop the Default Web Site
2) Copy all the contents from C:\Windows\system32\CertSrv\en-US and paste in C:\Windows\system32\CertSrv
3) Open the file ‘default.asp’ from C:\Windows\system32\CertSrv in Notepad and edit the line that includes -
#include FILE="..\certdat.inc"
- to be:
#include FILE="certdat.inc"
Image: Edited CertSrv default.asp file
4) Start the Default Web Site
Internet Explorer Settings for AD CS CA Web Enrollment
We can now connect to http://localhost/certsrv
Image: IE10 Web Browser not Supporting Generation of Certificate Requests
If you’re using Internet Explorer 10, you might get the error:
This Web browser does not support the generation of certificate requests.
If so then, from the Tools menu, click on ‘F12 developer tools’.
From the ‘Developer Tools’ panel at the bottom of IE10, click on Browser Mode and Internet Explorer 10 Compatibility View:
Image: IE10 Developer Tools with IE10 Compatibility View Selected
Now the AD CS CA Web Enrollment site works!
THE END ... not quite!
The above gets http://localhost/certsrv working (it uses the default.asp which we’ve edited). Unfortunately, to get the whole site to work, every ASP file has got to be edited similarly. Sort the contents of C:\Windows\System32\CertSrv by type, and make the change to the FILE path for certdat.inc in each file.
Image: ASP Files in CertSrv Folder
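The same edit can be scripted instead of being made by hand in each file. The following is an added example, not part of the original post and not Microsoft tooling: it reports which files in the CertSrv folder still carry the `..\certdat.inc` include, and only rewrites them when asked to. The function name, its parameters and the backup folder are assumptions made for this example; the file patterns are a parameter so that other files carrying the same include line can be added.

```powershell
# Added example: rewrite the certdat.inc include path in the CertSrv script files.
# Update-CertSrvInclude, its parameters and the backup folder are hypothetical names.
function Update-CertSrvInclude {
    param(
        [string]$Path = "$env:windir\System32\CertSrv",
        [string[]]$Include = @('*.asp'),
        # Backups go outside the folder that IIS serves
        [string]$BackupDir = "$env:SystemDrive\CertSrv-backup",
        [switch]$Apply   # without -Apply the function only reports
    )

    # Matches: #include FILE="..\certdat.inc" (case-insensitive, flexible spacing)
    $pattern = '(#include\s+FILE\s*=\s*")\.\.\\(certdat\.inc")'
    $options = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    # ISO-8859-1 maps every byte to one char, so untouched bytes round-trip exactly
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)

    # Non-recursive on purpose: the en-US originals are left as they were
    $files = Get-ChildItem -Path (Join-Path $Path '*') -Include $Include |
        Where-Object { -not $_.PSIsContainer }

    foreach ($file in $files) {
        $text = $latin1.GetString([System.IO.File]::ReadAllBytes($file.FullName))
        $hits = [regex]::Matches($text, $pattern, $options).Count
        $status = 'NoMatch'
        if ($hits -gt 0) {
            $status = 'WouldChange'
            if ($Apply) {
                # Keep the first untouched copy of each file before editing it
                New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
                $backup = Join-Path $BackupDir $file.Name
                if (-not (Test-Path $backup)) { Copy-Item $file.FullName $backup }
                $fixed = [regex]::Replace($text, $pattern, '$1$2', $options)
                [System.IO.File]::WriteAllBytes($file.FullName, $latin1.GetBytes($fixed))
                $status = 'Changed'
            }
        }
        New-Object PSObject -Property @{ File = $file.Name; Matches = $hits; Status = $status }
    }
}

# Dry run first; re-run with -Apply while the Default Web Site is stopped
Update-CertSrvInclude | Format-Table File, Matches, Status -AutoSize
# Update-CertSrvInclude -Apply | Format-Table File, Matches, Status -AutoSize
```

Run it from an elevated 64-bit PowerShell session, because a 32-bit session is redirected from System32 to SysWOW64 and would not see the CertSrv folder.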
you missed a few files
certnew.p7b
certnew.cer
certcrl.crl
also need to be edited, or you will have issues downloading the certificate.