2008R2 ADCSCAWE: Fixing ‘Error “DEFAULT WEB SITE/CERTSRV” ... default document is not configured...’

Scenario

We have a Windows Server 2008R2 SP1 Enterprise Member server, with just the role: role service -

Active Directory Certificate Services: Certification Authority

Image: AD CS with Certification Authority Role Service Only
We install -

Active Directory Certificate Services: Certification Authority Web Enrollment

- using the ‘Add Role Services’ wizard and default selections, to install the ‘Web Server (IIS)’ role and required services.

Image: Add Role Services
In ‘Internet Information Services (IIS) Manager’ we see the web application ‘CertSrv’ and virtual directories - ‘CertEnroll’ and ‘en-US’.

Image: IIS Manager showing CertSrv and Folders
But when we go to http://localhost/certsrv we encounter the error:

Server Error Application “DEFAULT WEB SITE/CERTSRV”
HTTP Error 403.14 - Forbidden
Most likely causes: A default document is not configured...

Resolution

The fix came from a comment by Rexif in this Microsoft Technet Forum Question - thanks Rexif (or should I say Fixer...) Essentially - for some reason - the install has put the code in the wrong directory!

1) Stop the Default Web Site
2) Copy all the contents from C:\Windows\system32\CertSrv\en-US and paste in C:\Windows\system32\CertSrv
3) Open the file ‘default.asp’ from C:\Windows\system32\CertSrv in Notepad and edit the line that includes -

#include FILE="..\certdat.inc"

- to be:

#include FILE="certdat.inc"

Image: Edited CertSrv default.asp file
4) Start the Default Web Site

Internet Explorer Settings for AD CS CA Web Enrollment

We can now connect to http://localhost/certsrv

Image: IE10 Web Browser not Supporting Generation of Certificate Requests
If you’re using Internet Explorer 10, you might get the error:

This Web browser does not support the generation of certificate requests.

If so then, from the Tools menu, click on ‘F12 developer tools’.
From the ‘Developer Tools’ panel at the bottom of IE10, click on Browser Mode and Internet Explorer 10 Compatibility View:

Image: IE10 Developer Tools with IE10 Compatibility View Selected
Now the AD CS CA Web Enrollment site works!

THE END ... not quite!

The above gets http://localhost/certsrv working (it uses the default.asp which we’ve edited), unfortunately, to get the whole site to work, every ASP file has got to be edited similarly. Sort the contents of C:\Windows\System32\CertSrv by type, and make the change to the FILE path for certdat.inc in each file.

Image: ASP Files in CertSrv Folder

Comments

  1. you missed a few files
    certnew.p7b
    certnew.cer
    certcrl.crl

    also need to be edited, or you will have issues downloading the certificate.

    ReplyDelete
  2. Different codebases must be maintained.In instance of web application, clients consistently get the most recent rendition. 토토사이트

    ReplyDelete
  3. We cater to all levels of site development from small business sites to large e-commerce websites. web development agency in usa

    ReplyDelete
  4. I have been exploring for a little for any high quality articles or blog posts in this kind of area . Exploring in Yahoo I ultimately stumbled upon this web site. Reading this information So i¡¦m glad to show that I have an incredibly good uncanny feeling I came upon exactly what I needed. I such a lot indubitably will make certain to don¡¦t forget this web site and give it a look a relentless basis. website design san francisco

    ReplyDelete
  5. Hey man, .This was an excellent page for such a hard subject to talk about. I look forward to reading many more great posts like these. Thanks web design company san francisco

    ReplyDelete
  6. baby books should have as many pictures as possible because babies like to see pictures., website design la

    ReplyDelete

Post a comment