2008R2 ADCSCAWE: Fixing ‘Error “DEFAULT WEB SITE/CERTSRV” ... default document is not configured...’

Scenario

We have a Windows Server 2008R2 SP1 Enterprise member server with just one role and role service installed -

Active Directory Certificate Services: Certification Authority

Image: AD CS with Certification Authority Role Service Only
We install -

Active Directory Certificate Services: Certification Authority Web Enrollment

- using the ‘Add Role Services’ wizard and default selections, to install the ‘Web Server (IIS)’ role and required services.

Image: Add Role Services
In ‘Internet Information Services (IIS) Manager’ we see the web application ‘CertSrv’ and virtual directories - ‘CertEnroll’ and ‘en-US’.

Image: IIS Manager showing CertSrv and Folders
But when we go to http://localhost/certsrv we encounter the error:

Server Error Application “DEFAULT WEB SITE/CERTSRV”
HTTP Error 403.14 - Forbidden
Most likely causes: A default document is not configured...

Resolution

The fix came from a comment by Rexif in this Microsoft TechNet Forum question - thanks Rexif (or should I say Fixer...). Essentially, for some reason, the install has put the code in the wrong directory!

1) Stop the Default Web Site
2) Copy all the contents from C:\Windows\system32\CertSrv\en-US and paste in C:\Windows\system32\CertSrv
3) Open the file ‘default.asp’ from C:\Windows\system32\CertSrv in Notepad and edit the line that includes -

#include FILE="..\certdat.inc"

- to be:

#include FILE="certdat.inc"

Image: Edited CertSrv default.asp file
4) Start the Default Web Site

Internet Explorer Settings for AD CS CA Web Enrollment

We can now connect to http://localhost/certsrv

Image: IE10 Web Browser not Supporting Generation of Certificate Requests
If you’re using Internet Explorer 10, you might get the error:

This Web browser does not support the generation of certificate requests.

If so, from the Tools menu, click on ‘F12 developer tools’.
From the ‘Developer Tools’ panel at the bottom of IE10, click on ‘Browser Mode’ and select ‘Internet Explorer 10 Compatibility View’:

Image: IE10 Developer Tools with IE10 Compatibility View Selected
Now the AD CS CA Web Enrollment site works!

THE END ... not quite!

The above gets http://localhost/certsrv working (it uses the default.asp which we’ve edited). Unfortunately, to get the whole site to work, every ASP file has to be edited in the same way. Sort the contents of C:\Windows\System32\CertSrv by type, and make the change to the FILE path for certdat.inc in each file.

Image: ASP Files in CertSrv Folder
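
The per-file edit above can be scripted. This PowerShell is an added example, not part of the original post: it assumes the default CertSrv path used on this page, an elevated session and a stopped Default Web Site, and the parameter names (CertSrvDir, Include, Apply) are hypothetical. It only previews unless run with -Apply, and it copies each file to a backup folder before changing it.

```powershell
# Added example: bulk version of the manual certdat.inc include edit from this post.
# Assumptions: default CertSrv path, elevated prompt, Default Web Site stopped.
param(
    [string]$CertSrvDir = 'C:\Windows\System32\CertSrv',
    # *.asp per the post; the three extra names come from the reader comment on it.
    [string[]]$Include  = @('*.asp', 'certnew.p7b', 'certnew.cer', 'certcrl.crl'),
    [switch]$Apply      # without -Apply the script only lists what it would change
)

$old     = '#include FILE="..\certdat.inc"'   # line as installed (from the post)
$new     = '#include FILE="certdat.inc"'      # corrected line (from the post)
$pattern = [regex]::Escape($old)              # treat the old line as a literal
$opts    = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
$enc     = [System.Text.Encoding]::Default    # assumption: files use the ANSI code page
$backup  = Join-Path $CertSrvDir ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Top-level files only; the en-US originals are left untouched.
$files = Get-ChildItem -Path (Join-Path $CertSrvDir '*') -Include $Include |
         Where-Object { -not $_.PSIsContainer }

foreach ($f in $files) {
    $text = [System.IO.File]::ReadAllText($f.FullName, $enc)

    # Skip files that do not contain the old include path (or are already fixed).
    if (-not [regex]::IsMatch($text, $pattern, $opts)) { continue }

    if (-not $Apply) {
        "Would edit: $($f.Name)"
        continue
    }

    # Keep an untouched copy so the change can be reverted.
    if (-not (Test-Path $backup)) {
        New-Item -ItemType Directory -Path $backup | Out-Null
    }
    Copy-Item -Path $f.FullName -Destination $backup

    $fixed = [regex]::Replace($text, $pattern, $new, $opts)
    [System.IO.File]::WriteAllText($f.FullName, $fixed, $enc)
    "Edited: $($f.Name) (original saved in $backup)"
}
```

Files whose include line is spelled differently from the one quoted in this post are skipped and still need a manual check.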

Comments

  1. you missed a few files
    certnew.p7b
    certnew.cer
    certcrl.crl

    also need to be edited, or you will have issues downloading the certificate.
