CRL & AIA with LDAP-only URLs, possible?
Hi there,
Under Windows Server 2003, I've created a CAPolicy.inf file with the
following lines:
[Version]
Signature="$Windows NT$"
[CRLDistributionPoint]
URL=ldap:///CN=TestCA,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Test,DC=MyDomain,DC=Com?certificateRevocationList?base?objectclass=cRLDistributionPoint
[AuthorityInformationAccess]
URL=ldap:///CN=TestCA,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Test,DC=MyDomain,DC=Com?caCertificate?base?objectclass=certificationAuthority
Then I installed the CA service and the certificate has been generated with
the correct URLs mentioned above. Now my only problem is that when a
client tries to log on I always receive the same "credentials could not be
verified" message.
I tried the "certutil -verify" command from the client PC to make sure that
both URLs are correct and in both cases the command completes successfully.
Now I have some doubts about those extension points: is it possible to have
a single point of distribution (LDAP based) for it? Is it a must to have at
least an http:// URL for the CRL/AIA file?
Thank you very much in advance for your help,
Didier