I've recently set up a new Windows 2012 R2 Enterprise SHA2 issuing CA to replace an old Windows 2008 R2 SHA1 issuing CA. This also has Web Enrollment installed and is accessed by the public, so all DNS records are in place to contact this over the web, along with trusted certificates. All appears to have gone well other than when testing the final stage of requesting a certificate. Upon submitting the request form the following error is displayed:
Request Mode: newreq - New Request
Disposition: (never set)
Disposition message: (none)
Result: No mapping between account names and security IDs was done. 0x80070534 (WIN32: 1332 ERROR_NONE_MAPPED)
COM Error Info: CCertRequest::Submit: No mapping between account names and security IDs was done. 0x80070534 (WIN32: 1332 ERROR_NONE_MAPPED)
LastStatus: No mapping between account names and security IDs was done. 0x80070534 (WIN32: 1332 ERROR_NONE_MAPPED)
Suggested Cause: No suggestions.
The last section is my favorite and most helpful....!
Investigating this error so far has indicated that this is due to having anonymous authentication enabled on the certsrv site within IIS, but this is a public facing CA and I don't want clients to be challenged/prompted for credentials as they won't have any to use in the first place. Also, the previous SHA1 CA had only anonymous authentication enabled and had no challenge appear, so I can't see why this one's any different.
Any ideas?
this is a public facing CA and don't want clients to be challenged/prompted for credentials as they won't have any
I believe a Standalone CA would be more appropriate.
An Enterprise Certificate Authority enforces credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested.
It may be possible to put the square peg in the round hole by granting permission to Everyone, and setting the Windows security option "Network access: Let Everyone permissions apply to anonymous users", but that would be unorthodox.
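To check which of the settings this answer discusses are in play on a given server, here is an added PowerShell audit snippet (not from the answer or from Microsoft). It assumes it runs as an administrator on the CA host, that Web Enrollment sits under "Default Web Site/CertSrv", and that the CA type values follow the CertSvc registry convention (0/1 = Enterprise root/subordinate, 3/4 = Standalone root/subordinate).

```powershell
# Added audit script: reports CA type, certsrv authentication modes and the
# "Let Everyone permissions apply to anonymous users" LSA setting, then flags
# the combination the thread identifies (Enterprise CA + anonymous-only web
# enrollment) as the one that produces ERROR_NONE_MAPPED. Hypothetical names:
# Get-CaEnrollmentAuthReport, the site path and the CAType value mapping.
Import-Module WebAdministration

function Get-CaEnrollmentAuthReport {
    # Active CA name and its type live under the CertSvc configuration key
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $caType = (Get-ItemProperty -Path "$cfg\$caName" -Name CAType).CAType
    $isEnterprise = $caType -in 0, 1   # 0 = Enterprise Root, 1 = Enterprise Subordinate

    # IIS authentication modules enabled on the CertSrv application
    $site = 'IIS:\Sites\Default Web Site\CertSrv'
    $auth = '/system.webServer/security/authentication'
    $anon = (Get-WebConfigurationProperty -PSPath $site -Filter "$auth/anonymousAuthentication" -Name enabled).Value
    $win  = (Get-WebConfigurationProperty -PSPath $site -Filter "$auth/windowsAuthentication"   -Name enabled).Value

    # Security option "Network access: Let Everyone permissions apply to anonymous users"
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $everyoneAnon = (Get-ItemProperty -Path $lsa -Name EveryoneIncludesAnonymous -ErrorAction SilentlyContinue).EveryoneIncludesAnonymous

    [pscustomobject]@{
        CAName                    = $caName
        CAType                    = $caType
        IsEnterpriseCA            = $isEnterprise
        CertSrvAnonymousAuth      = [bool]$anon
        CertSrvWindowsAuth        = [bool]$win
        EveryoneIncludesAnonymous = [bool]$everyoneAnon
        # True when an Enterprise CA serves web enrollment to anonymous callers only:
        # the template ACL check has no account to map, hence "No mapping between account names and security IDs"
        ExpectNoneMapped          = ($isEnterprise -and [bool]$anon -and -not [bool]$win)
    }
}

Get-CaEnrollmentAuthReport | Format-List
```

If ExpectNoneMapped is True, the report shows whether the fix on your server is the Standalone CA route or a change to the certsrv authentication settings, without having to reproduce the enrollment failure first.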