Certificate services and L2TP VPN


clarinathan
November 24th, 2002, 04:44 AM
I am trying to set up a CA so that I can issue certificates to machines trying to connect to my network via an L2TP VPN.

However, when using the web-based enrollment procedure I often get halfway through the process and then the page gets stuck saying,

downloading ActiveX control please wait.

It never finishes this procedure!!!!

Why is this?

Also, is there another/better way for people to get certificates so they can then connect to my VPN?

Thanks for the help
Nathan

SpongeBob
November 24th, 2002, 01:00 PM
Unless you plan on using this for people you don't know... secure payments... and such....

If it is for employees working from home...

What M$ don't want to tell you is you don't HAVE to enroll online. W2K Adv Server has everything to issue certs built right in. They just won't be registered with a service like VeriSign.


So the client will get a pop-up every time asking if they trust this place, and if they click "more info"... there will be none. But if it is for employees... they can adjust the IE settings and choose ALWAYS TRUST THIS CERT, and no more pop-ups. Just one more step on the client to say forget you, M$ and VeriSign.

-------------------------------------------------------
The step-by-step instructions are also on M$ TechNet. LOL. But they don't tell you outright. Would hurt them $$!!


I don't have the KB article, but if I find it I'll post it.
------------------------------------------------------

We had this set up (before I got there) for a VPN and SSL for a web site, all for employees accessing data from home or off site, not for other people. If "strangers" are in on it... then you are on the hook for a "trusted" source.

:/

Good Luck

clarinathan
November 25th, 2002, 11:21 AM
Thanks for that

I have looked into getting certificates the way you say.

It seems you must use the MMC certificates console to apply for a cert.

However, this isn't going to work if the people wanting to dial in via a VPN are never in the same location as the server.

Also, any ideas why the ActiveX control won't ever finish downloading?

Thanks
Nathan

SpongeBob
November 26th, 2002, 08:54 AM
Originally posted by clarinathan
However, this isn't going to work if the people wanting to dial in via a VPN are never in the same location as the server.


Connect to the VPN once before they leave so they get the cert and save it. (Windows has a folder for trusted certs... you can even import them.)

The downside is you have to assign "static" certs to each client before they leave out the door for the 1st time. You get into the issue of administrative overhead to maintain the database of who has what cert ID... (like static IPs on a LAN.)

But if you only have 10-15 roaming clients... do it for them... and the rest allow for dynamic allocation.

--------------------------
ActiveX control... check the IE security settings...
Set it to low... do the thing... change back to mid-high.

If that doesn't work... reload. :)
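The provisioning step SpongeBob describes (trust the internal CA, install the machine's own cert before it leaves, keep a record of who holds which cert) can be scripted on the client. The script below is an added example written for this thread, not something from the original posts, and it uses the PowerShell PKI module cmdlets of Windows 8 / Server 2012 and later rather than the Windows 2000 MMC or web enrollment tools discussed above. The file paths, the PFX name and the CSV inventory location are placeholders; the CA root export and the client PFX are assumed to have been produced already by the CA described in the thread.

```powershell
# Added example: install an internal CA root and a machine certificate for
# L2TP/IPsec on a client, then verify the result before the machine goes out.
# Assumptions (placeholders): the CA root was exported to C:\vpn\ca-root.cer,
# the client's machine cert with private key to C:\vpn\client01.pfx.
# Requires the PKI module (Windows 8 / Server 2012 or later), run as Administrator.
param(
    [string]$RootCerPath   = 'C:\vpn\ca-root.cer',
    [string]$ClientPfxPath = 'C:\vpn\client01.pfx',
    [string]$InventoryCsv  = 'C:\vpn\issued-certs.csv'
)

# 1. Trust the internal CA machine-wide. Putting the root into LocalMachine\Root
#    is what removes the "do you trust this issuer" prompts mentioned above.
$root = Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Trusted root installed: $($root.Subject) (thumbprint $($root.Thumbprint))"

# 2. Install the machine certificate issued by that CA. L2TP/IPsec authenticates
#    with the computer certificate, so the PFX goes into LocalMachine\My, not the
#    current user's store.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$client = Import-PfxCertificate -FilePath $ClientPfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 3. Checks before handing the machine out: private key present, chain builds to
#    the root just installed, certificate not about to expire.
if (-not $client.HasPrivateKey) {
    throw 'Imported certificate has no private key; IKE cannot use it.'
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline build; use 'Online' once the CRL is reachable
if (-not $chain.Build($client)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Certificate chain does not validate to a trusted root.'
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    throw "Chain ends at '$($chainRoot.Subject)', not at the CA root imported in step 1."
}
if ($client.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($client.NotAfter); renew before then."
}

# 4. The "database of who has what cert ID" from the post: append one line per
#    provisioned machine so the admin can later revoke or renew the right cert.
[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Subject    = $client.Subject
    Thumbprint = $client.Thumbprint
    NotAfter   = $client.NotAfter
    Issued     = Get-Date
} | Export-Csv -Path $InventoryCsv -Append -NoTypeInformation

Write-Host 'Machine certificate installed and verified.'
```

The chain check in step 3 is the part worth keeping even if the rest is done by hand: a certificate that imports fine but chains to a different root (or to none) will be accepted by the store and still fail silently at IKE time, and the thumbprint comparison catches that before the laptop leaves the building.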

clarinathan
December 4th, 2002, 04:05 PM
Hi,

Just to let people know,

I have discovered why the ActiveX control wouldn't load.

It was a mismatched version.

See KB Q323172

Thanks, Nathan