Author: pertorben

CA Web Enrollment error 403.14

The Certification Authority Web Enrollment is the webpage where you can log on to request certificates or download CRLs from your CA. One of my challenges today was that a newly installed issuing CA was unable to configure the Web Enrollment webpage correctly. No matter what I did, I always got the “403.14 – Forbidden” error.

After quite a bit of troubleshooting, including removing and re-adding roles using both Server Manager and PowerShell, with reboots between the steps, I was no closer to a solution. One of my Google searches led me to where he suggests to check that default.asp is located in the path C:\Windows\System32\CertSrv\en-US.

I had the file and everything there was correct, but that led me to check the path of the website itself. For some reason IIS kept linking the /certsrv site to C:\Windows\System32\CertSrv, which is the parent folder, so as soon as I changed the path from C:\Windows\System32\CertSrv to C:\Windows\System32\CertSrv\en-US in IIS everything was OK.


Java security settings

Java 7u51 has been a headache so far with security settings, especially on a terminal server. I needed to adjust the security setting for Java for all users on the terminal server and add a website ( to the exception site list in Java.

The solution was to create 3 text files and place them all in the folder C:\Windows\Sun\Java\Deployment

filename: Deployment.config



filename: exception.sites

After these 3 text files are created, the new Java settings will take effect at next logon, and you can verify it by looking at the Security tab in the Java Control Panel.

Copy group membership in AD

To copy members from one group to another you can (of course) use PowerShell. This copies the members of Group1 into Group2.

Get-ADGroupMember -Identity "Group1" | ForEach-Object {Add-ADGroupMember -Identity "Group2" -Members $_.SamAccountName}

List installed certificates with PowerShell

To list the installed certificates in the local computer store I use the following one-liner:

dir Cert:\LocalMachine\My | fl thumbprint, SerialNumber, Subject, NotBefore, NotAfter, Issuer

You can replace “LocalMachine” with “CurrentUser” to list certificates in the current user store.
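
The one-liner above can be extended into a small store audit that flags expired, soon-to-expire and weakly signed certificates. This is an added example, not code from the original post; the function name Get-CertificateAudit and the 30-day warning threshold are assumptions chosen for illustration.

```powershell
# Added example: audit a certificate store for validity and weak signature hashes.
# Get-CertificateAudit and the default 30-day threshold are illustrative assumptions.
function Get-CertificateAudit {
    [CmdletBinding()]
    param(
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$StoreLocation = 'LocalMachine',
        [string]$StoreName = 'My',
        [int]$WarnDays = 30
    )

    $now = Get-Date
    Get-ChildItem -Path "Cert:\$StoreLocation\$StoreName" |
        # Skip anything in the provider path that is not a certificate object.
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)

            # Classify by validity window; check the hard failures first.
            $status = 'OK'
            if ($now -lt $_.NotBefore)        { $status = 'NotYetValid' }
            elseif ($now -gt $_.NotAfter)     { $status = 'Expired' }
            elseif ($daysLeft -le $WarnDays)  { $status = 'ExpiringSoon' }

            [pscustomobject]@{
                Status        = $status
                DaysLeft      = $daysLeft
                NotAfter      = $_.NotAfter
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                # A private key in the store means this host can act as the subject.
                HasPrivateKey = $_.HasPrivateKey
                # FriendlyName is e.g. sha1RSA, md5RSA, sha256RSA; -match is case-insensitive.
                WeakSignature = [bool]($_.SignatureAlgorithm.FriendlyName -match 'md5|sha1')
            }
        } |
        Sort-Object NotAfter
}

# Show only the entries that need attention in the local computer store.
Get-CertificateAudit -StoreLocation LocalMachine |
    Where-Object { $_.Status -ne 'OK' -or $_.WeakSignature } |
    Format-Table Status, DaysLeft, Subject, Thumbprint, HasPrivateKey, WeakSignature -AutoSize
```

Pass -StoreLocation CurrentUser to run the same audit against the current user store.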

How to easily boot into safe mode

In Windows Server 2012 the shutdown.exe command has a new switch, -o, which lets you control the behaviour of the next reboot. You can use this to boot straight into the boot menu and then select safe mode, last known good, etc.