MSAD CA Windows Certificate server web enrollment 401 authentication error

Question

On machine A using Chrome I can login to /certsrv/ just fine

But on another machine also with Chrome (in-place upgrade to Win 11) the authentication popup does not accept correct (same) username/password & gives 401 on cancel

Anybody has any idea how to tackle it? (and please do use AI to answer, because that is complete BS!)

Seb

Answer 1

Hello Sebastian Cerazy,

Thank you for posting in Q&A forum.

A 401 typically indicates an issue with authentication settings or permissions. Here are some steps to troubleshoot this issue:

1. Check IIS Authentication Settings, ensure that Anonymous Authentication is enabled and other authentication methods such as Active Directory Client Certificate Authentication are disabled.
2. The CA Web Enrollment pages require HTTPS. Ensure that an appropriate SSL certificate is installed on the web server hosting the CA Web Enrollment pages
3. Check the permissions on the CA by opening the Certification Authority console, right-clicking the CA, and selecting Properties. Go to the Security tab and verify the permissions.
4. If the CA Web Enrollment role is hosted on a server other than the CA server, ensure that constrained delegation for Kerberos is enabled on the computer account of the server hosting the CAWE role.
5. Check the Event Viewer on the CA and the web server for any related error messages. Look under Windows Logs > Application and System for any relevant entries.

References:

Microsoft CA - Certificate Authority Web Enrollment Access Issue

Enable HTTPS Certificate Authority for Web Enrollment

I hope the information above is helpful.

If you have any questions or concerns, please feel free to let us know.

Best Regards,

Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.