Windows 2003 Certificate Authority
First post in an Oracle blog and it's about. . . the Windows 2003 Server Certificate Authority.
Long story short: have to set up a test network to develop a reduced sign-on solution for an Oracle Forms application. Users use smart cards to log on to the network, so the test network has to be the same. Windows 2003 Standard Server is the domain controller. Several weeks ago, a co-worker installed the Certificate Authority and successfully implemented smart card logins for the domain. Then I came along, working another problem, and removed Certificate Authority using the Windows Add/Remove Programs tool.
Turns out it's a little more complicated than that.
After several reinstallations, lots of googling, and more Microsoft KB and TechNet articles than I want to remember, I found "How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server". I followed all the steps, reinstalled Certificate Authority, set up my enrollment station, created a smart card and still couldn't log in, although I was getting a different error message than the ". . . credential retrieval failed" I had been getting. This error directed me to the Windows event viewer, where I discovered the KDC (Key Distribution Center) was complaining the Root certificate was untrusted. This confirmed my earlier suspicion that Active Directory was using an old Root certificate to authenticate the smart card against. However, after I followed the decommissioning guidelines, the KDC was still complaining.
So I googled some more, swore some more, and finally used this command:
certutil -pulse
This loaded the Certificate Authority root certificate into all the domain stores - I think. Whatever it did, I can now log on to the domain using a smart card.
Now, back to Oracle and a malfunctioning Forms Servlet. . .
Labels: MSCertificateAuthority, Windows Win2003