Virtual Server 2005 and Service Principal Names (SPN)

I recently had to warnings in the Virtual Server log on my Virtual Server 2005 R2 host:
Type:         Warning
Event:        1130
Date Time:    27.06.2007 22:28:42
Source:       Virtual Server
ComputerName: HOME-VSHOST
Category:     Virtual Server
User:         NT AUTHORITYNETWORK SERVICE
Description:  The service principal names for Virtual Server could not be registered. Constrained delegation cannot be used until the SPNs have been registered manually.  Error 0x800706ba – The RPC server is unavailable.
Type:         Warning
Event:        1029
Date Time:    27.06.2007 22:28:42
Source:       Virtual Server
ComputerName: HOME-VSHOST
Category:     Remote Control
User:         NT AUTHORITYNETWORK SERVICE
Description:  The service principal name for the VMRC server could not be registered. Automatic authentication will always use NTLM authentication.  Error 0x800706ba – The RPC server is unavailable.
For some reason, the Virtual Server service, running as Network Service, was unable to add the necessary Service Principal Names (SPN) to the computer object of the Virtual Server host in Active Directory. This is a known problem when Virtual Server is running on a Domain Controller (http://support.microsoft.com/kb/890893/en-us), but this machine was a member server.
To resolve this problem you run the following commands:
setspn -A vmrc/<NetBIOS name of VS machine>:5900 <NetBIOS name of VS machine>
setspn -A vmrc/<FQDN of VS machine>:5900 <NetBIOS name of VS machine>
setspn -A vssrvc/<NetBIOS name of VS machine> <NetBIOS name of VS machine>
setspn -A vssrcv/<FQDN of VS machine> <NetBIOS name of VS machine>
Restart the Virtual Server service and the errors should be gone.

More on certificates; you cannot use the Certificate Services Web enrollment pages together with Windows Vista

Continuing my posts about the strange world of PKI and certificates.
Today I browsed over to my CA using my Windows Vista Ultimate machine. Only to receive this message:
ERROR:
The certificate enrollment page you are attempting to access cannot be used with this version of Windows. To enable Web certificate enrollment for clients running Windows Vista, your administrator must update all Windows CA Web enrollment pages. To learn more about this issue and the steps needed to update Web enrollment pages to support all versions of Windows, see:
Turns out that you have to copy the Web Enrollement pages from Longhorn Server (Windows Server 2008) to use Vista and web enrollement.

Requesting Web Server certificates from an Enterprise CA

One of the things I have never been able to figure out, is why you cannot request a certificate based on the Web Server template from a Windows Enterprise CA when you are using the CA web pages (<servername>/CertSrv). Ever since Windows 2000 I have occationally stumbeled on this problem but never had time to really investigate it. I still have not found out why the Web Server template is unavailabe, but I have found a workaround.
By using the certreq.exe utility you can successfully request and receive a certificate from an Enterprise CA. The command you use is:
certreq -submit -attrib “CertificateTemplate:WebServer” <request_file>
The request file is any text file (.cer, .req etc.) that contains the Base64 encoded certificate request generated by your server. Typically a web server. When you run this command you are prompted to select the CA from which you would like to request the certificate and the name of the file in which to save the issued certificate. You can also specify these options on the command line.
Since this works, the problem must lie in the CA web pages. If anyone has an explanations as to what may be the problem I would be very interested.
The reason that I went a little further in trying to crack this problem this time, was that I was setting up my Virtual Server host and was unable to get a certificate for the Virtual Machine Remote Console (VMRC). The administration web pages for Virtual Server cannot send a certificate request directly to an online CA, but rather have to generate a Base64 encoded request which you have to submit to your CA manually and then upload the issued certificate to Virtual Server. Using the above command I was finally able to get a certificate. For those of you wondering; no you cannot use one of the certificates that the computer running Virtual Server has in its certificate store. Virtual Server runs under the Network Serivce account which does not have access to those certificates. Some more information about the exact reason for this is availabe here:
Finally, the SSL certificate for the Virtual Server administration site itself can be retreived in IIS using the request new certificate option.