Re: Error enrolling machine certs
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/14/05
- Next message: froowstie: "Re: Error enrolling machine certs"
- Previous message: Steven L Umbach: "Re: DHCP IP and PC name info - if not good new group plz redirect me (sorry !!!)"
- In reply to: froowstie: "Error enrolling machine certs"
- Next in thread: froowstie: "Re: Error enrolling machine certs"
- Reply: froowstie: "Re: Error enrolling machine certs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 14 Apr 2005 01:56:29 -0500
Make sure that you have enabled autoenrollment via Group Policy for computer
configuration and that the computers are within the scope of influence of
the policy. Either authenticated users or a global group that includes your
computer accounts needs to have read/enroll/autoenroll permissions for the
computer certificate template and it needs to be the same group for all
those permissions, which is unlike what we normally see for NTFS permissions.
For autoenrollment you either need to use a version 2 certificate template
copied from a version 1 certificate template OR you can use a version 1
template and configure "automatic request" via Group Policy which also will
work for Windows 2000 computers. It may also help to look in the CA
Management Console to look at failed requests to see if there is any helpful
or more explicit information recorded there. --- Steve
"froowstie" <smeg@smeg.com> wrote in message
news:eu$aHRLQFHA.3880@tk2msftngp13.phx.gbl...
> Hey there,
>
> We've set up a new PKI infrastructure in the lab. We have a standalone Root
> CA and a subordinate enterprise CA. The issue is that our XP clients are
> unable to enroll machine certificates, either manually through the
> Certificates snap-in or via auto-enrollment. The following error is
> generated on request in the Application event log:
>
> Event ID: 13
> Type: Warning
> Source: AutoEnrollment
> Description: Automatic certificate enrollment for local system failed to
> enroll for one Domain Controller Authentication certificate (0x80070005).
> Access is denied.
>
> We then enabled enhanced auto enrollment logging via the registry on the
> client and the following error showed in the registry.
>
> Event ID: 17
> Source: AutoEnrollment
> Description: Automatic certificate enrollment for local system failed to
> enroll for one TEST certificate from Certificate Authority Test SUB CA on
> CA2.sampledomain.org (0x8007005). Access is denied. Another certificate
> authority will be contacted.
>
> We've specified that the domain computers group have full access to the
> published certs. Enrollment for user certs is working fine.
>
> It seems like some sort of permissions issue, but I'm not sure if it's
> related to the client, the Enterprise CA or AD. Any help would be
> appreciated.
>
> Cheers, James.
>
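A check for the template permissions the reply describes, added here as an example and not part of the thread. It assumes PowerShell on a domain-joined Windows host with ADSI access, uses the template name TEST from the original post, takes the principal name as a parameter (the domain NetBIOS name shown is a placeholder), and relies on the schema's well-known Certificate-Enrollment and Certificate-AutoEnrollment control-access-right GUIDs.

```powershell
# Added example: audit a certificate template's AD ACL for the
# read/enroll/autoenroll triad that must all sit on the same principal.
param(
    [string]$TemplateName = 'TEST',                         # template name from the original post
    [string]$Principal    = 'SAMPLEDOMAIN\Domain Computers' # assumption: replace with your domain
)

# Well-known control-access-right GUIDs from the AD schema (Certificate-Enrollment,
# Certificate-AutoEnrollment); extended-right ACEs carry them in ObjectType.
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$ReadRight      = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# Templates are stored in the Configuration partition; plain ADSI needs no extra module.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
try { $template.psbase.RefreshCache() } catch { throw "Template '$TemplateName' not found under $configNC" }

# Version 1 templates cannot carry autoenrollment settings; they need the
# 'automatic certificate request' Group Policy path instead.
$schemaVersion = [int]$template.psbase.Properties['msPKI-Template-Schema-Version'].Value

# Only Allow ACEs granted to this exact principal count, because the point is that
# one group must hold all three rights rather than three different groups.
$aces = $template.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Principal }

$hasRead       = [bool]($aces | Where-Object { $_.ActiveDirectoryRights.HasFlag($ReadRight) })
$hasEnroll     = [bool]($aces | Where-Object { $_.ObjectType -eq $EnrollGuid })
$hasAutoEnroll = [bool]($aces | Where-Object { $_.ObjectType -eq $AutoEnrollGuid })

# Ready means: all three rights on one principal and a version 2 (or later) template.
[pscustomobject]@{
    Template      = $TemplateName
    SchemaVersion = $schemaVersion
    Principal     = $Principal
    Read          = $hasRead
    Enroll        = $hasEnroll
    AutoEnroll    = $hasAutoEnroll
    Ready         = ($hasRead -and $hasEnroll -and $hasAutoEnroll -and $schemaVersion -ge 2)
}
```

A False in any of the three right columns for the group you expect, or a schema version of 1, matches the access-denied symptom in the original post and points at the template rather than the client.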