Re: Error enrolling machine certs

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/14/05


Date: Thu, 14 Apr 2005 02:32:48 -0500

Hmm. V2 templates would be available but in order to use a V2 template for
computers you have to create one by copying a V1 template and then naming
and configuring the new V2 template to your needs. You can do such by right-
clicking certificate templates and selecting manage in the CA Management
Console. Still I would think that you could request a V1 template for
computer. Make sure the certificate template you are using is available as
shown under "certificate templates" in the CA Management Console for the CA
that you want to issue them. I have created V2 templates myself and then
forgot to make them available to issue. You need to be logged onto a
computer as a local admin to request a computer certificate either through
mmc or Web Enrollment. I would try testing with a different certificate
template such as workstation to see if that works. Also try giving
authenticated users read/enroll/autoenrollment to see if that makes a
difference for whatever reason. The link below is what I found at MS for one
of your event IDs. --- Steve

http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=autoenrollment&EvtID=13&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.2
or
http://tinyurl.com/5lrwa

"froowstie" <smeg@smeg.com> wrote in message
news:%23PczODMQFHA.3156@TK2MSFTNGP15.phx.gbl...
> Auto-enrollment is enabled as default for all machines in the domain, and
> the policy is applying. However we can't auto-enroll or request a cert
> manually.
>
> The domain computers group already has read/enroll/auto-enroll for the
> certs. However, it should be noted ALL machine certs are failing to
> enroll, not just the one we've created.
>
> We're using W2k3 Enterprise Edition so I'm assuming v2 certs are in place?
>
> The request is not getting as far as the CA in that nothing is logged in
> the CA management console to reflect the cert request.
>
> Any other thoughts?
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:e3l5V8LQFHA.244@TK2MSFTNGP12.phx.gbl...
>> Make sure that you have enabled autoenrollment via Group Policy for
>> computer configuration and that the computers are within the scope of
>> influence of the policy. Either authenticated users or a global group
>> that includes your computer accounts needs to have read/enroll/autoenroll
>> permissions for the computer certificate template and it needs to be the
>> same group for all those permissions which is unlike what we normally see
>> for ntfs permissions. For autoenrollment you either need to use a version
>> 2 certificate template copied from a version 1 certificate template OR
>> you can use a version 1 template and configure "automatic request" via
>> Group Policy which also will work for Windows 2000 computers. It may also
>> help to look in the CA Management Console to look at failed requests to
>> see if there is any helpful or more explicit information recorded
>> here. --- Steve
>>
>>
>> "froowstie" <smeg@smeg.com> wrote in message
>> news:eu$aHRLQFHA.3880@tk2msftngp13.phx.gbl...
>>> Hey there,
>>>
>>> We've set up a new PKI infrastructure in the lab. We have a standalone
>>> Root CA and a subordinate enterprise CA. The issue is that our XP
>>> clients are unable to enroll machine certificates, either manually
>>> through the Certificates snap-in or via auto-enrollment. The following
>>> error is generated on request in the Application event log:
>>>
>>> Event ID: 13
>>> Type: Warning
>>> Source: AutoEnrollment
>>> Description: Automatic certificate enrollment for local system failed to
>>> enroll for one Domain Controller Authentication certificate
>>> (0x80070005). Access is denied.
>>>
>>> We then enabled enhanced auto enrollment logging via the registry on the
>>> client and the following error showed in the registry.
>>>
>>> Event ID: 17
>>> Source: AutoEnrollment
>>> Description: Automatic certificate enrollment for local system failed to
>>> enroll for one TEST certificate from Certificate Authority Test SUB CA
>>> on CA2.sampledomain.org (0x8007005). Access is denied. Another
>>> certificate authority will be contacted.
>>>
>>> We've specified that the domain computers group have full access to the
>>> published certs. Enrollment for user certs is working fine.
>>>
>>> It seems like some sort of permissions issue, but I'm not sure if it's
>>> related to the client, the Enterprise CA or AD. Any help would be
>>> appreciated.
>>>
>>> Cheers, James.
>>>
>>
>>
>
>
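A PowerShell check for the three things Steve's replies tell the poster to verify: whether the template is published ("available to issue") on an enterprise CA, whether one group holds Read, Enroll and AutoEnroll on the template object in AD, and whether it is a V1 or V2 template. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module on a domain-joined machine with rights to read the Configuration partition, and uses the thread's TEST template name.

```powershell
# Added diagnostic, not from the thread. Assumes the ActiveDirectory module (RSAT)
# in a domain-joined session. Template name 'TEST' is the thread's example.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs used in ACEs on certificate template objects
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Test-TemplateEnrollment {
    param([Parameter(Mandatory)][string]$TemplateName)

    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $pks  = "CN=Public Key Services,CN=Services,$cfg"
    $tmpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pks" `
                -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))" `
                -Properties 'msPKI-Template-Schema-Version'
    if (-not $tmpl) { Write-Warning "Template '$TemplateName' not found in AD"; return }

    # V1 templates need an "automatic request" policy; V2 templates autoenroll directly
    $ver = $tmpl.'msPKI-Template-Schema-Version'
    Write-Host "Template $TemplateName : schema version $ver"

    # Collect Read / Enroll / AutoEnroll per identity; all three should sit on ONE group
    $acl = Get-Acl -Path "AD:\$($tmpl.DistinguishedName)"
    $rights = @{}
    foreach ($ace in $acl.Access | Where-Object AccessControlType -eq 'Allow') {
        $id = $ace.IdentityReference.Value
        if (-not $rights[$id]) { $rights[$id] = @{ Read=$false; Enroll=$false; AutoEnroll=$false } }
        if ($ace.ActiveDirectoryRights -match 'GenericRead|ReadProperty|GenericAll') { $rights[$id].Read = $true }
        if ($ace.ActiveDirectoryRights -match 'ExtendedRight|GenericAll') {
            # An empty ObjectType means "all extended rights"
            if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $EnrollGuid)     { $rights[$id].Enroll = $true }
            if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $AutoEnrollGuid) { $rights[$id].AutoEnroll = $true }
        }
    }
    foreach ($id in $rights.Keys) {
        $r  = $rights[$id]
        $ok = if ($r.Read -and $r.Enroll -and $r.AutoEnroll) { 'complete' } else { 'incomplete' }
        Write-Host ("  {0,-40} Read={1} Enroll={2} AutoEnroll={3} -> {4}" -f $id, $r.Read, $r.Enroll, $r.AutoEnroll, $ok)
    }

    # Is the template published on any enterprise CA? (the step Steve says he forgot himself)
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
              -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates, dNSHostName
    foreach ($ca in $cas) {
        $pub = $ca.certificateTemplates -contains $TemplateName
        Write-Host "  CA '$($ca.Name)' on $($ca.dNSHostName): published = $pub"
    }
}

Test-TemplateEnrollment -TemplateName 'TEST'
```

Because the template ACL is read from AD rather than from the CA, an "incomplete" result here locates the 0x80070005 denial in AD permissions before the request ever reaches the CA, which matches the poster's observation that nothing is logged on the CA side.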


