Re: Error enrolling machine certs
From: S. Pidgorny
Date: 04/14/05
- Previous message: Mathew: "Re: DHCP IP and PC name info - if not good new group plz redirect me (sorry !!!)"
- In reply to: Steven L Umbach: "Re: Error enrolling machine certs"
- Next in thread: froowstie: "Re: Error enrolling machine certs"
- Reply: froowstie: "Re: Error enrolling machine certs"
- Reply: Steven L Umbach: "Re: Error enrolling machine certs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 14 Apr 2005 19:00:26 +1000
Steven,
Note that - from the original problem description - Windows XP clients are
failing to enroll using the Domain Controller template. That is not normal.
The second event says "access denied". I would verify access to the
certificate templates and to the certificate services - everything that can
be ACLed incorrectly. From memory, there are two places to look at?
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:ejAYoQMQFHA.1528@TK2MSFTNGP09.phx.gbl...
> Hmm. V2 templates would be available but in order to use a V2 template for
> computers you have to create one by copying a V1 template and then naming
> and configuring the new V2 template to your needs. You can do such by right
> clicking certificate templates and selecting manage in the CA Management
> Console. Still I would think that you could request a V1 template for
> computer. Make sure the certificate template you are using is available as
> shown under "certificate templates" in the CA Management Console for the CA
> that you want to issue them. I have created V2 templates myself and then
> forgot to make them available to issue. You need to be logged onto a
> computer as a local admin to request a computer certificate either through
> mmc or Web Enrollment. I would try testing with a different certificate
> template such as workstation to see if that works. Also try giving
> authenticated users read/enroll/autoenrollment to see if that makes a
> difference for whatever reason. The link below is what I found at MS for one
> of your event IDs. --- Steve
>
> http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=autoenrollment&EvtID=13&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.2
> or
> http://tinyurl.com/5lrwa
>
> "froowstie" <smeg@smeg.com> wrote in message
> news:%23PczODMQFHA.3156@TK2MSFTNGP15.phx.gbl...
> > Auto-enrollment is enabled as default for all machines in the domain, and
> > the policy is applying. However we can't auto-enroll or request a cert
> > manually.
> >
> > The domain computers group already has read/enroll/auto-enroll for the
> > certs. However, it should be noted ALL machine certs are failing to
> > enroll, not just the one we've created.
> >
> > We're using W2k3 Enterprise Edition so I'm assuming v2 certs are in place?
> >
> > The request is not getting as far as the CA in that nothing is logged in
> > the CA management console to reflect the cert request.
> >
> > Any other thoughts?
> >
> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > news:e3l5V8LQFHA.244@TK2MSFTNGP12.phx.gbl...
> >> Make sure that you have enabled autoenrollment via Group Policy for
> >> computer configuration and that the computers are within the scope of
> >> influence of the policy. Either authenticated users or a global group
> >> that includes your computer accounts needs to have read/enroll/autoenroll
> >> permissions for the computer certificate template and it needs to be the
> >> same group for all those permissions, which is unlike what we normally see
> >> for NTFS permissions. For autoenrollment you either need to use a version
> >> 2 certificate template copied from a version 1 certificate template OR
> >> you can use a version 1 template and configure "automatic request" via
> >> Group Policy, which also will work for Windows 2000 computers. It may also
> >> help to look in the CA Management Console at failed requests to
> >> see if there is any helpful or more explicit information recorded
> >> there. --- Steve
> >>
> >> "froowstie" <smeg@smeg.com> wrote in message
> >> news:eu$aHRLQFHA.3880@tk2msftngp13.phx.gbl...
> >>> Hey there,
> >>>
> >>> We've set up a new PKI infrastructure in the lab. We have a standalone
> >>> Root CA and a subordinate enterprise CA. The issue is that our XP
> >>> clients are unable to enroll machine certificates, either manually
> >>> through the Certificates snap-in or via auto-enrollment. The following
> >>> error is generated on request in the Application event log:
> >>>
> >>> Event ID: 13
> >>> Type: Warning
> >>> Source: AutoEnrollment
> >>> Description: Automatic certificate enrollment for local system failed to
> >>> enroll for one Domain Controller Authentication certificate
> >>> (0x80070005). Access is denied.
> >>>
> >>> We then enabled enhanced auto enrollment logging via the registry on the
> >>> client and the following error showed in the registry.
> >>>
> >>> Event ID: 17
> >>> Source: AutoEnrollment
> >>> Description: Automatic certificate enrollment for local system failed to
> >>> enroll for one TEST certificate from Certificate Authority Test SUB CA
> >>> on CA2.sampledomain.org (0x8007005). Access is denied. Another
> >>> certificate authority will be contacted.
> >>>
> >>> We've specified that the domain computers group have full access to the
> >>> published certs. Enrollment for user certs is working fine.
> >>>
> >>> It seems like some sort of permissions issue, but I'm not sure if it's
> >>> related to the client, the Enterprise CA or AD. Any help would be
> >>> appreciated.
> >>>
> >>> Cheers, James.
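The replies above name two places that can be ACLed or configured incorrectly and that a client consults before it ever contacts the CA: the ACL on the certificate template object in Active Directory (where Read, Enroll and AutoEnroll must be granted to the same principal) and the CA's Enrollment Services object, which lists the templates the CA will issue. The following PowerShell script is an added example, not code from this thread or from any of its participants; it audits both places on a modern domain-joined host. It assumes the script runs as a domain user (the Configuration partition is readable by Authenticated Users), that .NET's System.DirectoryServices types are available, and that the template name 'Workstation' and the CA name 'Test SUB CA' are placeholders to be replaced with your own.

```powershell
# Added example, not part of the thread. Audits (1) the ACL on a certificate
# template object in the forest Configuration partition and (2) whether the
# enterprise CA publishes that template. Template and CA names are placeholders.

# Fixed, well-known GUIDs of the two extended rights used on certificate templates.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-00e0-a9b5-4f61f5e8bb68'   # Certificate-AutoEnrollment

function Get-PkiServicesDN {
    # CN=Public Key Services lives under the forest Configuration naming context.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    return "CN=Public Key Services,CN=Services,$configNC"
}

function Get-TemplateEnrollmentAccess {
    # One row per principal: does it hold Read, Enroll and AutoEnroll on the template?
    param([Parameter(Mandatory = $true)][string]$TemplateName)   # template CN, e.g. 'Workstation', not the display name

    $template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,$(Get-PkiServicesDN)"
    $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    $byPrincipal = @{}
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $who = $ace.IdentityReference.Value
        if (-not $byPrincipal.ContainsKey($who)) {
            $byPrincipal[$who] = @{ Principal = $who; Read = $false; Enroll = $false; AutoEnroll = $false }
        }
        $rights = [int]$ace.ActiveDirectoryRights
        # GenericRead includes the ReadProperty bit, so testing ReadProperty covers both grants.
        if (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0) {
            $byPrincipal[$who].Read = $true
        }
        if (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) {
            # An empty ObjectType means "all extended rights", which includes both enrollment rights.
            $all = ($ace.ObjectType -eq [Guid]::Empty)
            if ($all -or $ace.ObjectType -eq $EnrollRight)     { $byPrincipal[$who].Enroll     = $true }
            if ($all -or $ace.ObjectType -eq $AutoEnrollRight) { $byPrincipal[$who].AutoEnroll = $true }
        }
    }

    foreach ($p in $byPrincipal.Values) {
        # The thread's point: autoenrollment works only when ONE principal holds all three.
        [pscustomobject]@{
            Principal     = $p.Principal
            Read          = $p.Read
            Enroll        = $p.Enroll
            AutoEnroll    = $p.AutoEnroll
            CanAutoEnroll = ($p.Read -and $p.Enroll -and $p.AutoEnroll)
        }
    }
}

function Test-CaPublishesTemplate {
    # $true when the CA's Enrollment Services object lists the template. If it does not,
    # the client never sends a request to that CA, which matches "nothing logged on the CA".
    param([Parameter(Mandatory = $true)][string]$CaName,         # the CA's common name, e.g. 'Test SUB CA'
          [Parameter(Mandatory = $true)][string]$TemplateName)

    $ca = [ADSI]"LDAP://CN=$CaName,CN=Enrollment Services,$(Get-PkiServicesDN)"
    $published = @($ca.certificateTemplates | ForEach-Object { "$_" })
    return ($published -contains $TemplateName)
}

# Usage (placeholder names; substitute your own template CN and CA name):
Get-TemplateEnrollmentAccess -TemplateName 'Workstation' | Format-Table -AutoSize
Test-CaPublishesTemplate -CaName 'Test SUB CA' -TemplateName 'Workstation'
```

A principal row with CanAutoEnroll false explains the 0x80070005 symptom described above when Enroll or AutoEnroll was granted to one group and Read to another. The same two facts can be cross-checked from the built-in tooling with `certutil -v -template <TemplateCN>` (template ACL) and `certutil -CATemplates -config "<host>\<CA name>"` (templates the CA issues); the CA's own "Request Certificates" permission, set in the CA's Properties > Security tab, is a third place to verify if requests reach the CA but are rejected there.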