FIM CM Enroll on behalf
Hello, I can't complete an enrollment "on behalf" of another user:
- My SmartCard enrollment workflow doesn't include any data collection or OTP distribution
- "AdminUser1" makes an enrollment request for "AdminUser2" (both of them are Enterprise Admins, to avoid ACL issues)
- The request is correctly initialized
- At the summary page of the request (status: approved) I can only click "OK" (I can't execute the request)
- When I log on as "AdminUser2": this user can see and then execute the FIM CM request. At the certificate request step (right after defining the PIN) I have the following error: "Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied"
If I keep "Certificate Request Agent" as Application policy for my user certificate template (Issuance Requirements tab), I have exactly the same error (Configuration information ...) with an autoenrollment workflow. If I remove it, then my autoenrollment succeeds. So is this related to a problem with my enrollment agent account? (I checked the required permissions for this account; it has a certificate in the personal store. I tried both on the FIM Server and CA Server; the certificate hash is configured in Web.config.) Does anyone have an idea what that could be? Thanks in advance!
May 12th, 2010 1:29pm

A little bit confusing: if I understand you correctly, you try to implement a centralized model (enrollment on behalf), but execute the request as a Self-Service model (AdminUser2 can execute). You may review your configuration according to this post. /Hope this helps, Matthias
May 12th, 2010 2:51pm

Yes, AdminUser2 can execute because he is in the same AD group (Enterprise Admins) that is specified in the CM Enroll policy: "Initiate Enroll request" and "Enroll agent for requests". But my first problem is: why can't AdminUser1 execute the request? Any suggestion is more than welcome! Thanks,
May 12th, 2010 3:07pm

Have you checked in your CM profile template that Self service is disabled and Enrollment Agent required is enabled? /Matthias
May 12th, 2010 4:50pm

Yes, this is how my CM Enroll policy is configured (also there's no data collection). Thanks.
May 12th, 2010 6:26pm

Which certificate template did you configure in the FIM CM profile template? Can you post the permissions you configured on the 5 magic FIM CM points?
1. Service Connection Point
2. Smartcard profile template
3. Certificate template
4. Target User group
5. CM Enroll policy: "Initiate Enroll request" and "Enroll agent for requests"
BTW: You should rather use groups (global or universal, not domain local) than user objects to deploy the permissions. /Matthias
May 13th, 2010 6:00pm

I re-configured the 5 magic FIM CM points using groups instead of using the Domain Admins accounts. Now I can execute the request using a certificate manager account. But I have another error right after executing the request: "Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. 0x80070547 (WIN32: 1351). The request was for MYDOMAIN\MyUser. Additional information: Denied by Policy Module"
I use a duplicate of the default "Smartcard Logon" template. The specific configurations that I have are the following:
1. Require Base CSP as provider for certificate requests
2. Include symmetric algorithms allowed by the subject
3. In the "Issuance Requirements" tab:
- This number of authorized signatures: 1
- Policy type required in signature: Application policy
- Application policy: Certificate Request Agent
If I don't configure the "Issuance Requirements" tab, the enrolment request succeeds but the certificate is issued for the certificate manager account instead of the user account. Do you know why I have this? Is it because my CA somehow doesn't see my Enrolment Agent? How to correctly configure the "Issuance Requirements" tab to perform enrolment "on behalf of" users? Thanks.
May 18th, 2010 4:33pm

What account is assigned Read and Enroll permissions on the custom smart card certificate template? Brian
June 20th, 2010 5:57pm

Hello, I tried both cases:
- Only the certificate managers group has Read and Enroll permissions on the custom smart card certificate template
- Both the certificate managers and the users groups have Read and Enroll permissions on the custom smart card certificate template
Thanks!
August 13th, 2010 1:49pm

Do you see correlating EventLog entries on the CM and/or CA server? Does the CA exit module work correctly (EventLog entries on the CA when shutting down the CA)? /Matthias
August 13th, 2010 4:20pm

The most common error is forgetting to add the hash of the signing cert in the PolicyModule.
August 13th, 2010 11:15pm
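The three things the thread keeps circling back to (the template's Issuance Requirements, who holds Read/Enroll on the template, and whether the enrollment agent certificate hash matches what is configured) can be checked from a domain-joined host. This is an added diagnostic script, not posted by anyone in the thread; the template CN and the Web.config hash are placeholders, and it assumes rights to read the Configuration partition and the LocalMachine certificate store.

```powershell
# Added diagnostic script, not from the thread. Assumptions: runs on a domain-joined
# Windows host with read access to the Configuration partition; $TemplateName and
# $ConfiguredHash are placeholders for the duplicated "Smartcard Logon" template's
# CN and the enrollment agent certificate hash configured in the FIM CM Web.config.
$TemplateName    = 'SmartcardLogonOnBehalf'                 # placeholder
$ConfiguredHash  = 'REPLACE_WITH_HASH_FROM_WEBCONFIG'        # placeholder
$CertReqAgentOid = '1.3.6.1.4.1.311.20.2.1'                  # Certificate Request Agent
$EnrollRightGuid = '0e10c968-78fb-11d2-90d4-00c04f79dc55'    # "Enroll" extended right

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]("LDAP://CN=$TemplateName,CN=Certificate Templates," +
                   "CN=Public Key Services,CN=Services,$configNc")

# 1. Issuance Requirements: enroll-on-behalf needs exactly one authorized signature
#    whose application policy is Certificate Request Agent (the setting from the thread).
$sigCount   = [int]$template.'msPKI-RA-Signature'.Value
$raPolicies = [string]$template.'msPKI-RA-Application-Policies'.Value
"Required signatures   : $sigCount"
"RA application policy : $raPolicies"
if ($sigCount -ne 1 -or $raPolicies -notlike "*$CertReqAgentOid*") {
    Write-Warning 'Issuance Requirements are not set for one Certificate Request Agent signature.'
}

# 2. Who holds Read and Enroll on the template. Enroll is an extended right keyed by
#    its GUID; grant it to global/universal groups rather than individual accounts.
$template.ObjectSecurity.Access |
    Where-Object { $_.ObjectType -eq $EnrollRightGuid -or
                   $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize

# 3. Enrollment agent certificate: present in the machine store, carries the
#    Certificate Request Agent EKU, and its thumbprint matches the configured hash
#    (the CA policy module must be given the same signing certificate hash).
$agentCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $CertReqAgentOid }
foreach ($c in $agentCerts) {
    $match = ($c.Thumbprint -eq ($ConfiguredHash -replace '\s', '').ToUpper())
    "{0}  {1}  matches configured hash: {2}" -f $c.Thumbprint, $c.Subject, $match
}
if (-not $agentCerts) {
    Write-Warning 'No certificate with the Certificate Request Agent EKU in LocalMachine\My.'
}
```

Run it on the FIM CM server for the Web.config comparison and on the CA for the policy module's view of the store; a mismatch in step 3 or a missing signature requirement in step 1 is consistent with the "Denied by Policy Module" result reported above.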

Hello, Thanks for your reply.
Matthias: I don't currently have access to my setting to check the EventLog entries, I will let you know as soon as possible.
nTony: I had the signing certificate's hash in the PolicyModule.
Kevin.
August 17th, 2010 7:11pm

Hi, Has this one ever been resolved? I'm having a problem just as slikevin had before: the enrolment request succeeds but the certificate is issued for the certificate manager account instead of the user account. SergeiM
April 3rd, 2011 11:27pm

Hi, do you use the FIM CM certificate subject/SAN custom policy module on the CA? I found that when I did not use the module I had this issue... More information on configuring FIM CM modules can be found here: http://technet.microsoft.com/en-us/library/gg418616(WS.10).aspx Kind regards, Martin Rublik
April 4th, 2011 8:11am

Hi, Here's the resolution: http://social.technet.microsoft.com/forums/en-US/identitylifecyclemanager/thread/5576b1dc-e24a-4e10-9c04-1fc8e850548e
April 5th, 2011 12:51am

Hi, Do I need to enable both modules or either of them? Regards, Serg
April 5th, 2011 12:51am
