Active Directory Certificate Services: certificates being enrolled repeatedly
Good day everyone! So the problem is that we have ADCS installed, it works, but certificates are being enrolled repeatedly, so we have about 100 certificates issued per user/computer... Also we have warning ID 80, and the usual fixes don't work. Windows Server 2008 R2, only a CA without subs, Web enrollment, Online Responder service. If there are any suggestive questions please ask.
August 29th, 2012 9:51am

Hi, You might want to ask this question in the Security sub forum, which is the best place for CA/Certificate related discussions. http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....
August 29th, 2012 9:52am

Hi, Thanks for posting in Microsoft TechNet forums. We can try the setting "Do not automatically re-enroll if a duplicate certificate exists in Active Directory." Please check the article below:
Configure Certificate Publishing in Active Directory Domain Services
http://technet.microsoft.com/en-us/library/cc730861.aspx
Also please check the suggestions in the thread below to see if they can be helpful to you:
User is issued Multiple User Certificates
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/75534160-85b8-454e-902a-97d94dbf0f05
Regards Kevin
August 30th, 2012 1:13am

1) We did set "Do not automatically re-enroll if a duplicate certificate exists in Active Directory." from the beginning.
2) http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/75534160-85b8-454e-902a-97d94dbf0f05 - this is in some way different, because we have problems with both user and computer certs.
September 3rd, 2012 5:15am

So what is your environment?
1) Do you have auto enroll enabled in your environment?
2) Is this issue happening only for custom made templates or also with the default templates?
3) If possible, can you share the settings of the template for which you are observing this issue?
4) If possible, can you create a duplicate of a user template, give it Auto enroll permission for a test user and check if the above issue happens or not?
September 3rd, 2012 2:33pm

1) Yes we do.
2) We have created custom templates based on the default ones, but the problem seems to occur with the custom made templates.
3) I can share it, but we are using the Russian language; how do you want me to share it?
4) I'll try that, and post the answer as soon as I'll have the result.
September 4th, 2012 4:03am

Can you paste the snapshots of the following tabs of the custom template here: 1) General, 2) Request Handling, 3) Subject Name and 4) Issuance Requirement tab.
Also, have you modified or added any group policies related to certificates?
By enrolling repeatedly, what do you mean?
- When you log into the machine, the same template is getting offered repeatedly?
- What happens when a user has this certificate and he logs off and logs in?
What is the validity period and renewal period for this template?
September 4th, 2012 10:56am

As I had told, screenshots will be in Russian, but I think that wouldn't be a problem :) We have modified:
comp_conf/policies/windows_conf/security_settings/Policy work with public keys / certificates customer service - the automatic registration
user_conf/policies/windows_conf/security_settings/Policy work with public keys / certificates customer service - the automatic registration
I have translated these (policy names) myself, so they can be different from the original, sorry for that... I can't say for sure; the certificate is not offered repeatedly every time users log on/off, I can not understand when it requests the new certificate and, more important, why. Validity period and renewal period are 1 year and 6 weeks. Screenshots are numbered as in your request, Gargi
September 5th, 2012 10:43am

Settings look fine. I am suspecting some changes to do with the template itself, but it's very difficult to tell, because there is no definite pattern when the certificate is getting re-offered. Did you try the following: If possible, can you create a duplicate of a user template, give it Auto enroll permission for a test user and check if the above issue happens or not? Just duplicate the User template and change the security settings to give a user auto enroll permission. Do not do any other changes. If the re-offering does not happen in this case, we can narrow down the issue to some changes with the template settings itself.
September 6th, 2012 9:55am

I had duplicated the user template, but only for one user, and there seems to be no such problem with it, but I am not sure if that would happen with all users.... What will you suggest now?
September 10th, 2012 4:09am

So it looks like an issue with the settings in your custom template. What changes did you make for this custom template? I will try to set up a similar template and check in my test environment then. Let me know also if you have created any special policy in your domain which is related to the template.
September 11th, 2012 2:04pm

I made an exact copy of the custom template with all settings, and I've already shown you my settings, and GP too; what else do you want me to show?
September 12th, 2012 4:38am

Your certificate template settings look fine and the GP settings also look fine. That's why I am confused why it is getting re-offered. It would have been helpful if we could have known the frequency of autoenrollment or any specific event that is triggering the auto enrollment.
Generally the autoenrollment process scans through the list of templates and creates a requirements list for any templates that have an autoenroll access control entry (ACE) set on the template for the current machine or user. The machine and/or user must also have the Read ACE set on the template, or the template will not be enumerated. The user's or machine's MY (personal) store will also be processed at this time to look for revoked certificates, certificates without private keys, time-invalid certificates and so on, and add these certificates to the requirements list. Items in the requirements list may be removed if an appropriate valid certificate is found in the MY store. If a certificate template is marked to check Active Directory for an existing certificate, Active Directory will be queried for an existing duplicate certificate on the userCertificate attribute of the user object, and the requirement will be removed from the list if successful. Once a certificate template with the proper ACE has been enumerated, the autoenrollment process will search for a Microsoft Enterprise Certification Authority in Active Directory that can issue the template. If more than one Enterprise CA is found, the client will try each CA in the list in random order (for load balancing) until a CA responds and is able to issue a certificate.
When you make a critical change in the certificate template and you want all the certificate holders to have this change, autoenrollment will also re-enroll templates when "Reenroll all certificate holders" has been set in Group Policy. So, auto-enrollment offers a certificate when it is either nearing its expiry date, does not have a valid private key associated, is a time-invalid certificate, or when the template is changed and the "Reenroll all certificate holders" option is set.
September 12th, 2012 12:04pm
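Added illustration, not part of this thread or of any Microsoft tool: a PowerShell script that pulls the CA's issued-request log with certutil, flags requesters that got several certificates from the same template on one day (the symptom reported above), and, because the "do not re-enroll if a duplicate exists in AD" check described above depends on the userCertificate attribute, counts how many certificates AD has published for each flagged account. The CA config string is a placeholder; it assumes certutil.exe can reach the CA and that the script runs under an account allowed to read the CA database and query AD.

```powershell
# Added example (not from this thread). Finds repeated issuance per
# requester/template/day and checks what AD holds in userCertificate.
param(
    [string]$CaConfig  = "CA01.example.local\Example Issuing CA",  # placeholder
    [int]   $Threshold = 3,   # certificates per requester/template/day to flag
    [int]   $Days      = 30   # how far back to look
)

# certutil takes the date literal in the host's short-date format.
$since = (Get-Date).AddDays(-$Days).ToShortDateString()

# Disposition 20 = issued. -out fixes the column order; the CSV header row
# is localized (Russian here), so it is skipped and fixed names assigned.
$raw = & certutil.exe -config $CaConfig -view `
    -restrict "Disposition=20,NotBefore>$since" `
    -out "RequestID,RequesterName,CertificateTemplate,NotBefore,SerialNumber" csv
if ($LASTEXITCODE -ne 0) { throw "certutil failed:`n$($raw -join "`n")" }

$rows = $raw | Select-Object -Skip 1 |
    ConvertFrom-Csv -Header RequestID, Requester, Template, NotBefore, Serial

# Group key: requester, template, calendar day of NotBefore (culture-aware parse).
$byDay = { [datetime]::Parse($_.NotBefore, [cultureinfo]::CurrentCulture).Date }
$suspects = $rows |
    Group-Object -Property Requester, Template, $byDay |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending

foreach ($g in $suspects) {
    $first = $g.Group[0]
    # RequesterName is DOMAIN\sAMAccountName; computer accounts end with '$'.
    $sam = ($first.Requester -split '\\')[-1]
    $searcher = [adsisearcher]"(sAMAccountName=$sam)"
    $searcher.PropertiesToLoad.Add('userCertificate') | Out-Null
    $acct = $searcher.FindOne()
    # Zero published certificates means the AD duplicate check cannot help.
    $published = if ($acct) { $acct.Properties['usercertificate'].Count } else { 'account not found' }

    New-Object PSObject -Property @{
        Requester     = $first.Requester
        Template      = $first.Template
        Day           = [datetime]::Parse($first.NotBefore, [cultureinfo]::CurrentCulture).ToShortDateString()
        IssuedThatDay = $g.Count
        Serials       = (($g.Group | ForEach-Object { $_.Serial }) -join ' ')
        PublishedInAD = $published
    }
}
```

Run it on the CA (or pass -CaConfig) and pipe the output to Format-Table; a requester flagged with a high IssuedThatDay but PublishedInAD of 0 points at a template that is not publishing to AD, so the duplicate check in the template has nothing to compare against.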

After you had written, I found out that domain users didn't have read permission in the security tab of the users' custom template, so I changed it as you suggested, but after that the problem still exists. I will show the screenshot of how often some certificates are being issued. And this guy has the same problem (read the last post): http://social.technet.microsoft.com/Forums/ru-RU/winserversecurity/thread/79c257cf-7955-4d8b-aec6-b3ba69e6ef05
September 13th, 2012 9:27am

I've started over again on another server, and the only thing that I did differently is giving read and enroll permission for the computer (that the OCSP responder is running on) in the properties of the OCSP Response Signing template. After 5 days there seems to be no problem....
October 8th, 2012 7:58am

Hey people, the problem is back; I have a computer that received a certificate 3 times per day....
October 15th, 2012 3:29am
