Automatic renewal of certificates through CEP / CES.
We currently have a PKI on Windows 2008 R2, and in this case the clients are notebooks with Windows 7 SP1.
I have a problem with the automatic renewal of the computer certificate through CEP / CES.
The CEP / CES services are installed on the same server; the CA is on another server.
We want to automatically renew the computer certificate over the Internet.

These services are configured for computer certificate renewal only, and to allow authentication using a certificate previously issued to the PC.
The first computer certificate is issued automatically through the Group Policy settings in Active Directory; once the computer has its certificate, the PC's Local Group Policy is configured with the CEP / CES server URL.

I have no problem when I do the renewal through the MMC; it only occurs when the computer tries to do it automatically.

Error events are:
-
Event ID 68
Certificate enrollment for Local system failed in authentication to policy servers with ID  {6ADBCC41-F91F-405C-88EC-4FEF12CF7FCF} 
(Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790))

Event ID 67
Certificate enrollment for Local system failed to load policy from policy servers with ID  {6ADBCC41-F91F-405C-88EC-4FEF12CF7FCF} 
(Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790))

Event ID 6
Automatic Certificate enrollment for Local system failed (0x80090022) Provider could not perform the action since the context was acquired as silent.
-

The documentation used to install CEP / CES is:
http://www.microsoft.com/en-us/download/details.aspx?id=1746

I thank anyone who can guide me with this problem.
Greetings.
October 7th, 2012 2:21am

Hi,

I think "Auto Renewal of certificates through Internet (CEP / CES)" is a new feature in ADCS of Windows 2012. Not sure whether it can be realized in Server 2008.

Anyway, here are two links which might be useful to you:

Enabling CEP and CES for enrolling non-domain joined computers for certificates

http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx

So anybody got autoenrollment working for CES on non-domain-joined computer?

http://www.networksteve.com/forum/topic.php/So_anybody_got_autoenrollment_working_for_CES_on_non-domain-join/?TopicId=28451&Posts=2

Niko
October 8th, 2012 9:10am

Hi Nico.

Certificate renewal through CEP / CES, if I'm not mistaken, was introduced in Windows 2008 R2.
I already knew the attached link; the link that I attached in my question refers to CEP / CES in Windows 2008 R2:

http://www.microsoft.com/en-us/download/details.aspx?id=1746

I thank you for responding.

Greetings.
October 8th, 2012 4:29pm

Hello nando31,

Were you able to solve your problem?

I'm facing the same problem you had in October 2012. The client which should use the CEP/CES is giving the Event ID 6 / 67 and 68 errors you wrote down at the beginning.

regards Jrn

May 6th, 2013 11:39am

Has anyone got anything else on this?

I have seen another thread which suggests that this is only possible if Windows Server 2012 is used for both the CA and CES/CEP servers. 

I am hoping that this is not the case!

Matt...

March 7th, 2014 6:14am
