Certificate Enrollment on Windows XP when user is in a different, trusted domain, from the computer
We're having a problem enrolling certificates for some Windows XP users in our environment. Here is the situation:
- All computers are members of DomainA.com
- The CA that I'm trying to enroll against is a member of DomainB.com
- Users who are having a problem belong to DomainB.com, which is trusted by DomainA.com, and log on to Windows XP computers
- Users who log on to Windows 7 computers and belong to DomainB.com do not have a problem enrolling

When I attempt to enroll for a certificate on a Windows XP machine against the DomainB.com CA, I get an error that no CAs are available or that I do not have permission. However, when I do the same thing, with the same user, on a Windows 7 machine, it locates the AD enrollment policy and available templates without a problem.

If I run Certutil from the Windows XP machine, I can only view templates and CAs that are in DomainA.com, which the computer is a member of. If I try to directly query the available templates on the DomainB.com CA, I get the following error:

402.203.0: 0x80070057 (WIN32: 87): ..
CertCli Version 307.2479.0: 0x80070490 (WIN32: 1168): DomainB.com CA
307.2586.0: 0x80070490 (WIN32: 1168)
CertUtil: -CATemplates command FAILED: 0x80070490 (WIN32: 1168)
CertUtil: Element not found.
301.3128.0: 0x80070490 (WIN32: 1168)

Any way to get around this?
August 16th, 2011 3:56pm

Are both domains members of the same forest?

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
August 17th, 2011 1:48am

No, they are in different forests
August 17th, 2011 10:25am

Have you set up the CA and forests as described in this whitepaper (assuming that the CAs are Windows Server 2008 R2)? http://technet.microsoft.com/en-us/library/ff955845%28WS.10%29.aspx

You should be replicating the *same* certificate templates from DomainA to DomainB (based on the location of the CA in your description). Also make sure that Windows XP has the latest service pack installed.

Brian
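Cross-forest enrollment depends on the template definitions in both forests' Configuration partitions matching, so a quick consistency check is useful before chasing client-side errors. The following PowerShell is an added example, not code from the thread or from the linked whitepaper; the two forest root DNs are placeholders, and it assumes the account running it can read both forests' Configuration partitions over LDAP.

```powershell
# Added example: compare the certificate templates published in two forests.
# The forest root DNs below are placeholders for DomainA.com and DomainB.com.
$ForestA = 'DC=DomainA,DC=com'
$ForestB = 'DC=DomainB,DC=com'

function Get-PkiTemplates {
    # Returns a hashtable of template name -> (OID, major revision, minor revision)
    # read from CN=Certificate Templates in the given forest's Configuration NC.
    param([string]$ForestRootDn)
    $path = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$ForestRootDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($path)
    $searcher.Filter   = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize = 500
    foreach ($attr in 'cn', 'revision', 'msPKI-Template-Minor-Revision', 'msPKI-Cert-Template-OID') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $templates = @{}
    foreach ($r in $searcher.FindAll()) {
        # ResultPropertyCollection keys are lower-case; missing attributes yield $null.
        $name = [string]$r.Properties['cn'][0]
        $templates[$name] = [pscustomobject]@{
            Name  = $name
            Oid   = [string]$r.Properties['mspki-cert-template-oid'][0]
            Major = [int]$r.Properties['revision'][0]
            Minor = [int]$r.Properties['mspki-template-minor-revision'][0]
        }
    }
    return $templates
}

$a = Get-PkiTemplates $ForestA
$b = Get-PkiTemplates $ForestB

# Report templates missing from one side or differing in OID/revision; an empty
# report means the two forests publish identical template definitions.
foreach ($name in (@($a.Keys) + @($b.Keys) | Sort-Object -Unique)) {
    if (-not $b.ContainsKey($name)) { "$name : only in $ForestA"; continue }
    if (-not $a.ContainsKey($name)) { "$name : only in $ForestB"; continue }
    $ta = $a[$name]; $tb = $b[$name]
    if ($ta.Oid -ne $tb.Oid -or $ta.Major -ne $tb.Major -or $ta.Minor -ne $tb.Minor) {
        "$name : differs (A $($ta.Oid) v$($ta.Major).$($ta.Minor) / B $($tb.Oid) v$($tb.Major).$($tb.Minor))"
    }
}
```

Templates that appear in only one forest, or whose OID or revision differs, are the ones a cross-forest client will not be able to match against the CA's published list.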
August 17th, 2011 10:35am

Brian,

Thanks, I'll give that a try. Currently in our setup we have a two-tier PKI with an offline root CA and then issuing CAs in each forest. Our plan was to have users/computers enroll against the CA in their own forest and not have a single resource forest for enrollment. However, that looks like it is a problem with Windows XP.

After reading through the whitepaper, I will enable the CA in DomainA to publish certificates in DomainB. I think this will allow us to move forward, as users in DomainB that log on to Windows XP machines in DomainA currently see the templates and CA in DomainA. I am going to test this now and will post the results.
August 17th, 2011 11:13am
