Certificate auto-enrollment test client fails to re-enroll for a certificate
In a test environment I have a two-tier ADCS PKI hierarchy (offline root and Enterprise subordinate). I successfully configured computer auto-enrollment for a single Windows 7 client by configuring proper security settings on a template I copied in conjunction with establishing Group Policy for 'Certificate Services Client - Auto Enrollment Properties.' The template is a copy of Computer saved as v2 (2003) and the client workstation has read, enroll, and auto-enroll rights. This worked fine - the first time. Then I decided I wanted to simulate certificate expiry and automatic re-enroll. Because my template was set for a year initially, this is obviously too long to wait for a test. I updated my template to have the certificate expire in only 2 hours. I revoked the old certificate on the CA and deleted it from the local certificate store on the client. However, I can no longer automatically enroll for the cert despite the fact it worked the first time. Certutil -pulse has no effect; rebooting the machine has no effect either. I am completely stuck, unable to re-enroll despite having the same Group Policy and security template settings. What should I do next to resolve this? Thanks for reading this and any/all feedback.
May 16th, 2012 8:05pm

For better assistance about Certificates, the Security forum is the better place: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
For GPO: http://social.technet.microsoft.com/Forums/en/winserverGP/threads
Best Regards, Sandesh Dubey. MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
May 16th, 2012 9:48pm

Hi,

Please clean the CRL cache with certutil -urlcache CRL delete first. If the issue persists, please try the following steps.

Autoenrollment will warn the user with a warning dialog box when an autoenrollment failure occurs. This feature is only enabled when user interaction is required on the certificate template. To enable the warning feature for an autoenrollment failure:
1. Open the specified template in the Certificate Templates MMC snap-in.
2. Click the Request Handling tab.
3. Click Prompt the user during enrollment on the Request Handling tab of the certificate template properties.

By default, autoenrollment logs errors/failures and successful enrollments in the Application event log on the client machine. To enable enhanced logging of autoenrollment processes to include warning and informational messages, the following registry values must be created.
User Autoenrollment: HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel"; set value to 0.
Machine Autoenrollment: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel"; set value to 0.

For details: Troubleshooting (Certificate Autoenrollment in Windows Server 2003) http://technet.microsoft.com/en-us/library/cc755801(v=WS.10).aspx

Hope this helps!
Best regards
Elytis Cheng
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Elytis Cheng TechNet Community Support
May 18th, 2012 2:48am
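The steps in the answer above (clear the CRL cache, set AEEventLogLevel for machine autoenrollment, trigger certutil -pulse, read the Application log) can be scripted so the failure reason is captured in one pass. The following is an added example, not code from anyone in this thread; it assumes an elevated PowerShell session on the Windows 7 client, and the wildcard match on the event provider name is an assumption used to avoid hard-coding the exact autoenrollment source name.

```powershell
# Added example (not from the thread): enable verbose machine autoenrollment
# logging, trigger a pulse, and collect the resulting Application-log events.
# Assumes an elevated PowerShell session on the client that fails to re-enroll.

# 1. Clear cached CRLs so a stale revocation list does not mask the real cause.
certutil -urlcache CRL delete | Out-Null

# 2. Enable enhanced machine autoenrollment logging (AEEventLogLevel = 0),
#    creating the key if it does not exist yet.
$aePath = 'HKLM:\Software\Microsoft\Cryptography\Autoenrollment'
if (-not (Test-Path $aePath)) { New-Item -Path $aePath -Force | Out-Null }
New-ItemProperty -Path $aePath -Name 'AEEventLogLevel' -PropertyType DWord -Value 0 -Force | Out-Null

# 3. Note the time, then trigger machine autoenrollment immediately.
$since = Get-Date
certutil -pulse | Out-Null
Start-Sleep -Seconds 15   # give the autoenrollment task time to run and log

# 4. Pull every autoenrollment event written since the pulse. The provider name
#    filter is a wildcard (assumption) so it matches whatever the client logs under.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*AutoEnrollment*' } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 5. If an event says no valid CA can issue the template, confirm on the
#    enterprise CA that the template is actually published; a template the CA
#    does not list gives the client nothing to enroll against.
#    (Run this on the CA, or pass -config CAHost\CAName from the client.)
certutil -CATemplates
```

Events of level Warning or Information now appear alongside errors, so a failed pulse leaves a message naming the template and the reason (for example, that no CA was found to issue it), which narrows the problem to CA-side template publication or enrollment permissions rather than the client's Group Policy.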

Thanks Elytis - with this logging enabled I found an important clue: An Application event log error on my client which states 'a valid certification authority cannot be found to issue this template' when enrollment is attempted with certutil -pulse. Now I'll pursue this issue and see what is going on. Thank you.
May 21st, 2012 10:20am

Did you ever fix it? I ran into the same problem... except on my end, when I try to change the template on the CA to Prompt the user during enrollment, I can't select it because the option is greyed out.
October 13th, 2012 8:48pm
