Enrolling user from different Active Directory
Hello, I have a configuration like follows:

Windows 2008 Server1: AD Domain1, MyCA
Windows 2003 Server2: AD Domain2
Windows 7 Client1: joined to Domain1

All the users are in Domain2, but the admin is in Domain1. Domain1\AdminAccount has an enrollment agent certificate from MyCA. Domain2 has the RootCA certificate and Domain Controller certificate from MyCA as described in this article (http://support.microsoft.com/kb/281245).

I want Domain1\AdminAccount to issue a certificate for Domain2\User1 by logging in from Client1. I have been following this article (http://technet.microsoft.com/en-us/library/cc770802.aspx) to enroll for certificates on behalf of other users. I do not see Domain2 listed in the browse user dialog. Both ADs are on the same network.

How can I enroll users for certificates from a different Active Directory?

** I am not allowed to create any trust relationship from Domain2 to Domain1.
October 18th, 2012 9:56pm

Hi, thanks for your post. Are the two domains in the same forest? Have you established a two-way trust between the domains? If they are not in the same forest, I think it's advised to read the below article first:

AD CS: Deploying Cross-forest Certificate Enrollment
http://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx

Please note that before Windows 2008 R2, a CA cannot enroll cross-forest. If all domains are in the same forest with a trust relationship, it should work.

Best Regards,
Aiden Cao
TechNet Community Support
October 18th, 2012 11:08pm

If the two domains are not in the same forest and you are not allowed to create any trust between them, then you will not be able to pick users from Domain2 the way you describe it. Given the restrictions above, you can still issue certificates for the users in Domain2, but only by manually supplying the necessary subject name information in the request, including the user DN and UPN for Domain2.

/Hasain
October 19th, 2012 1:49pm
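As an added example (not from Hasain's post or from Microsoft), this is how the "manually supplied subject" approach looks with a certreq INF: the Domain2 user's DN and UPN are written into the request directly instead of being picked from the browse dialog. The DN, UPN, template name and CA config string are assumed placeholders.

```powershell
# Added example, not from the thread. Builds a certificate request for a Domain2 user
# from a Domain1 client by supplying the DN and UPN by hand (no trust needed to look them up).
$subjectDn = "CN=User1,CN=Users,DC=domain2,DC=example"   # assumed DN of Domain2\User1
$upn       = "user1@domain2.example"                      # assumed UPN; must equal the AD account's UPN
$template  = "SmartcardLogon"                             # assumed template name published on MyCA
$caConfig  = "SERVER1\MyCA"                               # assumed CA config string (host\CA name)

$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$subjectDn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $template

[Extensions]
; Subject Alternative Name (2.5.29.17) carrying the UPN that smart card logon maps to the account
2.5.29.17 = "{text}"
_continue_ = "upn=$upn"
"@

Set-Content -Path .\user1.inf -Value $inf -Encoding Ascii
certreq -new .\user1.inf .\user1.req                    # generates the key on the card (prompts for PIN)
certreq -submit -config $caConfig .\user1.req .\user1.cer
certreq -accept .\user1.cer                             # binds the issued certificate to the key
```

If the template on MyCA is configured to require an enrollment agent signature, the .req has to be countersigned with Domain1\AdminAccount's agent certificate before submission; this block covers only building the request with the manual subject information.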


Thanks for your help. I was able to create a smart card. When I try to plug it in to the domain joined machine, I get the following error:

"The Kerberos protocol encountered an error while validating the KDC certificate during smart card logon"

Upon looking at the event logs, I found the following error:

"The client has failed to validate the domain controller certificate for <<DomainServerName>>. The following error was returned from the certificate validation process: A certificate chain could not be built to a trusted root authority."

This is what I found on MSDN related to this error: http://technet.microsoft.com/en-us/library/cc734096(v=ws.10).aspx
"At the command prompt, type certutil -dcinfo verify, and then press ENTER."

This is the output of certutil -dcinfo verify on my domain controller:

-----------------------------------------------------------
0: DEVSERVER1
*** Testing DC[0]: DEVSERVER1
** Enterprise Root Certificates for DC DEVSERVER1
No certs in Ent Root store!
** KDC Certificates for DC DEVSERVER1
0 KDC certs for DEVSERVER1
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)
CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.
----------------------------------------------------------------

Since my CA is not in the same domain as the AD and Domain Controller, I used the approach to issue Domain Controller certificates listed in the following article (and the next two articles in the sequence): http://technet.microsoft.com/en-us/library/cc783835(v=ws.10).aspx

The article does not say anything about KDC certificates. I could not find much information related to KDC certificates anywhere. Can someone please guide me around this error?

I found the following events on the AD/DC machine. I don't know if they are relevant.

--------------------------------------------------------------------------------------
Internal event: The LDAP server returned an error.
Additional Data
Error value: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points ref 1: '<<DomainName>>'

Internal event: The LDAP server returned an error.
Additional Data
Error value: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
----------------------------------------------------------------------------------------

Thanks.
October 23rd, 2012 8:19pm
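As an added example (not part of the thread), these are the checks on the Domain1 client that correspond to the "certificate chain could not be built to a trusted root authority" failure above. It assumes MyCA's root certificate has "MyCA" in its subject and that the domain controller's certificate has been exported to .\dc.cer.

```powershell
# Added example, not from the thread. Run on the Domain1 client where smart card logon failed.
# Assumptions: the CA subject contains "MyCA"; the DC certificate was exported to .\dc.cer
# (for example from the DC's Local Computer\Personal store).
$caName = "MyCA"

# 1. Trusted Root store on this machine: without MyCA here the client cannot chain the DC cert.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$caName*" }
if ($root) { "Root present: $($root.Thumbprint)" }
else       { Write-Warning "$caName root is missing from LocalMachine\Root" }

# 2. Enterprise NTAuth store (published in AD; KB 281245 places the CA certificate here).
certutil -viewstore -enterprise NTAuth

# 3. Does the DC certificate chain to a trusted root, and are its CRL/AIA URLs reachable?
certutil -verify -urlfetch .\dc.cer

# 4. EKUs on the DC certificate. 1.3.6.1.5.2.3.5 is KDC Authentication, present in the
#    Kerberos Authentication template but not in the older Domain Controller template.
$dc   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path .\dc.cer).Path)
$ekus = ($dc.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }).EnhancedKeyUsages |
        ForEach-Object { "$($_.FriendlyName) ($($_.Value))" }
$ekus
if (-not ($ekus -match "1\.3\.6\.1\.5\.2\.3\.5")) {
    Write-Warning "DC certificate carries no KDC Authentication EKU"
}
```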

The second question I have is: I had to manually push the CA's root certificate to the Trusted store of the client workstation. Is there a way this can be pushed directly by AD? I already have the CA's root certificate in AD's NTAuth (as per the article http://support.microsoft.com/kb/281245).
October 23rd, 2012 8:21pm


Hi, please post this question in the Security forum: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

Best regards,
Abhijit Waikar. MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Blog: http://abhijitw.wordpress.com
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
November 3rd, 2012 4:24pm

Hi, how are things going? I just want to check if the information provided was helpful. If there is any update or concern, please feel free to let us know.

Best Regards,
Aiden Cao
TechNet Community Support
November 3rd, 2012 7:20pm

