Enrollment Agent Issue
Windows Server 2008 (RTM) domain with separate Windows Server 2008 (RTM) Enterprise Subordinate CA. Using Vista as enrollment workstation. Domain admin account ("Agent") with Enrollment Agent cert requesting V3 SmartCard User cert on behalf of another user ("User"). Only change to V3 SmartCard User cert is to allow export of private key (for import to USB token). New SmartCard User template not available to Agent; if "Show all templates" is checked, message on SmartCard User template is "The certificate template requires too many RA signatures. Only one RA signature is allowed. Multiple request agent signatures are not permitted on a certificate request." Same behavior if cert enrollment is attempted from CA console. Attempts to enroll using original SmartCard User cert fails with Certificate Services Client-Cert Enroll Event ID 13 (80094009). Any help would be appreciated.
February 7th, 2008 10:05pm

Checkthe "Issuance Requirements" tab (or something named like that) in the enrollment properties and look at the number of authorized signatures. Let me know what you found...
Free Windows Admin Tool Kit Click here and download it now
February 12th, 2008 10:54pm

The Issuance Requirements page is blank--default settings only--and places no restrictions on enrollment.
February 15th, 2008 10:23pm

I am unable to duplicate this... Have you tried requesting the cert directly by the user after granting the user all kinds of Admin rights? If that works, try keeping the Admin permissions on that user and have another admin request on behalf of that user.
Free Windows Admin Tool Kit Click here and download it now
February 22nd, 2008 5:02pm

Hi, I do have the same issue as Ron, I think its because of the templat (we used a copy of an original user certificate) and if I enroll the template to be issued it is always in windows 2003 "mode", this means it is not supporting 2000 CAs. If you for example enroll on behalf as a user the enrollment agent is based on a Windows 2000 CA, so I think therefore the enrollment Agent is not supporting creation of certificates in windows 2003 orwindows 2008mode.are there any news regarding this issue!?
May 20th, 2009 11:31am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics