Need assistance with domain controller authentication certificates.
Hello guys, I need help configuring autoenrollment of the domain controller authentication certificate on my Windows 2008 R2 server. I followed Microsoft books and reference links but couldn't get it to work. The only error message is "The permissions on the certificate template do not allow the current user to enroll for this type of certificate." I am only trying to use the default Domain Controller Authentication certificate template with the security permissions Read, Enroll and Autoenroll for the Domain Controllers group, the Enterprise Domain Controllers group and the Enterprise Read-only Domain Controllers group. I need to complete this task in a couple of days. Kindly help me. Thanks & regards, Sanurajan.
October 10th, 2010 8:12pm

So you have started the MMC and added the Certificates console. Did you do it this way? Aren't you running just CERTMGR.MSC? When you add the Certificates console, did you select Local Computer? o.
October 11th, 2010 11:00am

Can you enroll any other certificate template, either for user or computer? o.
October 11th, 2010 11:00am

Thanks Ondrej. I used the Server Manager console and the Certification Authority console to manage the templates. Yes, I have successfully set up autoenrollment for domain computers and web enrollment for a web server. But I am not sure why the Kerberos Authentication and Domain Controller Authentication certificate autoenrollment isn't working. Any help is appreciated. Cheers, Sanurajan.
October 11th, 2010 11:57pm

So the question also contained a possible troubleshooting path. So please: on your Domain Controller, log on locally and start MMC -> Add Snap-in -> Certificates -> Local Computer, expand Personal, right-click -> Request New Certificate. Does this work? If not, what do you see about the templates in question? ondrej.
October 12th, 2010 1:58am

I followed all your steps: after I right-clicked Request New Certificate -> selected Active Directory Enrollment Policy -> it displayed Kerberos Authentication and I selected the same -> clicked Enroll. It displayed a dialog box "Request for Permission to Create a Key" -> I unchecked "Require this password whenever using this key" -> clicked Create key. The error message is displayed: "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. Denied by Policy Module." I have logged on as Domain Administrator, which has Read, Write and Enroll permissions. I even tried with Autoenroll; it still didn't work, so I removed the Autoenroll permission. Thanks. Sanurajan.
October 12th, 2010 2:15am

Well, then it is weird, but we finally have some clues.
a) Your Domain Admins membership does not apply in this scenario, because you are enrolling for a computer, so the request is done under the Domain Controller's own credentials. Then the Domain Controllers group should have the Enroll and Read access to the template.
b) The "Request for Permission to Create a Key" is weird. You said that you didn't modify the default templates? And didn't you install the Certificate Authority with the "Strong private key protection" option enabled? But this must definitely be a clue to your problem. ondrej.
October 12th, 2010 2:34am

Hey, here: check your GPO settings: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System Cryptography: Force strong key protection for user keys stored on the computer. ondrej.
October 12th, 2010 2:36am

Well Ondrej, the permissions set for Domain Controllers, Enterprise Domain Controllers and Enterprise Read-only Domain Controllers are Read, Enroll and Autoenroll; for Domain Admins and Enterprise Admins: Read, Write and Enroll. I did not install the CA with strong private key protection. How do I change it now? I did not modify any settings of the default Kerberos Authentication template, just created a duplicate copy and enabled Read permissions for the Domain Controller groups. I checked the GPO settings and the strong key protection setting is not defined. Thanks, Sanurajan.
October 12th, 2010 3:05am

You created a duplicate? Would you please try it with the original template? Also please try all three ORIGINAL templates: Domain Controller, Domain Controller Authentication and Kerberos Authentication. ondrej.
October 12th, 2010 4:57am

Hi Ondrej, thanks for the reply. I did try with the original templates for Domain Controller, Domain Controller Authentication and Kerberos Authentication. Nothing worked. It displayed "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. Denied by Policy Module." I also tried using MMC -> Certificates -> Local Computer -> Personal -> Request New Certificate: selected Domain Controller template -> same error message; selected Domain Controller Authentication template -> same error message; selected Kerberos Authentication template -> same error message. I seriously think something is wrong with the Domain Controller. Thanks. Sanurajan
October 12th, 2010 7:47pm

OK, then we proceed to the CA part if you are still interested in the troubleshooting. On the CA:
a) ensure that you audit Logon/Logoff attempts and Object Access on the CA
b) ensure that the CA service is auditing all its events (CA - Properties - Auditing)
c) check also that the DC in question is really a member of the Domain Controllers group.
d) do you have any Restricted Groups policy applied to the CA?
e) on the DC, go to REGEDIT, HKLM\Software\Microsoft\Cryptography\CertificateTemplatesCache and delete the whole key CertificateTemplatesCache.
f) from the command line on the DC run CERTUTIL -URLCACHE * DELETE
and then try the enrollment again. ondrej.
October 13th, 2010 2:24am
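
The checklist in the post above, scripted as an added example (this is not code from the thread or from Ondrej). The DC-side functions cover steps c), e) and f): they read the computer account's primary group (Domain Controllers membership is carried in primaryGroupID 516, or 521 for an RODC, and never shows up in memberOf, so checking group membership lists alone is misleading), drop the template and URL caches, trigger an immediate autoenrollment pass with certutil -pulse and read the autoenrollment client's Application log events. The CA-side functions cover steps a) and b) and pull the Certification Services audit events. Step d), Restricted Groups, is not scripted. Assumptions: PowerShell 2.0 on Windows Server 2008 R2 in an elevated session; the account name 'DC01$' in the usage line is a placeholder; Security event IDs 4886, 4887 and 4888 are the standard Certification Services "request received", "issued" and "denied" audits.

```powershell
# Added example (not from the thread). Run the first two functions on the DC,
# the last two on the CA. Assumes PowerShell 2.0 on Windows Server 2008 R2,
# an elevated session, and that 'DC01$' in the usage line is a placeholder.

# ---- DC side -------------------------------------------------------------

function Test-DcGroupMembership {
    # Step c). Domain Controllers (RID 516; 521 for RODCs) is the computer's
    # primary group, so it is carried in primaryGroupID, not in memberOf.
    $sam = $env:COMPUTERNAME + '$'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$sam))"
    [void]$searcher.PropertiesToLoad.Add('primaryGroupID')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer account $sam not found in AD" }
    $pgid = [int]$result.Properties['primarygroupid'][0]
    New-Object PSObject -Property @{
        Account            = $sam
        PrimaryGroupId     = $pgid
        IsDomainController = ($pgid -eq 516 -or $pgid -eq 521)
    }
}

function Reset-TemplateCacheAndRetry {
    # Steps e) and f), then an immediate autoenrollment pass instead of waiting
    # for the next policy refresh. Results land in the Application log under
    # the CertificateServicesClient-AutoEnrollment provider.
    $cacheKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\CertificateTemplatesCache'
    if (Test-Path $cacheKey) { Remove-Item $cacheKey -Recurse -Force }
    certutil -urlcache * delete | Out-Null
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 5
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# ---- CA side -------------------------------------------------------------

function Enable-CaAuditing {
    # Steps a) and b): audit policy subcategories plus the CA's own AuditFilter
    # (127 enables all seven CA audit event classes; certsvc must restart).
    auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    certutil -setreg CA\AuditFilter 127 | Out-Null
    Restart-Service certsvc
}

function Get-CaEnrollmentAudit {
    param([string]$ClientAccount)
    # 4886 = request received, 4887 = issued, 4888 = denied (the message carries
    # the policy module's reason, e.g. the template permission error in this thread).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4886, 4887, 4888 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { -not $ClientAccount -or $_.Message -match [regex]::Escape($ClientAccount) } |
        Select-Object TimeCreated, Id, Message
}

# Usage (DC):  Test-DcGroupMembership; Reset-TemplateCacheAndRetry
# Usage (CA):  Enable-CaAuditing; Get-CaEnrollmentAudit -ClientAccount 'DC01$'
```

A 4888 on the CA paired with no 4886 for the DC's account points at the request never reaching the CA (cache, DCOM, or connectivity); a 4888 with the DC's account in it means the CA's policy module evaluated the request and refused it, which is where template permissions and template version come in.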

Hi Ondrej, yes I am very much interested in troubleshooting. Please see the results of the steps below:
a) ensure that you audit Logon/Logoff attempts and Object Access on the CA - Done
b) ensure that the CA service is auditing all its events (CA - Properties - Auditing) - Done
c) check also that the DC in question is really a member of the Domain Controllers group. - It is a member of the Domain Controllers group only.
d) do you have any Restricted Groups policy applied to the CA? - Not yet any.
e) on the DC, go to REGEDIT, HKLM\Software\Microsoft\Cryptography\CertificateTemplatesCache and delete the whole key CertificateTemplatesCache. - Done
f) from the command line on the DC run CERTUTIL -URLCACHE * DELETE - Done.
and then try the enrollment again. - Enrollment failed.
October 13th, 2010 2:58am

OK then. Check the Application, Security and System logs on the CA. Even success audits/infos may be helpful. ondrej.
October 13th, 2010 3:05am

Hi Ondrej, sorry for the delay. Well, the audit just says the same error message. From your experience, do you think there can be any error from the DC end? Because I tried to enroll a Directory Email Replication certificate and it failed too with the same error message. I just used the default certificate template and did not change any values. The Default Domain Controllers Policy is edited for autoenrollment: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Services Client - Auto-Enrollment. I enabled it and selected both the check boxes in the box. This is driving me crazy, my friend; I don't know what could be misconfigured at the CA end. I strongly feel the DC machine is not included in a specific group which the CA is looking for. Do you know the list of groups the DC machine should be a member of? Thanks, Ondrej.
October 13th, 2010 9:59pm

OK, would you please copy the contents of all the audit logs relevant to this matter - the Certificate Services task category. Also check the Security log for Logon/Logoff events and verify that the DCxx$ account actually logged on to the CA. I would also ensure that the Certificate Template has Authenticated Users with READ permission. ondrej.
October 14th, 2010 2:05am

Hi Ondrej, apologies for the delay. Well, I discovered the resolution over the weekend. All these days I had been trying to configure autoenrollment of version 2 templates using Windows 2008 R2 Standard Edition, whereas this is possible only on Enterprise Edition. I reconfigured the same using Enterprise Edition and everything worked like a charm. I would like to thank you for the help provided. Cheers, Sanurajan.
October 17th, 2010 7:46pm
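
An added example, not from the thread, that checks together the two things the discussion turned on: the template ACL for the DC groups and Authenticated Users (the READ check suggested a few posts up) and each template's schema version against the CA's Windows edition, which was the actual cause here. On Windows Server 2008 and 2008 R2 a Standard Edition CA issues schema version 1 templates only; Domain Controller Authentication, Kerberos Authentication, Directory Email Replication and any duplicated template are version 2 or 3 and need Enterprise or Datacenter (Windows Server 2012 removed that restriction). The "permissions ... do not allow" text is the policy module's generic refusal, so the edition limit and a genuine ACL problem look identical from the client; this script separates them. Assumptions: PowerShell 2.0, an account that can read the Configuration partition, WMI access to the CA host, and the 'CA01\Contoso-CA' config string in the usage line is a placeholder. The parsing of certutil -CATemplates relies on its one-line-per-template output and is an assumption about that format.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0, read access to
# the Configuration partition, WMI access to the CA host, and that the
# 'CA01\Contoso-CA' config string in the usage line is a placeholder.

$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-00e0-0a4b-b1e0c3cd5b3a'  # Certificate-AutoEnrollment extended right
$ReadPropertyBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$WatchedPrincipals = 'Domain Controllers', 'Enterprise Domain Controllers',
                     'Enterprise Read-only Domain Controllers', 'Authenticated Users'

function Get-TemplateRights {
    param([string[]]$Template)   # template cn values, e.g. 'KerberosAuthentication'
    $configNc  = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($entry in $container.Children) {
        $cn = [string]$entry.Properties['cn'][0]
        if ($Template -and $Template -notcontains $cn) { continue }
        $version = [int]$entry.Properties['msPKI-Template-Schema-Version'][0]
        # Resolve SIDs one by one so an orphaned SID in the ACL does not abort the run.
        $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $granted = @()
        foreach ($r in $rules) {
            try { $who = $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { continue }
            $who = ($who -split '\\')[-1]
            if ($WatchedPrincipals -notcontains $who) { continue }
            $what = $null
            if ($r.ObjectType -eq $EnrollRight)         { $what = 'Enroll' }
            elseif ($r.ObjectType -eq $AutoEnrollRight) { $what = 'AutoEnroll' }
            elseif ($r.ObjectType -eq [Guid]::Empty -and (([int]$r.ActiveDirectoryRights -band $ReadPropertyBit) -ne 0)) { $what = 'Read' }
            if ($what) { $granted += "$who=$($r.AccessControlType):$what" }
        }
        New-Object PSObject -Property @{
            Template      = $cn
            SchemaVersion = $version
            Rights        = ($granted | Sort-Object -Unique) -join '; '
        }
    }
}

function Get-CaEditionLimit {
    param([string]$CaHost)
    # OperatingSystemSKU 7/13 = Standard (full/core). Before Windows Server 2012
    # (NT 6.2) a Standard Edition CA issues only schema version 1 templates.
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $CaHost
    $standard = @(7, 13) -contains [int]$os.OperatingSystemSKU
    $pre2012  = [version]$os.Version -lt [version]'6.2'
    New-Object PSObject -Property @{
        Caption            = $os.Caption
        MaxTemplateVersion = $(if ($standard -and $pre2012) { 1 } else { 3 })
    }
}

function Test-DcTemplateIssuable {
    param([string]$CaConfig, [string[]]$Template)
    $caHost = ($CaConfig -split '\\')[0]
    $limit  = Get-CaEditionLimit -CaHost $caHost
    # certutil -CATemplates prints one "cn: display name ..." line per published
    # template plus a trailing "CertUtil: ..." status line (assumed output shape).
    $published = certutil -CATemplates -config $CaConfig |
        Where-Object { $_ -match '^(\S+):\s' -and $_ -notmatch '^CertUtil:' } |
        ForEach-Object { ($_ -split ':')[0] }
    foreach ($t in Get-TemplateRights -Template $Template) {
        $t | Add-Member NoteProperty PublishedOnCa ($published -contains $t.Template) -PassThru |
             Add-Member NoteProperty IssuableByEdition ($t.SchemaVersion -le $limit.MaxTemplateVersion) -PassThru
    }
}

Test-DcTemplateIssuable -CaConfig 'CA01\Contoso-CA' `
    -Template 'DomainController', 'DomainControllerAuthentication', 'KerberosAuthentication' |
    Format-Table Template, SchemaVersion, IssuableByEdition, PublishedOnCa, Rights -AutoSize
```

Read the output in this order: IssuableByEdition false means no ACL change will help and the CA edition (or OS version) is the fix, as it was in this thread; IssuableByEdition true with PublishedOnCa false means the template exists in AD but the CA is not publishing it; only when both are true does the Rights column (Enroll/AutoEnroll for the DC groups, Read for Authenticated Users) decide the outcome.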

