PKI Autoenrollment results in two certificates enrolled

We need to autoenroll certificates to our servers and clients to be used for RDS.

The Auto-enrollment is set through "Public Key Policies/Certificate Services Client - Auto-Enrollment Settings", where it gets deployed nicely.

For RDS security we also have to set the certificate template under "Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security".

Unfortunately, when we set both settings we receive two times the same certificate from the same template and pki deployed! This pollutes the pki when you want to serve a bunch of systems.

It is worth mentioning that these certs are equal in terms of template, pki and key usage - they differ only in date of issue, by about 10 seconds.

We also checked the debug output for certificate enrollment, and found that the first certificate is requested by the "svchost.exe" which is expected while the second one is requested by "taskhost.exe".

Interestingly, if we delete both certs we then receive only one new certificate! That would suggest that the received cert is actually satisfying both GP settings...


May 28th, 2015 3:58am

Hi,

>>Unfortunately, when we set both settings we receive two times the same certificate from the same template and pki deployed! This pollutes the pki when you want to serve a bunch of systems.

Based on the description, if we try to temporarily disable the RDS security setting, will this kind of situation persist?

Besides, we can try to enable auditing to check if more information can be found about the request of the certificate.  

To enable auditing, we need to enable the following policy setting:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access

and then we navigate to the CA server in the CA management console, right-click it and choose Properties, go to the Auditing tab, and tick the option "Issue and manage certificate requests".

Regarding auditing Certification Services, the following article can be referred to for more information.

Audit Certification Services

https://technet.microsoft.com/en-us/library/dd772671(v=ws.10).aspx

Best regards,

Frank Shen

May 28th, 2015 11:41pm
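
A check for the symptom described in this thread, as an added example that is not part of the original posts: it lists certificate pairs with the same subject, issuer and template extension whose validity start times fall within a short window. The function names, the 60-second window and the sample records are assumptions of this example.

```powershell
# Added example. Assumption: a "duplicate" is two certificates with the same subject,
# issuer and template extension whose NotBefore values lie within a short window.
$TemplateOids = @(
    '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 and later templates)
    '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
)

function Get-EnrollmentRecord {
    param([Parameter(ValueFromPipeline = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    process {
        $ext = $Cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } |
               Select-Object -First 1
        [pscustomobject]@{
            Subject    = $Cert.Subject
            Issuer     = $Cert.Issuer
            # Raw extension bytes: the same template yields the same bytes, so no parsing is needed
            Template   = if ($ext) { [Convert]::ToBase64String($ext.RawData) } else { '' }
            NotBefore  = $Cert.NotBefore
            Thumbprint = $Cert.Thumbprint
        }
    }
}

function Find-DuplicateEnrollment {
    param([object[]]$Record, [int]$WindowSeconds = 60)
    $Record | Where-Object { $_ } | Group-Object Subject, Issuer, Template |
        Where-Object { $_.Count -gt 1 } | ForEach-Object {
            $sorted = @($_.Group | Sort-Object NotBefore)
            for ($i = 1; $i -lt $sorted.Count; $i++) {
                $gap = ($sorted[$i].NotBefore - $sorted[$i - 1].NotBefore).TotalSeconds
                if ($gap -le $WindowSeconds) {   # a renewal months later is not flagged
                    [pscustomobject]@{ Subject = $sorted[$i].Subject; First = $sorted[$i - 1].Thumbprint
                                       Second = $sorted[$i].Thumbprint; GapSeconds = [int]$gap }
                }
            }
        }
}

# Constructed sample records (not real certificates): one pair issued 10 s apart,
# one later renewal of the same subject, and one unrelated host.
$t = [datetime]'2015-05-28T03:40:00'
$sample = @(
    [pscustomobject]@{ Subject='CN=rds01.example.test'; Issuer='CN=Example CA'; Template='constructed-A'; NotBefore=$t;                Thumbprint='SAMPLE-1' }
    [pscustomobject]@{ Subject='CN=rds01.example.test'; Issuer='CN=Example CA'; Template='constructed-A'; NotBefore=$t.AddSeconds(10); Thumbprint='SAMPLE-2' }
    [pscustomobject]@{ Subject='CN=rds01.example.test'; Issuer='CN=Example CA'; Template='constructed-A'; NotBefore=$t.AddDays(300);   Thumbprint='SAMPLE-3' }
    [pscustomobject]@{ Subject='CN=rds02.example.test'; Issuer='CN=Example CA'; Template='constructed-A'; NotBefore=$t;                Thumbprint='SAMPLE-4' }
)
Find-DuplicateEnrollment -Record $sample

# The same check against the local machine store of a server or client:
Find-DuplicateEnrollment -Record (Get-ChildItem Cert:\LocalMachine\My | Get-EnrollmentRecord)
```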
