User Certificate Autoenrollment
Hey all,
I've been trying to deploy user certificates for document signing. I am following this article to a T:
http://technet.microsoft.com/en-us/library/cc770857.aspx
However, it's just not working.
When I open my certificate store and I run through the wizard "Automatically Enroll and Retrieve Certificates", the certificate does not show up. If this is blank, then I know it's not going to work. What am I missing? This vague statement at the bottom of the article has me wondering:
"Ensure that all appropriate domain system containers are configured for autoenrollment of user certificates either through the inheriting of Group Policy settings of a parent system container or through explicit configuration."
Thanks!
February 2nd, 2012 10:22am
It means, make sure that the Autoenrollment GPO is enforced at the OU where you have the users either by inheritance or directly.
If you try to request the certificate manually using that template, what result do you get?
What is the output of the command:
certutil -adtemplate "TemplateName"
/Hasain
February 2nd, 2012 1:14pm
okay, well I'm okay on the GPO then.
When I ran certutil, I get:
C:\WINDOWS\system32>certutil -adtemplate "DocumentSignature"
DocumentSignature: Document Signature -- Auto-Enroll
CertUtil: -ADTemplate command completed successfully.
I do not see anything in my certificate store, though. Not sure if I should.
February 2nd, 2012 2:13pm
To get the certificate, best bet is to log on and log off
Can also run certutil -pulse
Brian
February 2nd, 2012 2:20pm
Thanks. I've tried a combination of:
certutil -adtemplate "DocumentSignature"
certutil -pulse
and a complete reboot. Still do not have anything under my certificate store.
Thanks!
February 2nd, 2012 5:18pm
Does your user have auto-enrolment and read access to the template?
Check your registry for HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment which will confirm that the GPO setting has been applied (shouldn't have a value of 0)
February 2nd, 2012 5:35pm
The result from the command certutil -adtemplate "DocumentSignature" shows that you have enabled AutoEnrollment on the certificate template, but you still need to verify that AutoEnrollment has been enabled for the user!
/Hasain
February 2nd, 2012 5:51pm
I deleted my template, and issue. I made a new one.
I ensured that "read", "enroll", "autoenroll" were enabled for "Authenticated Users", and "Domain Users".
I ran:
certutil -adtemplate "DocumentSignature"
certutil -pulse
AND rebooted. Still no certificate.
Hasain, that sounds plausible.
HKEY_CURRENT_USER\Software\Policies\Microsoft\Cryptography\AutoEnrollment\
Doesn't have anything in it. So it's not getting enabled from the Default Domain Policy?
February 2nd, 2012 6:41pm
To verify the autoenrollment setting, run rsop.msc on the client and check the user autoenrollment settings.
/Hasain
February 2nd, 2012 6:51pm
Be sure you have set *user* autoenrollment and not just *machine* autoenrollment as well
Brian
February 2nd, 2012 8:04pm
To verify the autoenrollment setting, run rsop.msc on the client and check the user autoenrollment settings.
/Hasain
February 3rd, 2012 2:43am
Thanks! I found that another GPO had the configuration enabled, but none of the required enrollment options were set. I don't know why, and it took way too long to find. Thanks for rsop. I wouldn't have expected that was the problem in all of this!
February 3rd, 2012 7:50am
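The checks the replies walk through (user vs. machine AEPolicy in the registry, whether the policy is enabled but has no enrollment options set, whether a certificate from the template actually landed in the user store, and a certutil -pulse trigger) gathered into one script. This is an added example, not code from the thread or from Microsoft; the AEPolicy bit meanings in the comments are the commonly documented ones and should be treated as an assumption to verify against your own GPO, and the template name "DocumentSignature" is taken from the thread.

```powershell
# Added example: user-side autoenrollment state check (not from the thread).
param([string]$TemplateName = "DocumentSignature")

# 1. AEPolicy under HKCU is written by the *user* autoenrollment policy,
#    HKLM by the *machine* policy - the distinction Brian points out above.
$paths = @{
    User    = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
    Machine = 'HKLM:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
}
foreach ($scope in $paths.Keys) {
    $ae = Get-ItemProperty -Path $paths[$scope] -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $ae) {
        "$scope autoenrollment: no AEPolicy value (policy not applied at this scope)"
        continue
    }
    $v = $ae.AEPolicy
    # Assumed bit meanings (verify against your GPO):
    #   0x8000 = disabled
    #   0x1    = renew expired / update pending / remove revoked certificates
    #   0x2    = update certificates that use certificate templates
    $state = if ($v -band 0x8000) { 'Disabled' } else { 'Enabled' }
    $opts = @()
    if ($v -band 0x1) { $opts += 'renew/update pending/remove revoked' }
    if ($v -band 0x2) { $opts += 'update certificates that use templates' }
    if ($state -eq 'Enabled' -and $opts.Count -eq 0) {
        # The failure mode found at the end of the thread: enabled, but no options.
        $opts += 'NO OPTIONS SET - will not enroll from templates'
    }
    "$scope autoenrollment: $state (AEPolicy=0x{0:X}) [{1}]" -f $v, ($opts -join '; ')
}

# 2. Look for a certificate issued from the template in the user's store.
#    The template is recorded in one of two extensions:
#      1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2+ templates)
#      1.3.6.1.4.1.311.20.2 = Certificate Template Name (v1 templates)
#    Assumption: Format() resolves the template name into the text it returns.
$templateOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')
$found = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Extensions | Where-Object {
        ($templateOids -contains $_.Oid.Value) -and
        ($_.Format($false) -match [regex]::Escape($TemplateName))
    }
}

if ($found) {
    $found | Format-Table Subject, NotAfter, Thumbprint -AutoSize
} else {
    "No certificate from template '$TemplateName' in Cert:\CurrentUser\My."
    "Triggering user autoenrollment (same effect as logon or certutil -pulse):"
    certutil -pulse
}
```

Run it in the affected user's session; if the HKCU line reports no AEPolicy value or "NO OPTIONS SET", rsop.msc will show which GPO is supplying (or overriding) the user autoenrollment setting.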