Hi, I have created the following environment for my LAB, which whenduplicated at my client in prodcution, does not provide the same results: RootCA Issuing SUB CA I have confirmed my Root and SUB CRL are functioning by opening my Root CA and SUB CA CRL's via the website. They are accessible and functioning. CRL information is there. Delta information is there Problem: From a Windows 7 machine, logged on as EnrollAgent - added user to EnrollAgent Template with read and enroll and issued to SubCA User requests (under current user), the enrollagent cert and cert is approved and installed in Current User\Personal\Certificates Go to "Enroll on behalf of" and when I select the signing certificate, it does not appear. I waited thinking some sort of replication was holding up proceedings but nothing changes. I have checked the enrollment cert and all are the certification paths exist and propeties of my cert match the one in my LAB exactly. I also confirmed the Application Policy was set to Certificate Request Agent (when I tried a duplicated enrollment template) This works perfectly on my LAB environment but does not work at the client. I double and triple checked all my settings between the 2 but cannot get the enroll on behalf to pick up the install Enrollment agent cert in production Many Thanks Jacques

go to CertSrv.msc MMC snap-in and check if your request appears in Pending Requests or Failed Requests nodes.http://en-us.sysadmins.lv

Enrollment Agent Certificate has been issued and exists in both Issued Certificates node of the CA snapin and the current user\personal\certificates of the enrollagent certificates snap-in Only when you attempt the "enroll on behalf of" does it not appear as the "signing certificate" Everything works fine in my LAB with exact same configuration, but not in production at the client Are there any domain-level requirements as LAB is Windows 2008 and client is still 2003 domain-level Thanks

make sure if this EA certificate met to all requirements for EOBO for particular certificate template. For example if template requires that EA certificate must contain certain Application and Iassuance policies, default EA may not fit to these requirements. So you need to check template settings for EA requirements. http://en-us.sysadmins.lv

Hi, Thanks for your help in assisting. I am using the default enrollment agent template, which as mentioned works fine in my LAB. So the solution I have does work as this has been confirmed by Gemalto South Africa with regards to their smart card requirements. (.NET V2 Smart card) It also works if I use a duplicated Enrollment agent template (in the LAB), only requirement being the application policy needs to be set to Certificate request agent and adding the enrollment user with read and enroll. However the client has the exact same Root and Sub CA configuration, the same CRL and Online Responder configuration, yet the template does not appear when the enrollment agent trys to "EOBO" Thanks Jacques Theron Advanced Infrastructure Consultant

what about permissions? Make sure if *enrollment agents* and *target users* have Read and Enroll permissions on the template you are using for EOBO.http://en-us.sysadmins.lv

If you are referring to the smart card user template then yes, they both do. However I am not getting past selecting the "signing certificate" step in the EOBE process to even attempt a smart card enrollment as it does not pick the enrollment agent cert which has been issued successfully and is in the current user\personal\certificates store of the enrollment agentJacques Theron Advanced Infrastructure Consultant

On Tue, 16 Nov 2010 11:02:56 +0000, Jacquest74 wrote: If you are referring to the smart card user template then yes, they both do. However I am not getting past selecting the "signing certificate" step in the EOBE process to even attempt a smart card enrollment as it does not pick the enrollment agent cert which has been issued successfully and is in the current user\personal\certificates store of the enrollment agent Do you have some place that you can upload a zip file to? If so it would be helpful for you to run psr.exe and then: 1. Attempt the EOBO operation again. 2. Open certmgr.msc as the enrollment agent user. 3. Show the properties of the enrollment agent cert including the General tab and the EKU extension. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca

Hi Paul, I will need to go into the client to do this and are hoping to get this done on Friday 18th. I do already have a copy of the clients enrollment certificate which I have uploaded to my Skydrive account. I have also uploaded the certificate from my LAB, if that would assist as well as a comparison. I would just need your MSN details and I can then share that with you so long, then I can go through the process and record it for you when I am at my client again. Cheers Jacques Theron Advanced Infrastructure Consultant

I have now gathered the relevant information as requested but I need some method of getting it through to you. I recommend Skydrive but would need your MSN details to add you to the folder permissions ThanksJacques Theron Advanced Infrastructure Consultant

On Fri, 19 Nov 2010 09:31:21 +0000, Jacquest74 wrote: I have now gathered the relevant information as requested but I need some method of getting it through to you. I recommend Skydrive but would need your MSN details to add you to the folder permissions Thanks paul_adare AT hotmail.com Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca

I have sent a request to collect those files to your hotmail addressJacques Theron Advanced Infrastructure Consultant