Hi,
I have created the following environment for my LAB, which whenduplicated at my client in prodcution, does not provide the same results:
RootCA
Issuing SUB CA
I have confirmed my Root and SUB CRL are functioning by opening my Root CA and SUB CA CRL's via the website. They are accessible and functioning. CRL information is there. Delta information is there
Problem:
From a Windows 7 machine, logged on as EnrollAgent - added user to EnrollAgent Template with read and enroll and issued to SubCA
User requests (under current user), the enrollagent cert and cert is approved and installed in Current User\Personal\Certificates
Go to "Enroll on behalf of" and when I select the signing certificate, it does not appear. I waited thinking some sort of replication was holding up proceedings but nothing changes. I have checked the enrollment cert and all are the certification paths
exist and propeties of my cert match the one in my LAB exactly.
I also confirmed the Application Policy was set to Certificate Request Agent (when I tried a duplicated enrollment template)
This works perfectly on my LAB environment but does not work at the client. I double and triple checked all my settings between the 2 but cannot get the enroll on behalf to pick up the install Enrollment agent cert in production
Many Thanks
Jacques

There is an amazing pack of free network admin tools. click here to download it

go to CertSrv.msc MMC snap-in and check if your request appears in Pending Requests or Failed Requests nodes.
http://en-us.sysadmins.lv


There is an amazing pack of free network admin tools. click here to download it

Enrollment Agent Certificate has been issued and exists in both Issued Certificates node of the CA snapin and the current user\personal\certificates of the enrollagent certificates snap-in
Only when you attempt the "enroll on behalf of" does it not appear as the "signing certificate"
Everything works fine in my LAB with exact same configuration, but not in production at the client
Are there any domain-level requirements as LAB is Windows 2008 and client is still 2003 domain-level
Thanks

There is an amazing pack of free network admin tools. click here to download it

make sure if this EA certificate met to all requirements for EOBO for particular certificate template. For example if template requires that EA certificate must contain certain Application and Iassuance policies, default EA may not fit to these requirements.
So you need to check template settings for EA requirements.


http://en-us.sysadmins.lv


There is an amazing pack of free network admin tools. click here to download it

Hi,
Thanks for your help in assisting.
I am using the default enrollment agent template, which as mentioned works fine in my LAB.
So the solution I have does work as this has been confirmed by Gemalto South Africa with regards to their smart card requirements. (.NET V2 Smart card) It also works if I use a duplicated Enrollment agent template (in the LAB), only requirement being
the application policy needs to be set to Certificate request agent and adding the enrollment user with read and enroll.
However the client has the exact same Root and Sub CA configuration, the same CRL and Online Responder configuration, yet the template does not appear when the enrollment agent trys to "EOBO"
Thanks

Jacques Theron Advanced Infrastructure Consultant

Need to support users over the internet? click here try our remote control online beta

what about permissions? Make sure if *enrollment agents* and
*target users* have Read and Enroll permissions on the template you are using for EOBO.
http://en-us.sysadmins.lv


Need to support users over the internet? click here try our remote control online beta

If you are referring to the smart card user template then yes, they both do. However I am not getting past selecting the "signing certificate" step in the EOBE process to even attempt a smart card enrollment as it does not pick the enrollment agent cert
which has been issued successfully and is in the current user\personal\certificates store of the enrollment agentJacques Theron Advanced Infrastructure Consultant

There is an amazing pack of free network admin tools. click here to download it

On Tue, 16 Nov 2010 11:02:56 +0000, Jacquest74 wrote:

If you are referring to the smart card user template then yes, they both do. However I am not getting past selecting the "signing certificate" step in the EOBE process to even attempt a smart card enrollment as it does not pick the enrollment agent
cert which has been issued successfully and is in the current user\personal\certificates store of the enrollment agent

Do you have some place that you can upload a zip file to? If so it would be
helpful for you to run psr.exe and then:
1. Attempt the EOBO operation again.
2. Open certmgr.msc as the enrollment agent user.
3. Show the properties of the enrollment agent cert including the General
tab and the EKU extension.

Paul Adare
MVP - Identity Lifecycle Manager

http://www.identit.ca


There is an amazing pack of free network admin tools. click here to download it

Hi Paul,
I will need to go into the client to do this and are hoping to get this done on Friday 18th. I do already have a copy of the clients enrollment certificate which I have uploaded to my Skydrive account. I have also uploaded the certificate from my LAB,
if that would assist as well as a comparison.
I would just need your MSN details and I can then share that with you so long, then I can go through the process and record it for you when I am at my client again.
Cheers

Jacques Theron Advanced Infrastructure Consultant

Need to support users over the internet? click here try our remote control online beta

I have now gathered the relevant information as requested but I need some method of getting it through to you. I recommend Skydrive but would need your MSN details to add you to the folder permissions ThanksJacques Theron Advanced Infrastructure Consultant

Need to support users over the internet? click here try our remote control online beta

On Fri, 19 Nov 2010 09:31:21 +0000, Jacquest74 wrote:

I have now gathered the relevant information as requested but I need some method of getting it through to you. I recommend Skydrive but would need your MSN details to add you to the folder permissions Thanks

paul_adare AT hotmail.com

Paul Adare
MVP - Identity Lifecycle Manager

http://www.identit.ca


There is an amazing pack of free network admin tools. click here to download it

I have sent a request to collect those files to your hotmail addressJacques Theron Advanced Infrastructure Consultant

There is an amazing pack of free network admin tools. click here to download it