Windows 2008 R2 - Enroll on Behalf does not pick up Enrollment Cert
Hi,
I have created the following environment for my LAB, which, when duplicated at my client in production, does not provide the same results:
RootCA
Issuing SUB CA
I have confirmed my Root and SUB CRLs are functioning by opening my Root CA and SUB CA CRLs via the website. They are accessible and functioning. CRL information is there. Delta information is there.
Problem:
From a Windows 7 machine, logged on as EnrollAgent - added the user to the EnrollAgent template with Read and Enroll and issued it to the SubCA.
The user requests (under Current User) the Enrollment Agent cert; the cert is approved and installed in Current User\Personal\Certificates.
Go to "Enroll on behalf of" and, when I select the signing certificate, it does not appear. I waited, thinking some sort of replication was holding up proceedings, but nothing changes. I have checked the enrollment cert: all the certification paths exist and the properties of my cert match the one in my LAB exactly.
I also confirmed the Application Policy was set to Certificate Request Agent (when I tried a duplicated enrollment template).
This works perfectly in my LAB environment but does not work at the client. I double- and triple-checked all my settings between the two but cannot get Enroll on Behalf Of to pick up the installed Enrollment Agent cert in production.
Many Thanks
Jacques
November 15th, 2010 5:22am
Go to the CertSrv.msc MMC snap-in and check if your request appears in the Pending Requests or Failed Requests nodes.
http://en-us.sysadmins.lv
November 15th, 2010 5:51am
The Enrollment Agent certificate has been issued and exists both in the Issued Certificates node of the CA snap-in and in Current User\Personal\Certificates of the EnrollAgent user's Certificates snap-in.
Only when you attempt "Enroll on behalf of" does it not appear as the "signing certificate".
Everything works fine in my LAB with the exact same configuration, but not in production at the client.
Are there any domain-level requirements? The LAB is at Windows 2008 and the client is still at 2003 domain functional level.
Thanks
November 15th, 2010 9:37am
Make sure this EA certificate meets all the requirements for EOBO for the particular certificate template. For example, if the template requires that the EA certificate contain certain Application and Issuance policies, the default EA certificate may not meet these requirements.
So you need to check the template settings for EA requirements.
http://en-us.sysadmins.lv
November 15th, 2010 11:22am
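As an added example (not posted by anyone in this thread), the following PowerShell script, run as the enrollment agent user, lists every certificate in that user's personal store and reports why each one would or would not qualify as an EOBO signing certificate: it checks for the Certificate Request Agent application policy (OID 1.3.6.1.4.1.311.20.2.1), a private key, the validity period and whether the chain builds with online revocation checking. The function name `Test-EnrollmentAgentCert` is assumed, not a built-in cmdlet.

```powershell
# Added example, not from the thread. Run as the enrollment agent user.
# Certificate Request Agent application policy (szOID_ENROLLMENT_AGENT)
$craOid = '1.3.6.1.4.1.311.20.2.1'
# Template extensions: v1 "Certificate Template Name" and v2+ "Certificate Template Information"
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Test-EnrollmentAgentCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $reasons = @()

    # Look for the Certificate Request Agent OID in the Enhanced Key Usage extension
    $hasCra = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $craOid) { $hasCra = $true }
            }
        }
    }
    if (-not $hasCra)              { $reasons += 'no Certificate Request Agent application policy' }
    if (-not $Cert.HasPrivateKey)  { $reasons += 'no private key in this store' }

    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $reasons += 'outside validity period' }

    # Build the chain with online revocation checking; a CRL/AIA problem shows up here
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($Cert)) {
        $reasons += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }

    $template = $Cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Template   = ($template -join '; ')
        Usable     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-EnrollmentAgentCert $_ } | Format-List
```

A certificate with `Usable` set to True is one the "Enroll on behalf of" wizard should offer as a signing certificate; the `Reasons` field for the others points at what to compare against the LAB certificate.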
Hi,
Thanks for your help in assisting.
I am using the default Enrollment Agent template, which, as mentioned, works fine in my LAB.
So the solution I have does work, as this has been confirmed by Gemalto South Africa with regard to their smart card requirements (.NET V2 smart card). It also works if I use a duplicated Enrollment Agent template (in the LAB), the only requirement being that the application policy needs to be set to Certificate Request Agent and the enrollment user is added with Read and Enroll.
However, the client has the exact same Root and Sub CA configuration, the same CRL and Online Responder configuration, yet the template does not appear when the enrollment agent tries to "EOBO".
Thanks
Jacques Theron Advanced Infrastructure Consultant
November 16th, 2010 2:52am
What about permissions? Make sure that *enrollment agents* and *target users* have Read and Enroll permissions on the template you are using for EOBO.
http://en-us.sysadmins.lv
November 16th, 2010 5:32am
If you are referring to the smart card user template then yes, they both do. However, I am not getting past selecting the "signing certificate" step in the EOBO process to even attempt a smart card enrollment, as it does not pick up the enrollment agent cert, which has been issued successfully and is in the Current User\Personal\Certificates store of the enrollment agent.
Jacques Theron Advanced Infrastructure Consultant
November 16th, 2010 6:03am
On Tue, 16 Nov 2010 11:02:56 +0000, Jacquest74 wrote:
If you are referring to the smart card user template then yes, they both do. However, I am not getting past selecting the "signing certificate" step in the EOBO process to even attempt a smart card enrollment, as it does not pick up the enrollment agent cert, which has been issued successfully and is in the Current User\Personal\Certificates store of the enrollment agent.
Do you have some place that you can upload a zip file to? If so, it would be helpful for you to run psr.exe and then:
1. Attempt the EOBO operation again.
2. Open certmgr.msc as the enrollment agent user.
3. Show the properties of the enrollment agent cert, including the General tab and the EKU extension.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
November 16th, 2010 6:17am
Hi Paul,
I will need to go into the client to do this and am hoping to get this done on Friday 18th. I do already have a copy of the client's enrollment certificate, which I have uploaded to my SkyDrive account. I have also uploaded the certificate from my LAB, if that would assist as well, as a comparison.
I would just need your MSN details and I can then share that with you so long; then I can go through the process and record it for you when I am at my client again.
Cheers
Jacques Theron Advanced Infrastructure Consultant
November 18th, 2010 2:12am
I have now gathered the relevant information as requested, but I need some method of getting it through to you. I recommend SkyDrive but would need your MSN details to add you to the folder permissions. Thanks
Jacques Theron Advanced Infrastructure Consultant
November 19th, 2010 4:32am
On Fri, 19 Nov 2010 09:31:21 +0000, Jacquest74 wrote:
I have now gathered the relevant information as requested, but I need some method of getting it through to you. I recommend SkyDrive but would need your MSN details to add you to the folder permissions. Thanks
paul_adare AT hotmail.com
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
November 19th, 2010 4:55am
I have sent a request to collect those files to your Hotmail address.
Jacques Theron Advanced Infrastructure Consultant
November 19th, 2010 7:15am