I have Windows 7 Ent 32 bit. I have in personal local certificate store Enrollemnt agent certificate, but when I try to issue certificate fo Smart Card then Enroll on behalf wizard do not see this signing certificate, that window is empty. WHEN I hit Browse I got this: "No certificate available. No certificates meet the application criteria. Click OK to continue. What is wrong with my computer because other workstation works well?

Hi, Thanks for posting in Microsoft TechNet Forum. To Enroll On Behalf Of other user certificates, you need to obtain Enrollment Agent Certificate. I suspect this is related to your Enrollment Agent Certificate that stored in personal local certificate. To configure the smart card enrollment agent, follow these steps: 1. Log on to the domain with the same account. This account requires no special rights and can be a simple domain user. 2. Configure the Certificates MMC snap-in. 3. Open the Personal folder, right-click in the right-hand pane, and then click All Tasks. 4. Click Request New Certificate. 5. Complete the Certificate Request Wizard and request an enrollment agent certificate. Hope it helps. Alex Zhao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Why do I need to request again the same certificate? I have it allready on my PC.

Hi, I see. But how and when did you request this certificate? As you cannot find Enrollment Agent Certificate, to request it again would let us find whether this is related to your previous certificate. Set Up and Use a Smart Card Enrollment Station Alex Zhao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, I am just writing to check the status of this thread. What is the latest status of this issue? Do you have any further questions or concerns? Please feel free to let us know. Alex Zhao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts. Alex Zhao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

I get the same problem. My observations: 1. Only the first user("UserA"), who get "enrollment agent" certificate on the PC, can do "enroll on behalf". 2. Another user("UserB") on the same PC can get "enrollment agent" certificate, but can't do "enroll on behalf", he get error "No certificates meet the application criteria" 3. Then "userA" can get get "enrollment agent" certificate on another PC, but can't do "enroll on behalf", he get error "No certificates meet the application criteria"

Solution was to check NTAuth store. And if it is empty for that user than you can't enroll on behalf. You must import in local NTAuth store isssuing CA certificate. To do it automaticaly you must change Domain Group policy and allow automaticaly enroll in Computer configuration section. Br, Kaspars

In my situation NTAUth is correct on both computers.