CA autoenroll not working

    Question

  • Hi,

    I'm having a hard time finding a solution to my problem. First of all, a bit of background to give the bigger picture of what I'm doing.

    I have 3 Domain Controllers: 2x Windows Server 2003 R2 SP2 (AD1, AD2) and 1x Windows Server 2012 (AD3). The PDC and all FSMO roles are on Windows Server 2003 R2. The migration to Server 2012 is my next mission after getting PKI to work.

    I have 3 CA servers (Offline Root CA - non-domain; Issuing CA - domain; Revocation CA/OCSP - domain). All Server 2012.

    The problem is that autoenroll for computer and user is turned on, and from RSoP I can see that the GPO is applied. But what happens is that when I use gpupdate /force (or restart), no certificate is requested. At the same time, when I use the MMC and request a certificate manually, everything works and the certificate is requested. I have tried turning off all the firewalls on all the computers. I can't see any denial on the Cisco firewall, so all the traffic is allowed. From the client computer I have tried certutil -pulse, but no use. Event Viewer shows me:

    Certificate enrollment for DOMAIN\user is successfully authenticated by policy server (Event ID 65)
    Certificate enrollment for DOMAIN\user successfully load policy from policy server (Event ID 64)

    I have done the same thing and policy in many organisations and everything works like a charm. Now I don't understand what is wrong or what I am missing. Is there anything I can do to monitor what is wrong?

    Any help would be appreciated,

    Taavi

    Friday, October 25, 2013 10:24 AM

Answers

  • Hi!

    The problem has finally found a solution! As our IT management team is large, it turned out that it was a Cisco ASA problem. Everything started to work right after the Cisco ASA firmware was upgraded to the latest version. As we have two other Cisco ASA firewalls in another location that have the penultimate firmware version and there autoenrollment is not working, it means that it must be the very latest one to get that to work. It seems that something has changed in the RPC protocol or somewhere else that Cisco can't handle, even if you use any-any rules and turn all security layers off! We checked the Wireshark and tcpdump captures from all the network devices we have between the machine and the servers, and it turned out that the Cisco ASA was the problem point between the machines and the servers. It just lost the CA response packets, even though it let the request packets from the machine past! Such a weird situation and a lot of wasted time, but at last the solution was in a network device :)

    Hope that it will help someone in the future!

    • Marked as answer by TaaviSa Thursday, July 24, 2014 6:26 AM
    Thursday, July 24, 2014 6:26 AM

All replies

  • Did you add the appropriate permission to the correct security groups on your certificate template?

    For auto-enrollment, you need Read, Enroll, Autoenroll.

    Are the certificate templates available on your CA?

    rgds

    Johan


    Johan Loos

    Friday, October 25, 2013 11:45 AM
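    One way to check the three template permissions Johan lists, as an added example (not code from the thread or from Microsoft): it reads the template's ACL from the Configuration partition and reports, per principal, which of Read, Enroll and Autoenroll are granted. It assumes the RSAT ActiveDirectory module is installed, that it runs as a domain user, and that "Computer" (the CN of the default Computer template) stands in for your template's CN; the CA config string at the end is a placeholder.

```powershell
# Added example (not code from the thread). Lists who holds Read, Enroll and Autoenroll
# on a certificate template by reading its ACL in the Configuration partition.
# Assumptions: the RSAT ActiveDirectory module is installed and you run as a domain user;
# "Computer" is the CN of the default Computer template, substitute your template's CN
# (the display name without spaces).
Import-Module ActiveDirectory

$templateCN = 'Computer'
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$templateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Enroll and Autoenroll are extended rights; these GUIDs are the schema-defined
# controlAccessRight identifiers and are identical in every forest.
$extendedRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

$acl = Get-Acl -Path "AD:\$templateDN"
$byPrincipal = @{}
foreach ($ace in $acl.Access) {
    # Deny ACEs are ignored here; if you use them, resolve them against group membership too.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $granted = @()
    $r = $ace.ActiveDirectoryRights
    if ($r.HasFlag($ADR::GenericAll)) {
        $granted += 'Read', 'Enroll', 'Autoenroll'          # Full Control implies all three
    } else {
        if ($r.HasFlag($ADR::ReadProperty)) { $granted += 'Read' }
        if ($r.HasFlag($ADR::ExtendedRight)) {
            if ($ace.ObjectType -eq [guid]::Empty) {
                $granted += 'Enroll', 'Autoenroll'            # ACE grants "all extended rights"
            } elseif ($extendedRights.ContainsKey($ace.ObjectType.ToString())) {
                $granted += $extendedRights[$ace.ObjectType.ToString()]
            }
        }
    }
    if ($granted.Count -eq 0) { continue }
    # Several ACEs for the same principal add up, so merge them before judging.
    $id = $ace.IdentityReference.Value
    $existing = if ($byPrincipal.ContainsKey($id)) { $byPrincipal[$id] } else { @() }
    $byPrincipal[$id] = @(($existing + $granted) | Select-Object -Unique)
}

# The enrolling account, or a group it belongs to, needs all three rights.
foreach ($id in ($byPrincipal.Keys | Sort-Object)) {
    $have    = $byPrincipal[$id]
    $missing = @(@('Read', 'Enroll', 'Autoenroll') | Where-Object { $have -notcontains $_ })
    $status  = if ($missing.Count) { 'missing ' + ($missing -join ', ') } else { 'OK for autoenrollment' }
    '{0,-45} {1,-28} {2}' -f $id, ($have -join ', '), $status
}

# The template must also be published on the issuing CA; compare against the CA's own
# list (placeholder config string, "host\CA common name"):
#   certutil -CATemplates -config "ISSUINGCA\Contoso Issuing CA"
```

    Run it on any domain-joined machine with RSAT; a principal that shows "missing Autoenroll" can still enroll by hand through the MMC, which is exactly the symptom in this thread, so it is worth checking before looking at the network.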
  • Hi,

    Thank you for your reply!

    I have all the correct security settings in the Security tab. I have tried it many ways: first using a global group with "Domain Computers" inside the group, and then just Domain Users alone. All the certificates are available, as I can enroll them manually. Only autoenroll is not working.

    Can anybody describe in detail how autoenroll works? I mean, who is asking for certificates from whom? Does the Windows client ask for certificates directly from the issuing CA server, or does the DC do that? I publish my user certificates to AD as well, but no certificates get there if I autoenroll. If I do it manually, the certificate appears and everything works.

    Very weird situation :S

    Taavi

    Friday, October 25, 2013 12:06 PM
    Check out the following link: http://technet.microsoft.com/en-us/library/cc787781(v=ws.10).aspx

    Depending on which group you add to your certificate template, you need to be sure that the GPO is configured for auto-enrollment and that the GPO is linked to the appropriate OU.


    Johan Loos

    Friday, October 25, 2013 12:32 PM
  • Hi Taavi,

    Is this issue solved by now?

    If it is, would you please share the solution? That would be very beneficial to other people who have similar problems.

    If the problem still exists, would you please tell us which Event IDs were logged in the event logs?

    Here are some related links that could be helpful to you:

    Auto-Enrollment Problem

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/723c6d03-ae66-4272-aae9-b80cc607f71c/autoenrollment-problem?forum=winserverGP

    Certificate Autoenrollment, Windows 2008 Active Directory and Issuing Certificate Services Server

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/38499c50-d706-4afc-a8b7-4d9bcd614bfb/certificate-autoenrollment-windows-2008-active-directory-and-issuing-certificate-services-server?forum=winserversecurity

    Troubleshooting Autoenrollment

    http://blogs.technet.com/b/xdot509/archive/2012/10/18/troubleshooting-autoenrollment.aspx

    Best Regards,

    Amy Wang



    Monday, October 28, 2013 3:27 AM
  • Hi,

    Unfortunately I haven't got this to work. I still have the situation where I can request certificates manually, but auto-enrollment does nothing.

    I have tried certutil -ping -config CA and it works fine.
    I have tried certutil -catemplate -config CA and it works fine.

    On the client computer I have Event ID 6: "Automatic certificate enrollment for DOMAIN\user failed (0x8007003a) The specified server cannot perform the requested operation".

    But this error only occurred once in the morning. After that I can see Event IDs 64 and 65: "Certificate enrollment for ... successfully load policy from policy server".

    I have no idea where the bug is. I have the correct security permissions, DCOM options, templates.

    Can there be some template version issue or something like that? I have Windows Server 2003 R2 DCs, but I don't know how much of an issue that can be. The CA is 2012. The weird thing is that not even the servers autoenrolled certificates. Usually the DCs requested certs as soon as it was possible. Now the DCs did not request certs, so no certificates were published to the DCs. I had to do it manually.

    I wanted to add that we have one more PKI solution here which I want to decommission after the new PKI is in place. So at the moment we have 2 PKI hierarchies, but they are not connected in any way. So that should not be the problem - or does it? Both CAs are configured in AD Sites and Services.

    So if anyone has some idea what to do, I'd appreciate it.

    Taavi

    Monday, October 28, 2013 9:17 AM
  • Hi Taavi,

    Would you please tell us which certificate template you are using?

    Version 3 certificate templates can only be used by client computers running Windows Server 2008 or Windows Vista.

    Also, please make sure that Auto Enrollment is turned on by checking the following registry key:

    HKLM\Software\Policies\Microsoft\Cryptography\AutoEnrollment\AEPolicy

    If the DWORD value is 7, then Auto Enrollment is turned on.

    Here are some related links I suggest you refer to:

    Certificate Templates Overview

    http://technet.microsoft.com/en-us/library/cc730826(v=WS.10).aspx

    Troubleshooting Certificate Autoenrollment in Active Directory Certificate Services (AD CS)

    http://social.technet.microsoft.com/wiki/contents/articles/3048.troubleshooting-certificate-autoenrollment-in-active-directory-certificate-services-ad-cs.aspx


    Best Regards,

    Amy Wang


    Thursday, October 31, 2013 3:36 AM
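    The two checks Amy describes (the AEPolicy value and the template version), as an added example that is not code from the thread or from Microsoft. It decodes the AEPolicy flags for both the machine and the user half of the policy, then reads the template's schema version and enrollment flags from AD so you can compare them with the client OS. It assumes the RSAT ActiveDirectory module and uses "Computer" as a placeholder template CN; the flag values are the documented AEPolicy bits and the msPKI-Enrollment-Flag bits from MS-CRTD.

```powershell
# Added example (not code from the thread). Decodes the AEPolicy flags written by the
# "Certificate Services Client - Auto-Enrollment" GPO setting for the machine and the
# user halves of the policy, then reads a template's schema version and enrollment flags
# from AD. Assumptions: RSAT ActiveDirectory module; "Computer" is a placeholder template
# CN; flag values are from the AEPolicy documentation and MS-CRTD.
Import-Module ActiveDirectory

# AEPolicy DWORD bits. No value at all means the GPO setting is Not Configured.
$AE_ENABLED          = 0x1      # Enroll certificates automatically
$AE_STORE_MANAGEMENT = 0x2      # Renew expired, update pending, remove revoked certificates
$AE_TEMPLATE_CHECK   = 0x4      # Update certificates that use certificate templates
$AE_DISABLED         = 0x8000   # Setting explicitly Disabled

function Get-AutoEnrollPolicy {
    param([ValidateSet('Machine', 'User')][string]$Scope)
    $hive  = if ($Scope -eq 'Machine') { 'HKLM' } else { 'HKCU' }
    $key   = "${hive}:\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value)          { return "$Scope AEPolicy: not present (Not Configured)" }
    if ($value -band $AE_DISABLED) { return ('{0} AEPolicy: 0x{1:X} (Disabled)' -f $Scope, $value) }
    $opts = @()
    if ($value -band $AE_ENABLED)          { $opts += 'enabled' }
    if ($value -band $AE_STORE_MANAGEMENT) { $opts += 'renew/update/remove' }
    if ($value -band $AE_TEMPLATE_CHECK)   { $opts += 'update templates' }
    '{0} AEPolicy: 0x{1:X} ({2})' -f $Scope, $value, ($opts -join ', ')   # 7 = all three options
}
Get-AutoEnrollPolicy -Scope Machine
Get-AutoEnrollPolicy -Scope User

# Template schema version against the oldest client OS that can use it.
$minClient = @{
    1 = 'Windows 2000 or later'
    2 = 'Windows XP / Server 2003 or later'
    3 = 'Windows Vista / Server 2008 or later'
    4 = 'Windows 8 / Server 2012 or later'
}
# msPKI-Enrollment-Flag bits (MS-CRTD) that change what autoenrollment does.
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2    # CA manager approval: request sits pending, nothing lands in the store
$CT_FLAG_PUBLISH_TO_DS             = 0x8    # issued certificate is written to the AD object
$CT_FLAG_AUTO_ENROLLMENT           = 0x20   # template is marked for autoenrollment
$CT_FLAG_USER_INTERACTION_REQUIRED = 0x100  # enrollment prompts the user instead of running silently

$templateCN = 'Computer'
$configNC   = (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -Identity "CN=$templateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
                    -Properties 'msPKI-Template-Schema-Version', 'msPKI-Enrollment-Flag'

$schema = [int]$tpl.'msPKI-Template-Schema-Version'
$eflag  = [int]$tpl.'msPKI-Enrollment-Flag'
'Template {0}: schema version {1} ({2})' -f $templateCN, $schema, $minClient[$schema]
'  autoenrollment flag: {0}' -f [bool]($eflag -band $CT_FLAG_AUTO_ENROLLMENT)
'  publish to AD:       {0}' -f [bool]($eflag -band $CT_FLAG_PUBLISH_TO_DS)
'  manager approval:    {0}' -f [bool]($eflag -band $CT_FLAG_PEND_ALL_REQUESTS)
'  user interaction:    {0}' -f [bool]($eflag -band $CT_FLAG_USER_INTERACTION_REQUIRED)
```

    Run the registry half on the client that fails (the user half needs to run as that user). A template with manager approval or user interaction set will enroll fine through the MMC yet never complete silently, which is another way to get "manual works, automatic does not".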
  • Hi!

    I have seen that link before. I have almost the same lab for testing purposes and there everything works. The only difference is that I don't have Windows Server 2003 R2 Domain Controllers in my test lab.

    In my test lab the W7 client that is autoenrolling certificates as it should does not have the registry key HKLM\Software\Policies\Microsoft\Cryptography\AutoEnrollment\AEPolicy. My live environment doesn't have that key either. But if I do rsop, I can see that the policy is applied and the settings are enabled. And in the Event Viewer I can see the autoenroll errors! So it seems that the GPO is working. If I change my GPO not to autoenroll, then rsop changes as well...

    I have tried many different templates: the default v1 Computer and User templates and custom v2 templates. None of them work. I can see in the client's registry that the certificate templates are cached and downloaded correctly. And in the client's Event Viewer I can see that the template changes when I change it on the CA. So everything seems to work as it should, except no certificates are in the store and no certificates are issued until I enroll manually. I think there may be some problem with the 2003/2012 Domain Controllers. I don't know exactly what the problem could be, but it seems like that. I'll try to use Wireshark in my lab environment to see what traffic is used, and then try the same thing in my live environment to see if the traffic is the same. But all that takes some time :( Maybe somebody can give some more advice about what to try or what to look for?

    Taavi

    Saturday, November 02, 2013 3:25 PM
  • Hi!

    I'm just wondering, if I have an OCSP server, then what certificates are needed by the OCSP server? I enrolled an OCSP signing certificate, but somehow it's gone after a while. But from the Issuing CA I can see that certificates are enrolled automatically to the revocation CA server.

    In my certificates I don't use internal AIA or CDP paths. I use something like "http://validation.domain.com/cert.clr" etc. Does this make any difference? All certificates are enrolled using the server's common name, which is not what I defined in the AIA or CDP. I mean, when I enroll certificates to that server, do I need to add that validation.domain.com name there as well?

    The second thing I noticed is that when I export any certificate published by my Issuing CA, it verifies normally when I use the command "certutil -url cert.crt" and try to verify in the different modes (AIA, CERT, OCSP). All working fine. But when I use the command "certutil -urlfetch -verify cert.crt", it's like it's in a loop... It just keeps rolling information until the window hangs and I need to force it closed. It definitely shouldn't do that, but I can't understand where the problem is. Maybe it's OCSP or something on that side?

    Taavi

    Monday, November 04, 2013 11:44 AM
    You just need to have the CDP/AIA path available; OCSP or not doesn't matter. It may take time because it's trying to retrieve a path that's inaccessible. OCSP issues can occur for various reasons. I don't think the forum is a good channel to troubleshoot it. Please contact Microsoft Commercial Technical Support for further troubleshooting.

    For enabling Auto Enroll, you need to complete the following settings:

    feature enabled in GPO (Computer or User configuration part)
    issue a certain cert
    grant Autoenroll permission to Computer or User

    Regards, Brian



    • Marked as answer by Amy Wang_Moderator Monday, November 11, 2013 3:10 AM
    • Unmarked as answer by TaaviSa Friday, March 21, 2014 1:38 PM
    Friday, November 08, 2013 6:45 AM
  • Hi!

    I wanted to report that this problem is still open. It was a long time ago that I last tried to fix the problem, and now I'm back on that topic. I wanted to add that I have all the other configuration mentioned above, and I found one weird thing. I have a Windows 8.1 virtual machine, just like the AD and CA are virtual machines. I have different VLANs: AD is in, let's say, VLAN2 and the CA is in VLAN3. Now when I take that W8.1 virtual machine and put it into VLAN3 next to the CA server, autoenrollment works. The machine gets the certificate and everything is OK. Now if I take the same virtual machine and put it into VLAN2 next to the AD, the certificate is not enrolled and it's not working! Even though the group policy, machine and all other settings are the same on both VLANs. Between the two VLANs I have a Cisco ASA 5500 firewall; I have tested turning off DCE/RPC inspection and opening any-any rules for testing. Not getting better. There is no log in the firewall about blocking anything. So it's a weird situation.

    Hope that this info can help you to help me :)

    Thank you!

    Taavi


    • Edited by TaaviSa Thursday, March 27, 2014 1:46 PM
    Friday, March 21, 2014 1:37 PM
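    A client-side check of the path that the VLAN test above exercises, as an added example (not code from the thread or from Microsoft). DCOM enrollment first hits the RPC endpoint mapper on TCP 135 of the CA and is then redirected to a port the CA picks from its dynamic range, so both legs have to cross the firewall; the script tests the first leg, makes the end-to-end DCOM call with certutil, triggers autoenrollment and reads back the client's enrollment events, translating any HRESULT it finds (0x8007003a from the thread is Win32 error 58, ERROR_BAD_NET_RESP). It assumes Windows 8/2012 or later for Test-NetConnection, and "ISSUINGCA" / "Contoso Issuing CA" are placeholders for the CA host and CA common name.

```powershell
# Added example (not code from the thread). Run on a client in the VLAN where
# autoenrollment fails. Placeholders: CA host "ISSUINGCA", CA name "Contoso Issuing CA".
$caHost   = 'ISSUINGCA'
$caConfig = "$caHost\Contoso Issuing CA"

# 1. Endpoint mapper leg: TCP 135 on the CA. The follow-up connection goes to a port from
#    the CA's dynamic range (49152-65535 on Server 2008 and later, 1025-5000 on Server 2003).
#    Firewall rules written for the old range block a 2012 CA; on the CA itself show the
#    range with:  netsh int ipv4 show dynamicport tcp
Test-NetConnection -ComputerName $caHost -Port 135 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 2. End-to-end DCOM call to the CA, and the template list as the CA sees it.
certutil -ping -config $caConfig
certutil -CATemplates -config $caConfig

# 3. Trigger autoenrollment and read the client-side result. IDs 64/65 (CertEnroll) mean
#    the policy download worked; ID 6 (AutoEnrollment) carries the HRESULT of the failed
#    enrollment call.
certutil -pulse
Start-Sleep -Seconds 15
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment',
                   'Microsoft-Windows-CertificateServicesClient-CertEnroll'
    StartTime    = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated
$events | Format-Table TimeCreated, ProviderName, Id, Message -AutoSize -Wrap

# 4. Translate every HRESULT found in the messages into text with certutil.
$events | ForEach-Object {
    if ($_.Message -match '\(0x([0-9A-Fa-f]{8})\)') {
        $code = '0x' + $Matches[1]
        '{0} -> {1}' -f $code, ((certutil -error $code) -join ' ')
    }
}
```

    If step 1 succeeds and certutil -ping succeeds but autoenrollment still fails, the remaining difference is the dynamic-port leg and the responses flowing back through it, which is the kind of thing a capture on both sides of the firewall settles, as the thread eventually did.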