Auto-enrollment problem
-
Friday, June 15, 2012 10:16 AM
Hello,
I have a very strange problem with auto-enrollment.
The thing is that auto-enrollment is working in an AD site where the CA issuing server is installed. In other sites auto-enrollment is not working, but when you request a cert using MMC or over CA Web everything works fine.
We have a 3-tier PKI implemented.
Just to add, on our firewalls everything is opened. Literally ANY ANY is allowed.
- Moved by AwinishMVP Friday, June 15, 2012 10:46 AM Moved to Security forum (From:Directory Services)
All Replies
-
Friday, June 15, 2012 10:24 AM
Hello,
Please use rsop.msc to check if the GPO for auto-enrollment is applied from the clients. For more details about GPOs, please ask in http://social.technet.microsoft.com/Forums/en/winserverGP/threads?page=1
And for CA questions in detail please see http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Friday, June 15, 2012 10:41 AM
Already done that.
Policies are applied to users and computers.
-
Tuesday, June 19, 2012 2:16 AM Moderator
Hi,
It is a best practice to enable auto-enrollment on the Domain group policy level, rather than on specific OUs, and to manage permissions using the Certificate templates Access Control Lists.
I hope the following link can give you some useful information:
Regards,
Kent Huang
TechNet Community Support
- Edited by Kent-Huang (Moderator) Tuesday, June 19, 2012 2:17 AM
-
Monday, June 25, 2012 1:38 PM
I found out what the problem was. GPOs were not applied.
One thing I found out is that if you don't have a Recovery Agent in the Default Domain Policy it doesn't work.
You cannot create a GPO with a Recovery Agent.
Interesting...
- Marked As Answer by Kent-Huang (Moderator) Tuesday, July 03, 2012 8:45 AM

