Monday, June 18, 2012 8:42 AM
I've created a certificate template using the "Computer" one as a source in Certificate Templates, then created an "issuing certificate template" in the CA's Certificate Templates section; I already can ask for this certificate manually through the MMC on the local PC. But what I cannot do is set this certificate template in the group policy "Automatic Certificate Request Settings" --> create "New Automatic Certificate Request": there is no template with the name I gave. From what I know I cannot use the "Computer" template for autorequests, as the users/computers mentioned in its security tab don't have all the privileges needed, i.e. Read/Enroll/Autoenroll. repadmin'd, gpupdate'd, dunno what else.
Monday, June 18, 2012 10:22 AM
Automatic Certificate Request (aka ACR) can handle only version 1 templates. If you are using version 2 (3 and 4), you need to configure autoenrollment group policy:
Monday, June 18, 2012 11:04 AM
I have done that already for both computer and user policies. So it is kinda not working, or? The new machine certificate I made was given to several random machines, members of different organizational units and different domain groups; same with several EFS certificates for users. I added all the groups needed to CERTSVC_DCOM_ACCESS, also checked that the users inside these groups match its type; honestly checked everything, and issuing certificates manually to the workstations works without any problems. But I also can't issue a personal certificate for my PDC (the CA is located on the secondary DC). It says: "The certificate request failed because of one of the following conditions: - The certificate request was submitted to a CA that is not started" (not true at all) "or - You do not have the permissions to request certificates from the available CAs." Again, the PC is the PDC and the user I'm logged in with has all the domain admin roles. Vadims, you're my only hope. Another thing that is confusing me: previous to adding the secondary 2008 R2 DC to the domain, I of course forest/gp/domain prepped, but if I click on domain properties it says:
-domain functional lvl: Windows server 2003
-forest functional lvl: Windows 2000
when it should be 2008, or should it actually? Does it matter?
Monday, June 18, 2012 12:41 PM
Ok, I found a moment to reboot the PDC. Right after restart it has got all the personal certificates it should've. But autorequest from workstations still doesn't work. And yes, I'm sure: creating the certificate, I gave all the rights (Read/Enroll/Autoenroll) to "Domain Computers", and yes, all PCs in the corresponding OU are members of the "Domain Computers" group ...
Monday, June 18, 2012 6:09 PM
you should link a GPO with configured autoenrollment to a domain level. If the template is intended for computers, use computer accounts and groups that contain computer accounts. If the template is intended for users, use user accounts and groups that contain user accounts. Use only global and/or universal groups. Domain Local groups are not allowed.
Clients will automatically apply the GPO only after group policy refresh. You can manually initiate autoenrollment trigger by running the following command:
the error "The certificate request was submitted to a CA that is not started" may indicate that you have incorrectly decommissioned previous AD CS installation.
- Marked As Answer by eeluve Tuesday, June 19, 2012 6:19 AM
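The answer above boils down to three checks on a client: that the autoenrollment GPO is really applied to the computer, that the groups holding Enroll/Autoenroll on the template are Global or Universal rather than Domain Local, and then a manual trigger instead of waiting for the next policy refresh. The script below is an added example, not Vadims' command or anything from the thread; it assumes the template display name in `$TemplateName` (a placeholder), the `ActiveDirectory` module on the machine for the group-scope check, and uses `certutil -pulse` as the trigger, which is my choice and not necessarily the command the answer referred to.

```powershell
# Added example, not from the thread. Run elevated on a workstation that should
# autoenroll for a computer certificate.
# Assumptions: $TemplateName is a placeholder display name; the ActiveDirectory
# RSAT module is installed for the group-scope check.
param(
    [string]$TemplateName = 'ExampleMachineTemplate',   # placeholder, not a name from the thread
    [string[]]$EnrollGroups = @('Domain Computers')     # groups granted Enroll/Autoenroll on the template
)

# 1. Is the "Certificate Services Client - Auto-Enrollment" policy applied here?
#    The GPO writes the AEPolicy DWORD; missing or 0 means autoenrollment is off
#    for this security context (7 = enabled with both renew/update options ticked).
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if (-not $ae -or $ae.AEPolicy -eq 0) {
    Write-Warning 'Autoenrollment policy is not applied to this computer; check GPO link and scope (gpresult /r /scope:computer).'
} else {
    "AEPolicy = $($ae.AEPolicy)"
}

# 2. Group scope: Domain Local groups on the template ACL are silently useless
#    for autoenrollment, so flag them before touching the CA again.
Import-Module ActiveDirectory -ErrorAction Stop
foreach ($g in $EnrollGroups) {
    $grp = Get-ADGroup -Identity $g
    if ($grp.GroupScope -eq 'DomainLocal') {
        Write-Warning "$g is Domain Local; use a Global or Universal group for Enroll/Autoenroll."
    } else {
        "$g scope: $($grp.GroupScope)"
    }
}

# 3. Force a policy refresh and kick the autoenrollment task now rather than
#    waiting for the next scheduled refresh (assumed trigger: certutil -pulse).
gpupdate /force /target:computer | Out-Null
certutil -pulse | Out-Null

# 4. Did a certificate issued from the template land in the machine store?
#    1.3.6.1.4.1.311.21.7 is the v2+ "Certificate Template Information" extension;
#    its formatted text carries the template name.
$tplOid = '1.3.6.1.4.1.311.21.7'
$found = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $tplOid }
    $ext -and ($ext.Format($false) -match [regex]::Escape($TemplateName))
}
if ($found) {
    $found | Format-List Subject, NotAfter, Thumbprint
} else {
    Write-Warning "No certificate from template '$TemplateName' yet; check the CA's Failed Requests and the Application log on this client."
}
```

If step 1 warns, the problem is GPO linkage or scope (the answer's point about linking at domain level), not the CA; if step 2 warns, fix the template ACL; only if both pass and step 4 still finds nothing is it worth looking at the CA side, including the stale-AD-CS-object cause behind the "CA that is not started" error.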
Tuesday, June 19, 2012 6:19 AM
Vadims, you are the best. Yes, that was probably kinda simple, though there are some differences between 2003 and 2008, and I honestly did expect the default policy to affect my "machines" GPO as well. Thank you, really. Maybe one last question: could I now enable IPsec through these certificates?
Ok, I'll create a new topic in the "security" section so that it would be more visible.
- Edited by eeluve Tuesday, June 19, 2012 7:39 AM