How can I issue computer certificates for DCs in another forest
-
Thursday, May 03, 2012 8:53 PM
We have a small domain that is outside of our normal forest that we want to issue certificates to. We have an enterprise CA in our primary forest that we would like to use to issue the certificates. Our only goal is to enable SLDAP on these domain controllers, and it doesn't seem worth it to stand up a new CA to issue two certificates. Can we issue certificates to the domain controllers in a separate forest and if so:
- What certificates are needed for SLDAP (I am guessing I just need the Domain Controller Authentication template)
- Can I set up auto enrollment with a forest I don't trust (maybe using the issued certificate for authentication)
- Our Web Enrollment is not working. Is there another method I can use to obtain the certificate?
- Edited by Oldguard Thursday, May 03, 2012 8:55 PM
All Replies
-
Friday, May 04, 2012 3:16 AM Moderator
Hi,
1. What certificates are needed for SLDAP (I am guessing I just need the Domain Controller Authentication template)
Do you mean secure LDAP?
By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA according to the guidelines in this article.
please refer this wiki: LDAP over SSL (LDAPS) Certificate(http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx)
2. Can I set up auto enrollment with a forest I don't trust (maybe using the issued certificate for authentication)
Cross-forest Certificate Enrollment Technical requirements
===========================================
1. Two-way forest trusts between a resource forest and account forests.
2. One or more enterprise CAs running on Windows Server 2008 R2.
3. Domain member computers in all forests running the following operating systems: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2
For detailed steps, please refer to the following articles:
AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ff955842(v=ws.10).aspx
AD CS: Deploying Cross-forest Certificate Enrollment
http://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx
3. Our Web Enrollment is not working. Is there another method I can use to obtain the certificate?
This feature applies to organizations that have public key infrastructures (PKIs) with one or more CAs running Windows Server 2008 and clients running Windows Vista and that want to provide users with the ability to obtain new certificates or renew existing certificates by using Web pages.
Hope this helps!
Best Regards
Elytis Cheng
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Elytis Cheng
TechNet Community Support
-
Friday, May 04, 2012 7:51 PM
So I worked through a lot of the issues, and now I appear to be at the very end of the process (still not working). I established a two way selective forest trust and worked through the issues of getting an account that could write changes to AD in the new forest and could read the configuration from the original forest that contains the CA. I got the templates copied over, gave the domain controllers in the new forest auto enrollment rights to the Kerberos Authentication template I created (copy of the original). I also went into AD and gave the domain controllers in the new forest permission to authenticate with the CA. I can generate enrollment requests now, but I get an access denied message. I tried backing off the trust security (reset to a full forest trust), but that didn't help any. I see in the network trace that the domain controller is trying to make a DCOM call, but I can't tell what happens beyond that.
I don't see any errors on the CA itself, but I get the following on the domain controller requesting the certificates:
Certificate enrollment for Local system failed to enroll for a MYKerberosAuthentication certificate with request ID N/A from myca.mycompany.com\MYCA1-CA (Access is denied. 0x80070005 (WIN32: 5)).
-
Monday, May 07, 2012 6:44 PM
I found a troubleshooting guide that noted access to DCOM is controlled by a group on the CA. I didn't see that in the documentation above, and have tried adding the Domain Controllers group from our second domain to the CA's local Certificate Service DCOM Access group. That still didn't work, but it seems like another piece of the puzzle. At this point I have a two way selective trust and the Domain Controllers group has been given permission on the CA computer object to authenticate, and has been added to the CA's DCOM group.
Any other thoughts on what I might be missing?
This is the document I am using for troubleshooting:
http://blogs.technet.com/b/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx
- Edited by Oldguard Monday, May 07, 2012 6:51 PM
-
Monday, May 07, 2012 7:29 PM
I got a little bit further on this. Once I had added the domain controllers group from the second domain (our resource domain) to the Certificate Service DCOM Access group, I took another trace and noticed that the CA was trying to call back to the resource domain controllers looking for SPN information. This request was being denied because the selective trust does not allow this to happen. Since my CA is already in the Cert Publishers group in the resource domain, I granted Allowed to authenticate rights to the CA on the domain controllers in the resource domain. This changed the behavior so that I now get the following error...
Status: Request denied
The specified account does not exist.
Denied by Policy Module 0x8007208d, The requester's Active Directory Object could not be retrieved.
I tried to delegate read all properties to the Cert Publishers group, but that does not appear to have resolved it.
Has anyone ever successfully enabled certificate auto enrollment when a two way selective trust is used?
-
Friday, May 11, 2012 9:17 AM Moderator
Hi,
Please try to add Authenticated Users and INTERACTIVE to the builtin Users group to test.
Hope this helps!
Best Regards
Elytis Cheng
TechNet Community Support
- Marked As Answer by Elytis ChengModerator Monday, May 21, 2012 9:09 AM
- Unmarked As Answer by Oldguard Tuesday, May 29, 2012 1:54 PM
-
Monday, May 14, 2012 8:30 AM Moderator
Thanks for posting in Microsoft TechNet forums.
As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
Best Regards
Elytis Cheng
TechNet Community Support
-
Wednesday, May 23, 2012 2:39 PM
It is partially working. Autoenrollment isn't working, but I can issue certificates to the second forest. Auto enrollment on the CA wants to query AD from the requesting forest and doesn't have enough rights. I tried granting logon rights for the CA computer account on the domain controllers in the second forest, but that didn't do it. If I ever get to the point where I get it working and I can sort out what it really takes to make it work, I will post the solution here. I suspect that once I get it working, I will have a lot of wreckage in the system and may never be sure of which parts I need and which parts I shouldn't have put in.
-
Tuesday, May 29, 2012 8:34 AM Moderator
-
Tuesday, May 29, 2012 1:54 PM
Those were the documents I used. I am sure I have missed something though. I went back through and checked everything. I can copy the templates fine, so I think I have the correct rights for my user account. I have mapped the domain users, domain computers and domain controllers groups to the CA's computer object and given them permission to authenticate. I have also added the CA's computer account onto the computers that I want to issue certificates to in the other forest so authentication works that way. When I request certificates I get the following error, which I attribute to the CA's ability to get information from AD in the other forest.
Active Directory Certificate Services denied request 300 because The specified account does not exist. 0x80070525 (WIN32: 1317). The request was for XXX\VXXXDC1$. Additional information: Denied by Policy Module 0x8007208d, The requester's Active Directory object could not be retrieved. CN=VxxxDC1,OU=Domain Controllers,DC=xxx,DC=domain,DC=local ldap: 0x20: 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=local'
-
Tuesday, May 29, 2012 1:58 PM
I also get the following error message in the event log of the CA every time the system fails to issue a certificate. Referrals are enabled, but I don't think they are working.
The "Windows default" Policy Module logged the following warning: Active Directory Certificate Services is configured to use LDAP referrals to request user data from the Active Directory directory service.
-
Wednesday, May 30, 2012 9:27 AM
1. Please let me know how you request the certificate, mmc or web, and then get the error message.
2. Do all the certificates encounter the same errors?
3. Does AD replication work well in your domain?
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
Wednesday, May 30, 2012 1:13 PM
1) The problem only exists when using auto enrollment from the second forest. Auto enrollment from the same forest as the CA works fine. Manual enrollment from the MMC works fine from the second forest, but I have to use a template that allows me to configure the CN and DNS name. I am pretty sure the problem is that the CA is having problems getting that information from the second forest.
2) Any auto enrollment certificate in the second forest gets that error. Both domain controllers have the same issue consistently.
3) AD replication is fine. Repadmin /replsummary on both domains shows no errors. We have only one site. The first domain has three domain controllers and the second forest has two domain controllers. I also did a repadmin /showutdvec on each domain controller for the configuration container and the domain container itself and we could not look better.
I am pretty sure that when the DC in the second forest calls the CA for a certificate, the CA tries to look up the information necessary for the certificate through Active Directory. My packet trace does not show an LDAP query, so I don't see the CA making a call out. The certificate is not being issued because the CA cannot find the domain, or is not finding the DC entry in active directory. Based on the error, I am guessing that it can't find the domain at all and refers to the closest match...
-
Friday, June 01, 2012 6:18 AM
Please ensure you have enabled the policy "Windows Settings\Security\Public Key Policies/Certificate Services Client - Auto-Enrollment" in the default domain policy.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
Friday, June 01, 2012 5:19 PM
Auto enrollment is enabled and I can see the requests going out. My CA is showing piles of rejected requests from the servers in the second forest.
-
Tuesday, June 05, 2012 6:28 AM
Would you please help capture screen shots about all the error messages?
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
Thursday, June 07, 2012 8:20 AM
Hi,
Any update? Please drop me a note about the current status at your earliest convenience.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
Thursday, June 07, 2012 3:19 PM
I don't appear to be smart enough to figure out how to add a screen shot. This is how it looks from the event viewer:
First the authentication happens to the CA
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 6/7/2012 10:09:30 AM
Event ID: 66
Task Category: None
Level: Information
Keywords: Classic
User: ddd\uuuuuuu
Computer: hhhhhhh.ddd.ddddd.ddd
Description:
Certificate enrollment for Local system is successfully authenticated by enrollment server hhhhhhh.ddddd.ddd\hhhhhhh-ca
The next event we see is the rejection. This is the event from the requesting side.
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 6/7/2012 10:09:31 AM
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: ddd\uuuuuu
Computer: hhhhhhh.ddd.ddddd.ddd
Description:
Certificate enrollment for Local system failed to enroll for a MyDomainControllerAuthentication certificate with request ID 423 from hhhhhhh.ddddd.ddd\hhhhhhh-ca (The specified account does not exist. 0x80070525 (WIN32: 1317)).
From the CA side, we see the following:
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 6/7/2012 10:09:31 AM
Event ID: 53
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: hhhhhhh.ddddd.ddd
Description:
Active Directory Certificate Services denied request 423 because The specified account does not exist. 0x80070525 (WIN32: 1317). The request was for ddd\hhhhhhh$. Additional information: Denied by Policy Module 0x8007208d, The requester's Active Directory object could not be retrieved. CN=hhhhhhh,OU=Domain Controllers,DC=ddd,DC=ddddd,DC=ddd ldap: 0x20: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of 'DC=ddddd,DC=ddd'
From my perspective it looks like the CA is asking the wrong domain for the account information.
- Edited by Oldguard Friday, June 08, 2012 4:32 PM Minor modification.
-
Monday, June 11, 2012 6:57 AM
Based on the error message, it seems that the CA cannot retrieve the information from the forest well.
If both DCs and CAs are running Windows 2008 R2 and the clients are running Windows 7, I suggest you export the related AD information (CN=Public Key Services) from the A forest, and then import it into the B forest to implement the auto-enrollment.
Please let me know how you deploy cross-forest, and list the general steps.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
Tuesday, June 12, 2012 1:42 PM
I use the PKISYNC.PS1 file to move everything each time I modify a template. Should that have already put me in sync between the two forests? I think the issue is the CA getting confused about where to go for the information, or is not getting to the information for some reason if it is going to the right place.
-
Wednesday, June 20, 2012 11:08 AM
Experiencing exactly the same issue here; full 2 way forest trust between 2 2008R2 forests. Manual enrolment from the resource forest works fine but the autoenrolment fails for DCs as well as for clients. I also use the PKISync script to keep the forests in sync using a scheduled task. It looks like the integration with LDAP is not smart enough to look in the resource forest.
-
Wednesday, June 20, 2012 12:47 PM
I am getting to the point where I am pretty sure it is a bug, but I don't have a premier account so I don't have any way to escalate the issue. I know Microsoft keeps pretty close tabs on the forums, so I am hoping they will see this and look into a solution. My resource forest is small, so I can manually enroll and it works out for me. If I had a larger resource forest I would have a serious issue.
Just curious. My resource forest is a DNS sub domain of my primary forest that contains my CA. I am wondering if you have the same configuration. I am wondering if it is seeing that as one forest because the resource is a sub domain but still a separate forest. If I had named the resource forest something totally different I am wondering if that would have made a difference. For example:
If you have a forest named MyDomain.Local and a resource forest named Testing.MyDomain.Local, does that cause an issue? Would it have worked if I had changed the resource to Testing.Local?
Just a guess.
-
Wednesday, June 20, 2012 2:05 PM
Interesting point. I too have the setup of a contiguous namespace but 2 different forests. Unfortunately no premier support here either. Let's hope someone from Microsoft is watching.
-
Sunday, January 20, 2013 7:43 AM
Same problem here with the same forest setup. Has anyone found a solution/workaround?
I too believe this is a bug with this kind of forest setup. The CA queries the wrong directory server:
Active Directory Certificate Services denied request 66 because The specified account does not exist. 0x80070525 (WIN32: 1317). The request was for DOMAINB\DOMAINB-DC1$. Additional information: Denied by Policy Module 0x8007208d, The requester's Active Directory object could not be retrieved. CN=DOMAINB-DC1,OU=Domain Controllers,DC=domainb,DC=domaina,DC=test,DC=net ldap: 0x20: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=domaina,DC=test,DC=net'
If the CA would have queried the right directory, the above message should end with
.. best match of: 'DC=domainb,DC=domaina,DC=test,DC=net'
-
Sunday, January 20, 2013 6:06 PM
Same problem here with the same forest setup. Has anyone found a solution/workaround?
I too believe this is a bug with this kind of forest setup. The CA queries the wrong directory server:
Active Directory Certificate Services denied request 66 because The specified account does not exist. 0x80070525 (WIN32: 1317). The request was for DOMAINB\DOMAINB-DC1$. Additional information: Denied by Policy Module 0x8007208d, The requester's Active Directory object could not be retrieved. CN=DOMAINB-DC1,OU=Domain Controllers,DC=domainb,DC=domaina,DC=test,DC=net ldap: 0x20: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=domaina,DC=test,DC=net'
If the CA would have queried the right directory, the above message should end with
.. best match of: 'DC=domainb,DC=domaina,DC=test,DC=net'
I can confirm that the setup is working perfectly with forests that don't share a namespace. Using
dc=domaina,dc=test,dc=net and dc=domainb,dc=test,dc=net
works as expected.
The CA is definitely querying the wrong directory when requesting a certificate from a forest domain whose namespace is below the forest domain's namespace the CA is installed on.
Requesting a certificate from a domain in dc=domainb,dc=domaina,dc=test,dc=net on a CA that is located on domain dc=domaina,dc=test,dc=net will result in the CA querying dc=domaina,dc=test,dc=net for the requesting computer object from dc=domainb,dc=domaina,dc=test,dc=net
Hello Microsoft... anyone!? Some ideas?
- Edited by coboluxx Sunday, January 20, 2013 6:10 PM
-
Monday, January 21, 2013 1:45 PM
Hi,
please reopen this thread as this is still an issue. It would be very helpful to know if this is an unsupported scenario or a bug within the CAs directory lookup. As we have multiple forests on a namespace below the forest hosting the CA and used in production I would appreciate your help.
Please see the last two posts on this thread for details.
Best regards,
Marcus
-
Monday, January 28, 2013 5:50 PM
Never was able to fix this. I don't even have a work around. Would like to see this addressed, but all I can do is say the problem continues.
-
Monday, January 28, 2013 6:18 PM
I have tried to get a response by opening a new thread on this issue:
Unfortunately without an answer so far.
Today we've opened a support case with Microsoft. Maybe we will get an answer soon.
-
Wednesday, February 06, 2013 2:00 PM
Take a look here for a solution to this issue:

