Client Certs Aren't Created
- Hello,
I am trying to move my site to native mode. I have completed everything required with respect to the certificates on the Site Server. However, I created a policy that should make the client computers get a certificate from the CA I created on our one AD server. But when the policy is applied, there is no certificate. I did notice that in the certificate there is no CA specified. However, there was no place to put in a CA, so now I'm stumped. Any ideas?
The CA is running Windows Server 2003 Enterprise R2 as an Enterprise CA. I followed the directions here: http://technet.microsoft.com/en-us/library/bb694035.aspx#BKMK_client. My clients are not always in the network, which is why I would like to configure IBCM. I originally posted this in the CM General Forum, but I moved it here because this forum better fits my issue.
Thanks.
All replies
- Time to step back and describe your environment first.
Do you have an enterprise CA? Is it installed on Enterprise edition of Windows? What version of Windows is the CA installed on?
Where on the client are you checking for certificates and how?
When you say "I did notice that in the certificate there is no CA specified" what certificate are you talking about?
Do you plan to use IBCM?
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
- The Enterprise CA is installed on one of our AD servers that is running Windows Server 2003 R2 Enterprise Edition. I am looking for the cert through the Certificates MMC console, and I believe that Group Policy will add the cert to Personal Certificates in the Computer Account: Local Computer area. Assuming by IBCM you mean Internet Based Client Management, then yes, we do hope to manage clients over the internet because 100+ of our computers go home daily and over weekends. The cert I was talking about there was the Client Cert that was supposed to be pushed to the clients. In there, there is a little box that says Certificate Authorities, but there are no cert authorities there.
Thanks, I have the CA's Cert installed in my Trusted CA's Cert Store on my personal computer, and it still won't go.
- Did you configure a group policy to auto-enroll clients for certs?
Did you create custom template for the clients or are you using a built-in one?
On a side note, have you planned your CRLs for internet publication?
Do your laptops come into the office every day without any extended stays away? If so, you may want to stay with mixed mode and avoid the overhead of native mode and IBCM.
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
- Yes - the group policy object was only active on my test OU at first, which is where the issue is at currently. I don't want to put the policy into the other OUs until I can confirm it works.
I did not create a custom template for this - I just used the standard Computer Cert as mentioned here: http://technet.microsoft.com/en-us/library/bb694035.aspx#BKMK_client
The only preparations I have made so far are the certificates. When I got halted there, I stopped other preparations.
Over the summer, about 100+ laptops leave the network for about 3 months (school environment), so we would need to be able to manage them even when they aren't inside of the network. During the school year, they will be in and out every day.
Thanks
- When you say "I created a policy that should make the client computers get a certificate from the CA I created on our one AD server. But when the policy is applied, there is no certificate." - are you referring to configuring Group Policy and the Automatic Certificate Request Settings?
Have you confirmed that Group Policy is working for these client computers? For example, if they are not authenticating in the domain correctly, Group Policy will not be applied. If you use the Certificates MMC snap-in on one of these client computers, do you see your root CA certificate listed in the local Computer store, Trusted Root Certification Authorities?
You could also try requesting the client certificate from the Certificates MMC snap-in, using the same steps as for the Web server certificate only selecting the client certificate this time. If this doesn't work either, check that the client computer has Read and Enroll permissions to the certificate template, that the certificate template is published on the CA, and try rebooting the client computer.
- Carol
This posting is provided "AS IS" with no warranties and confers no rights
- Yes, I am referring to GP and the ACR Settings. Group Policy has to be working, because it has not worked on any computers that I have tried it on yet. We use Group Policy for pushing out the CM Client and many settings, and they all work when the policy is updated.
Part of the Policy Object I created to request the certificate is to add the CA to the list of Trusted Root CAs, which works. We also have several others that appear in that list for other purposes.
I'll try to do what you said with requesting the Cert manually, but we have over 2000 computers that will need a certificate, and it will be a HUGE pain to try and do that on each computer.
Thanks,
- With an enterprise CA, you shouldn't need to add the CA to the list of Trusted Root CAs with Group Policy - computers in the forest should get this automatically. This Group Policy setting is designed for CAs that are external to your network, or standalone root CAs in your network.
Good to hear that Group Policy is definitely working though - there are many moving pieces to certificate autoenrollment so it's good to identify what works and what doesn't. I wasn't suggesting that you install all your client certificates manually, but use this as a means of narrowing the scope for troubleshooting. If this method doesn't work either, you might get a more helpful error message. However, if it does work, we know the problem isn't with the certificate template itself.
One other thing - is there anything in the event logs that might identify a problem with the certificate automatic request using Group Policy?
- Carol
This posting is provided "AS IS" with no warranties and confers no rights
- If you open the CA console, have any certificates been issued at all? If not, are there any errors in the Windows event logs on the CA?
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
- crypt32 is reporting several errors, but they don't appear to be certificate based. KDC is reporting many errors about authentication errors, but they don't specify any cert-based items. The only certs that have been issued are 1 CA Exchange and 1 ConfigMgr Web Cert.
- Nothing in the event logs shows anything about certificates - unless KDC and crypt32 are related?
I just tried to use the Certificates MMC Console to request the cert manually, and it worked. The CA shows an issued certificate.
Thanks
- I see you've posted the same issue in two forums - it must be difficult keeping track of both. Where would you like responses, in this forum or the native mode forum? Other thread here: http://social.technet.microsoft.com/Forums/en-US/configmgribcm/thread/4596692a-4aa0-4e46-9bd8-2494d2523ed1
- I'd like to keep the one in Native Mode, as that seems like a more specific place to put it. Thanks!
- OK, we've merged the thread from the General forum into this thread. So to recap all posts (and correct me if I'm wrong):
* You're using an Enterprise CA on Windows Server 2003 R2 Enterprise Edition.
* You've successfully installed the Web server certificate (and the site signing certificate?).
* You used the default Computer certificate template and Automatic Certificate Request with Group Policy, and linked this GPO to a test OU only, but clients in it don't install the certificate even after rebooting and waiting a while - but nothing seems to be logged to indicate any errors.
* The certificate does install when you manually request it using the Certificates MMC - so this means it can't be a problem with the certificate template permissions or computer authentication.
* You've confirmed that Group Policy in general is working on your network, so it's not a Group Policy problem unless it's specific to installing certificates or this specific GPO.
Have you run RSoP on a client in the test OU to make sure it's definitely getting and processing the GPO for the automatic certificate enrollment? Try setting something else in this GPO, such as a computer startup script or the default wallpaper, that's easy to test and confirm. Have you tried more than one computer in this test OU? Have you tried deleting this GPO and following the configuration steps again in case it didn't link properly or something similar?
- Carol
This posting is provided "AS IS" with no warranties and confers no rights
- I have not run RSoP. However, I can confirm that the object is working because the Enterprise Trust Cert I added to that same object did get pushed to the client. However, I'll try something else tomorrow to make sure it does work. I have tried multiple clients, but I'll also try re-creating the object.
Thanks for all your time.
- OK. It sounds from everything you've said that you've configured this correctly, so if it still doesn't work I think it's time to call in CSS, or ask for help in the Security forum where they specialize in Certificate Services (http://forums.technet.microsoft.com/en-US/winserversecurity/threads/) and should be able to suggest more detailed troubleshooting.
I have heard of situations where the client side extensions can prevent certificates from installing via Group Policy (I assume because the files are corrupt or incompatible versions) but I don't know enough about how or why this happens - which was one reason for suggesting a different client (preferably a different client platform). You might be asked to try autoenrollment rather than automatic certificate request, but this uses the same client side extensions in Group Policy, just using a slightly different mechanism. If you want to try this, follow the instructions for the client certificate only, in the step-by-step for a Windows Server 2008 CA (http://technet.microsoft.com/en-us/library/cc872789.aspx#BKMK_client2008) - it works equally well with Windows Server 2003 CA. In my experience however, this method always seems to take a little longer to install the certificate, although I've never understood why. So be prepared to wait a while before checking after the reboot, just to be sure.
- Carol
This posting is provided "AS IS" with no warranties and confers no rights
- I created a new GPO and tried the settings again, and it still doesn't work. I did a gpresult and it says the policy was recently applied, and it showed my autoenroll GPO in the list of applied objects.
- Then the advice in my previous response stands - I think we've taken this as far as we can in this forum in helping to narrow down the problem and confirm from our experience that everything seems to be configured correctly. I'm sorry we can't help you further but Certificate Services is owned by a different product group to the one that owns this forum, and as such, we're not experts in this area when it comes to detailed troubleshooting. Unless any other Configuration Manager customers have solved similar problems for automatically installing certificates with Group Policy when requesting them manually through the Certificates MMC works, then I think your best bet at this point is CSS - or the Security forum.
- Carol
This posting is provided "AS IS" with no warranties and confers no rights
- Unmarked as answer by cgehr, Tuesday, July 14, 2009 17:01
- Marked as answer by Carol Bailey MSFT, Moderator, Tuesday, July 7, 2009 21:45
- Ok. Thank you.
- http://technet.microsoft.com/en-us/library/cc778954(WS.10).aspx
The Group Policy setting they tell you to change is what did it. Thanks.
- Marked as answer by cgehr, Tuesday, July 14, 2009 17:01
- Which Group Policy setting exactly, that isn't in the step-by-step instructions? This link uses autoenrollment rather than the automatic certificate request method, which is something I suggested you try as an alternative.
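The client-side checks Carol walks through above (root CA in the machine's Trusted Root store, a client-auth certificate in the Personal store, the GPO actually landing, anything in the event log), gathered into one script; this is an added example, not code from any poster or from Microsoft. It assumes an elevated PowerShell on a client in the test OU, a placeholder CA name in $CaName, and it reads the registry value behind the autoenrollment policy (the mechanism the accepted answer's link uses), not the Automatic Certificate Request setting the original poster started with.

```powershell
# Added example: client-side diagnostics for certificate enrollment via Group Policy.
# $CaName is a placeholder assumption; use the CA's common name as shown in the CA console.
param([string]$CaName = 'PLACEHOLDER-ENT-CA')

$ekuClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

# 1. Is the enterprise CA's certificate in the machine's Trusted Root store?
#    (With an enterprise CA this should arrive on its own; missing here means trust is broken.)
$roots = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$CaName*" })
if ($roots.Count -gt 0) {
    $roots | ForEach-Object { "Root store: CA '$CaName' present, thumbprint $($_.Thumbprint)" }
} else {
    "Root store: CA '$CaName' NOT present - clients will not trust certificates it issues"
}

# 2. Does the machine's Personal store hold a Client Authentication certificate from that CA?
#    This is the store the ConfigMgr client reads for its native-mode client certificate.
$clientCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*CN=$CaName*" -and
    (@($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $ekuClientAuth)
})
if ($clientCerts.Count -gt 0) {
    $clientCerts | ForEach-Object { "Personal store: $($_.Subject) valid until $($_.NotAfter)" }
} else {
    "Personal store: no client-auth certificate issued by '$CaName' - enrollment has not happened"
}

# 3. Did the autoenrollment GPO actually apply? The 'Certificate Services Client - Auto-Enrollment'
#    policy is written to this value; 7 means enabled with renewal and template update.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if ($ae) {
    "GPO: AEPolicy = $($ae.AEPolicy) (0 = disabled, 7 = fully enabled)"
} else {
    "GPO: AEPolicy not set - the autoenrollment policy has not applied here (compare with gpresult /r)"
}

# 4. Anything logged by the autoenrollment client in the last day? Errors here usually name
#    the template or the CA that could not be reached, which the thread above never got.
Get-EventLog -LogName Application -Source '*AutoEnrollment*' -After (Get-Date).AddDays(-1) `
    -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EntryType, EventID, Message | Format-List
```

If step 2 is empty while the same certificate enrolls fine from the Certificates MMC, the template and permissions are not the problem, and steps 3 and 4 point at the policy side, which is where this thread ended up.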