ADCS - Smartcard User and Logon issuing problem

    Question

  • I've built an Enterprise Root CA in my domain from scratch, made an enrollment agent and issued a cert for him. When I try to Enroll On Behalf Of... I can issue, for example, a Basic EFS or User certificate, but I can't issue a Smartcard Logon or Smartcard User certificate. When I click enroll, I get the following message:

    Failed to install one or more certificates

    STATUS: Request denied

    The signature of the certificate cannot be verified.
    Error Constructing or Publishing Certificate The Request ID is x.

    On my client machine, where I'm logged in as the enrollment agent and from where I'm issuing certificates, I get Event ID 13 in the event log:

    Certificate enrollment for DZPANCEVO\enrollagent failed to enroll for a SmartcardUser certificate with request ID 14 from dc1.dzpancevo.org\dzpancevo-DC1-CA (The signature of the certificate cannot be verified. 0x80096004 (-2146869244)).

    On my CA server, I get Event ID 53:

    Active Directory Certificate Services denied request 14 because The signature of the certificate cannot be verified. 0x80096004 (-2146869244).  The request was for E=xxx@xxxxxx.org, CN=xxx xxxxxx, OU=xxxx, OU=xxx Users, DC=xxxx, DC=xxx.  Additional information: Error Constructing or Publishing Certificate

    I'm stuck here; we bought smart cards for all users in the organization and they are all waiting for me to implement them. I'll appreciate any help.


    Monday, November 12, 2012 10:31 PM

All replies

  • There might be several possible causes for the ADCS Event ID 53.

    Event ID 53 — AD CS Certificate Request (Enrollment) Processing

    http://technet.microsoft.com/en-us/library/dd299871(v=ws.10).aspx

    Niko
    Tuesday, November 13, 2012 7:04 AM
  • Of course I checked that link (it's the direct link from Event Viewer) and went through all the steps, but nothing is wrong. I just don't understand this event ID and this message: The signature of the certificate cannot be verified. Does this mean that my enrollment agent certificate has problems?
    Tuesday, November 13, 2012 9:17 AM
  • I think this is because your smart card uses a custom CSP and a custom (non-RSA) algorithm to generate key pairs. To resolve this issue, the smart card middleware (along with the CSP) must be installed on all machines.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    • Marked as answer by bojantr Friday, November 16, 2012 2:22 PM
    Tuesday, November 13, 2012 11:21 AM
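
One way to check the point made in the marked answer, as an added example that is not part of the original thread: list the CSPs each smart card template requests (the `pKIDefaultCSPs` attribute) and compare them with the legacy CSPs registered on the local machine. The function names are hypothetical, the template names assume the built-in `SmartcardUser` and `SmartcardLogon` templates, and CNG key storage providers are not covered.

```powershell
# Added example: run on the enrollment station and again on the CA server.

function Get-InstalledCsp {
    # Legacy CryptoAPI CSPs are registered as subkeys of this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
    Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName }
}

function Get-TemplateCsp {
    param([Parameter(Mandatory = $true)][string]$TemplateName)
    # Templates live in the configuration partition of the forest.
    $config = ([adsi]'LDAP://RootDSE').configurationNamingContext
    $base   = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]$base)
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
    [void]$searcher.PropertiesToLoad.Add('pKIDefaultCSPs')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Template '$TemplateName' not found" }
    # Each value looks like "1,Microsoft Base Smart Card Crypto Provider":
    # a priority, a comma, then the provider name.
    $result.Properties['pkidefaultcsps'] | Sort-Object |
        ForEach-Object { ($_ -split ',', 2)[1].Trim() }
}

function Test-TemplateCsp {
    param([string[]]$TemplateCsp, [string[]]$InstalledCsp)
    # One row per CSP the template asks for; Installed = $false marks a
    # provider (middleware) that is missing on this machine.
    foreach ($csp in $TemplateCsp) {
        [pscustomobject]@{ Csp = $csp; Installed = ($InstalledCsp -contains $csp) }
    }
}

# Live check against the domain and the local registry.
$installed = Get-InstalledCsp
foreach ($t in 'SmartcardUser', 'SmartcardLogon') {
    Test-TemplateCsp -TemplateCsp (Get-TemplateCsp $t) -InstalledCsp $installed |
        Select-Object @{ n = 'Template'; e = { $t } }, Csp, Installed
}

# Constructed values (placeholder vendor name) showing the output shape
# without a domain: the vendor CSP is reported as not installed.
Test-TemplateCsp -TemplateCsp 'Vendor Smart Card CSP (placeholder)' `
                 -InstalledCsp 'Microsoft Base Smart Card Crypto Provider'
```

A template with an empty `pKIDefaultCSPs` attribute returns no rows, which means the template does not restrict the provider.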