Windows Server 2012 CA will not allow Windows XP to autoenroll

    Question

  • I have a Windows Server 2012 Domain Controller with an Enterprise root CA installed. I have created a client authentication certificate template (2003 compatible). Domain Computers have Read, Enroll and Autoenroll permissions. I modified the Domain Policy to enable Certificate autoenrollment. I have two clients on the same subnet with the domain controller, one Windows 7 Ent SP1 and one Windows XP SP3. The problem: Windows 7 reboots, has client auth cert installed in computer's personal cert store. The Windows XP machine cannot acquire the certificate. Event ID 13, source is AutoEnrollment, 0x80094011, The permissions on this certification authority do not allow the current user to enroll for certificates. Both machines belong to the domain. Running gpupdate /force on the XP machine generates an info event stating that the computer security policy has been applied successfully, then the autoenrollment error. I've set up autoenrollment dozens of times without any problems. The only thing different in this environment is that the CA is installed on Server 2012. It could be something else, but the only real difference is Server 2012. There are no errors on the server. It is like the client just cannot talk to the server at all, but it's getting its policy from that server.

    Any ideas? 

    Wednesday, November 07, 2012 9:45 PM

Answers

  • Hi Thomas,

    Thanks for posting in Microsoft TechNet forums.

    We might need to check whether the "enhanced security setting" is enabled which can affect Windows XP client computers.

    For detailed information, we can check the "Increased security enabled by default on the CA role service" part of the article below:

    What's New in AD CS?

    http://technet.microsoft.com/en-us/library/hh831373.aspx

    Have a nice day.

    Regards

    Kevin  
    Friday, November 09, 2012 6:40 AM
  • Hi Thomas,

    Are the Win7 and WinXP computers both logged into the domain with the same user credentials?

    Thanks,

    -Greg

    Friday, November 09, 2012 7:40 PM

All replies

  • Hi Greg,

    Sorry for the delay.  Yes, they are both logged into the domain with the same user credentials.

    Tom

    Thursday, November 15, 2012 1:39 PM
  • I've run across this exact same issue. I've got a test lab setup with the following. 

    Domain controller 2008 R2. 

    AD CS root 2012 standard (stand alone) 

    AD CS sub 2012 standard (domain member)

    Windows 7 sp1 workstation (domain member)

    Windows XP sp3 workstation (domain member) 

    Using a domain admin account logging into both workstations. 

    Windows 7 works fine, Windows XP will not auto enroll the user or machine certificate. Same exact error that Thomas is getting.

    I'm currently researching the issue here and have an email out to a Microsoft PKI specialist on the issue also. I'll post back with what info I locate.

    Thursday, January 03, 2013 6:00 PM
  • Any updates on this Kelly? I've got a virtual lab setup and while I have not verified with a non-XP client, this is the precise situation I'm in - Server 2012 with CA configured, XP client failing to autoenroll. I can't even manually request a certificate with a domain admin account, the wizard completes with a similar error. I spent a number of hours reviewing different forum suggestions to no avail. I must admit I'm kind of pleased by the fact that others are experiencing the exact issue, specifically with Windows XP, which suggests a specific security related issue that can perhaps be overcome. I'm looking forward to hearing more about the cause of this problem.
    Tuesday, January 29, 2013 7:36 AM
  • http://technet.microsoft.com/en-us/library/hh831373.aspx

    What works differently?

    Windows XP clients will not be compatible with this higher security setting enabled by default on a Windows Server 2012 CA. If necessary, you can lower the security setting as previously described.

    Try running this command (the "-" clears the flag and lowers the security setting; "+" would set it):

    certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
    Restart the certification authority
    net stop certsvc
    net start certsvc

    INFO FROM LINK:

    What value does this change add?

    The CA enforces enhanced security in the requests that are sent to it. This higher security level requires that the packets requesting a certificate are encrypted, so they cannot be intercepted and read. Without this setting enabled, anyone with access to the network can read packets sent to and from the CA using a network analyzer. This means that information could be exposed that might be considered a privacy violation, such as the names of requesting users or machines, the types of certificates for which they are enrolling, the public keys involved, and so on. Within a forest or domain, leaking these data may not be a concern for most organizations. However, if attackers gain access to the network traffic, internal company structure and activity could be gleaned, which could be used for more targeted social engineering or phishing attacks.

    The commands to enable the enhanced security level of RPC_C_AUTHN_LEVEL_PKT on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 certification authorities are:

    certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
    Restart the certification authority
    net stop certsvc
    net start certsvc

    If you still have Windows XP client computers that need to request certificates from a CA that has the setting enabled, you have two options:

    • Proposed as answer by Pawel.Jasinski Wednesday, March 06, 2013 12:49 PM
    Wednesday, March 06, 2013 12:46 PM
  • Given that XP is now pretty much done with extended support, it might be time to retire it and move to Windows 7 for clients, or even 8 if your software stack is compatible.


    Windows MVP, XP, Vista, 7 and 8. More people have climbed Everest than having 3 MVP's on the wall.

    Hardcore Games, Legendary is the only Way to Play

    Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews

    • Proposed as answer by Edwin Montoya Monday, April 07, 2014 3:21 PM
    Wednesday, March 06, 2013 1:52 PM
  • I had the same issue exactly (CA 2012, XP clients).

    This is the event I got on the XP machine:

    EventID: 13 (AutoEnrollment)

    "Automatic certificate enrollment for local system failed to enroll for one The-CA-TemplateName certificate (0x80094011).  The permissions on this certification authority do not allow the current user to enroll for certificates."

    Lowering the security level instantly solved the problem:

    1. "certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST"

    2. "net stop certsvc & net start certsvc"

    3. on the XP Machine I initiated the AutoEnrollment process by running the following command:

    "certutil -pulse"

    After that on the XP Machine I got the following Event:

    EventID: 19 (AutoEnrollment)

    "Automatic certificate enrollment for local system successfully received one The-CA-TemplateName certificate from certificate authority "our Intermediate CA" on OurCAserver.ourCompany.com."

    Thursday, May 30, 2013 1:53 PM
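The CA-side flag change from the post quoting the TechNet article and the three-step procedure in the post above, combined into one PowerShell helper as an added example; this is not code from the thread or from Microsoft. It assumes the standard AD CS registry layout under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration (an Active value naming the CA and an InterfaceFlags DWORD under the CA's own key), that IF_ENFORCEENCRYPTICERTREQUEST is the 0x200 bit of that DWORD, that the server functions run on the CA as a CA administrator, and that the client function runs with local admin rights on a client that has at least PowerShell 2.0 installed (Windows XP SP3 supports that release). The function names are my own.

```powershell
# Added example (not from the thread). Audits and optionally lowers the
# IF_ENFORCEENCRYPTICERTREQUEST interface flag on a Windows Server 2012 CA
# using the same certutil commands the thread shows, then verifies
# autoenrollment from the client side via certutil -pulse and the
# AutoEnrollment events (ID 13 = failure, ID 19 = certificate received).

# Assumed registry layout of AD CS configuration (standard for CertSvc).
$CertSvcConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# Assumed bit value of IF_ENFORCEENCRYPTICERTREQUEST within InterfaceFlags.
$IF_ENFORCEENCRYPTICERTREQUEST = 0x200

function Get-CaInterfaceFlags {
    # Read-only audit: which CA is active and whether encrypted ICertRequest
    # calls are enforced. Run this on the CA.
    $caName = (Get-ItemProperty -Path $CertSvcConfig -Name Active).Active
    $caKey  = Join-Path $CertSvcConfig $caName
    $flags  = (Get-ItemProperty -Path $caKey -Name InterfaceFlags).InterfaceFlags
    New-Object PSObject -Property @{
        CAName                 = $caName
        InterfaceFlags         = ('0x{0:X}' -f $flags)
        EnforceEncryptRequests = (($flags -band $IF_ENFORCEENCRYPTICERTREQUEST) -ne 0)
    }
}

function Set-CaEnforceEncryptRequests {
    param([Parameter(Mandatory=$true)][bool]$Enabled)
    # '+' sets the flag (Server 2012 default), '-' clears it so Windows XP
    # clients can enroll. Same certutil syntax as the thread.
    $op = if ($Enabled) { '+' } else { '-' }
    & certutil.exe -setreg 'CA\InterfaceFlags' "${op}IF_ENFORCEENCRYPTICERTREQUEST" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg failed with exit code $LASTEXITCODE"
    }
    # The CA reads InterfaceFlags at service start, so restart CertSvc
    # (equivalent to the thread's net stop certsvc / net start certsvc).
    Restart-Service -Name CertSvc -Force
    # Return the post-change state so the caller can confirm the bit.
    Get-CaInterfaceFlags
}

function Test-ClientAutoEnrollment {
    param([int]$WaitSeconds = 30)
    # Client side: trigger autoenrollment now (step 3 of the post above) and
    # report the AutoEnrollment events logged since. Get-EventLog is used
    # rather than Get-WinEvent because it also exists on PowerShell 2.0.
    # The -like match covers both the XP source name "AutoEnrollment" and the
    # longer Windows 7 provider name that ends in "AutoEnrollment".
    $since = Get-Date
    & certutil.exe -pulse | Out-Null
    Start-Sleep -Seconds $WaitSeconds
    Get-EventLog -LogName Application -After $since |
        Where-Object { $_.Source -like '*AutoEnrollment*' -and ((13, 19) -contains $_.EventID) } |
        Select-Object TimeGenerated, EventID, Message
}

# Typical sequence:
#   on the CA:      Get-CaInterfaceFlags
#                   Set-CaEnforceEncryptRequests -Enabled $false
#   on the client:  Test-ClientAutoEnrollment      # expect EventID 19, not 13
#   once no XP clients remain, on the CA:
#                   Set-CaEnforceEncryptRequests -Enabled $true
```

Clearing the flag removes the requirement that ICertRequest RPC traffic be packet-encrypted, so the enrollment metadata the quoted article lists (requesting user or machine names, template names, public keys) becomes readable to anyone who can capture traffic on the segment between client and CA. Treat the lowered setting as an exception scoped to the remaining XP clients: record the output of Get-CaInterfaceFlags as the expected state, re-run it periodically to catch drift, and set the flag back with -Enabled $true once the XP machines are retired.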