Auto-enrollment setting not being published via GPO

    Question

  • Hi!

    I am starting to verify computers by wired 802.1X authentication against a RADIUS server, which runs on Win2008R2. My clients are Win7, but not the whole GPO is applied to them. The first portion (run the Wired AutoConfig service, and the appropriate settings) is done fine, but I am unable to publish the certificate GPO to the client.

    GPO looks like:

    Policy Setting
    Automatic certificate management = Enabled

    Option Setting
    Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates = Enabled
    Update and manage certificates that use certificate templates from Active Directory = Enabled

    Public Key Policies/Trusted Root Certification Authorities

    Policy
    Allow users to select new root certification authorities (CAs) to trust = Enabled
    Client computers can trust the following certificate stores = Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
    To perform certificate-based authentication of users and computers, CAs must meet the following criteria = Registered in Active Directory only


    • Edited by vlad669 Thursday, May 24, 2018 9:29 AM
    Thursday, May 24, 2018 9:27 AM

All replies

  • Hello,

    Did you check the rights you have on the template the computers use for autoenrollment?

    Best Regards,

    Thursday, May 24, 2018 12:43 PM
  • I don't clearly understand, I am pretty new at these things. Can you be more specific? Thanks

    Friday, May 25, 2018 6:36 AM
  • I have modified the GPO with the reg key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\AutoEnrollment, AEPolicy = 7, and now it's working like a charm. But I am not sure whether it's 100% right with these settings.
    • Edited by vlad669 Friday, May 25, 2018 8:00 AM
    Friday, May 25, 2018 7:54 AM
  • Below is what you need to check:

    • Launch the Certification Authority MMC
    • Expand your PKI server
    • Right-click on Certificate Templates and click on Manage (this will launch the Certificate Templates console)
    • Right-click on the certificate template your computers use for autoenrollment and go to Properties
    • Go to the Security tab and verify that you have Read, Enroll and Autoenroll for the security principal (based on your configuration, maybe the computers which need the certificate are part of a group, or maybe you are using the Authenticated Users default, or, like below, Domain Computers)

    Best Regards,

    Friday, May 25, 2018 8:08 AM
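The same check, scripted against Active Directory instead of clicked through the Certificate Templates console. This is an added example and not part of the thread; the template name (`WorkstationAuthentication`) and the principal (`Domain Computers`) are assumptions to be replaced with your own, and the Certificate-Enrollment / Certificate-AutoEnrollment extended-right GUIDs are the documented ones. Templates live under the Configuration partition, so this runs on any domain-joined box with the ActiveDirectory RSAT module; no CA MMC needed.

```powershell
# Added example (not from the thread): verify Read / Enroll / Autoenroll on a
# certificate template for a security principal, then confirm the CA publishes it.
Import-Module ActiveDirectory

$TemplateName = 'WorkstationAuthentication'   # ASSUMED template cn (not the display name)
$Principal    = 'Domain Computers'            # ASSUMED security principal (a group)

# Documented extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Compare by SID so localized or renamed group names do not matter
$sid = (Get-ADGroup -Identity $Principal).SID

$acl  = Get-Acl -Path "AD:\$templateDN"
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
}

function Test-TemplateRight {
    param($Aces, [guid]$RightGuid)
    # An ACE grants the right if it carries ExtendedRight for this specific GUID,
    # or for all extended rights (ObjectType = empty GUID, e.g. GenericAll).
    [bool]($Aces | Where-Object {
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $RightGuid -or $_.ObjectType -eq [guid]::Empty)
    })
}

[pscustomobject]@{
    Template   = $TemplateName
    Principal  = $Principal
    Read       = [bool]($aces | Where-Object {
                    $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead })
    Enroll     = Test-TemplateRight -Aces $aces -RightGuid $EnrollGuid
    AutoEnroll = Test-TemplateRight -Aces $aces -RightGuid $AutoEnrollGuid
}

# Permissions are not enough: the template must also be published on the CA.
# Each CA object lists its published templates in certificateTemplates.
$caContainer = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
Get-ADObject -SearchBase $caContainer -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
    Select-Object Name, @{ n = 'PublishesTemplate'; e = { $_.certificateTemplates -contains $TemplateName } }
```

All three of Read, Enroll and AutoEnroll must come back True for the principal that the client computer account actually belongs to; Enroll without AutoEnroll is the classic reason a manual request works but the autoenrollment task silently does nothing.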
  • These settings are the same as mine (and it's now working without modifying the REG key)
    Friday, May 25, 2018 8:35 AM
  • Great,

    Please don't forget to mark it as answer to help the community :)

    Best Regards,

    Friday, May 25, 2018 8:38 AM
  • Sorry, I mistyped... It's still NOT working without modifying the REG settings
    Friday, May 25, 2018 8:49 AM
  • Ok,

    Did you try to split the GPO into two GPOs? One for 802.1X and another for autoenrollment?

    Best Regards,

    Friday, May 25, 2018 8:54 AM
  • Now I tried it, with no effect. Auto-enrollment takes no effect, very strange
    Friday, May 25, 2018 9:06 AM
  • But the reg key HKLM\Software\Policies\Microsoft\Cryptography\AutoEnrollment\AEPolicy with value 7

    0x00000007

    Enabled, Update certificates that use certificate templates configured, Renew expired certificates, update pending certificates, and remove revoked certificates configured

    is equal to the GPO created via the GUI. So I think we can close this thread and mark it as SOLVED :)


    Thanks for the cooperation ;)
    • Edited by vlad669 Friday, May 25, 2018 9:23 AM
    Friday, May 25, 2018 9:23 AM
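What the value 7 means bit by bit, read back from the client. This is an added example, not something posted in the thread: it reads the effective `AEPolicy` value under the key quoted above, decodes it with the documented AUTO_ENROLLMENT_* flags (0x1 template check, 0x2 MY-store management, 0x4 pending fetch, 0x8000 disabled), and then kicks the machine autoenrollment task and shows its most recent events. The scheduled-task name and the event provider name are the ones Windows uses for the autoenrollment client; treat them as assumptions and adjust if your build differs.

```powershell
# Added example (not from the thread): decode the client's effective
# autoenrollment policy and trigger an autoenrollment pass. Run elevated.
$RegPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# Documented flag bits for the AEPolicy DWORD
$Flags = [ordered]@{
    0x1    = 'AUTO_ENROLLMENT_ENABLE_TEMPLATE_CHECK      (update certs that use templates)'
    0x2    = 'AUTO_ENROLLMENT_ENABLE_MY_STORE_MANAGEMENT (renew expired / remove revoked)'
    0x4    = 'AUTO_ENROLLMENT_ENABLE_PENDING_FETCH       (process pending requests)'
    0x8000 = 'AUTO_ENROLLMENT_DISABLE_FLAG               (autoenrollment disabled)'
}

function Get-AutoEnrollmentState {
    param([string]$Path = $RegPath)
    # Refresh computer policy first so we look at what the GPO really delivered
    gpupdate /target:computer /force | Out-Null

    $item = Get-ItemProperty -Path $Path -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: the policy is "Not configured" on this client
        return [pscustomobject]@{ Present = $false; AEPolicy = $null; Enabled = $false; Flags = @() }
    }

    $v   = [int]$item.AEPolicy
    $set = foreach ($bit in $Flags.Keys) { if ($v -band $bit) { $Flags[$bit] } }
    [pscustomobject]@{
        Present  = $true
        AEPolicy = ('0x{0:X8}' -f $v)                 # 7 prints as 0x00000007
        Enabled  = (($v -band 0x8000) -eq 0)           # 0x8000 overrides everything else
        Flags    = @($set)
    }
}

Get-AutoEnrollmentState | Format-List

# Force an autoenrollment run for the machine context (ASSUMED task path; this is
# the task Windows registers for the autoenrollment client) and read its events.
schtasks /run /tn '\Microsoft\Windows\CertificateServicesClient\SystemTask' | Out-Null
Start-Sleep -Seconds 10
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'   # ASSUMED provider name
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
```

If `Present` is False after a forced `gpupdate`, the GPO is not delivering the value at all, which is a policy-application problem rather than a PKI one; if it is 0x00000007 but the event log shows enrollment failures, the problem is on the template or CA side.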
  • Ok,

    No problem

    Best Regards,

    Friday, May 25, 2018 9:28 AM
  • Hi Vlad,

    Looking at it: the GPO setting is correct but is not giving the right result. However, if you manually set the registry value the GPO was supposed to set, it does work. That leads me to believe the GPO was not applied correctly.

    A good way to start troubleshooting there would be to do a Resultant Set of Policy on the affected machine(s), either through rsop.msc or gpresult. Either will give you which GPO settings are applied and where they come from. So you can look up this setting and see what happens.

    Kind Regards,

    Friday, May 25, 2018 1:53 PM
  • Thanks for your answer. With gpresult /r I see this output:

    Applied Group Policy Objects
    -----------------------------
        WSUS
        UAC
        disable IPv6
        SAP_LOGON
        dot1x client
        Global XYZ GPO
        Default Domain Policy

    dot1x client contains all the settings in the GPO which are mentioned above.

    If I run rsop.msc I see the policy WAS pushed to the affected client, but when I check it through gpedit.msc no settings about auto-enrollment were applied.

    I checked through these policies whether there is something forcing NOT TO APPLY autoenroll, but I didn't find anything like that.


    • Edited by vlad669 Wednesday, June 06, 2018 9:39 AM spell correction
    Wednesday, June 06, 2018 9:38 AM
  • Hi Vlad,

    This is getting more interesting. What the Group Policy does is apply the registry settings. What you describe should have the same result.

    Have you looked up the precise autoenrollment policy settings in your gpresult output? It should tell you the winning setting as well as which GPO was the winning one.

    Kind Regards,

    Tuesday, June 12, 2018 7:43 AM
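A way to answer that last question without reading the whole gpresult report by eye. This is an added example and not part of the thread: it parses the "Applied Group Policy Objects" section of `gpresult /r` on the client (the same section the output above comes from), then asks each applied GPO, through the GroupPolicy module, what it sets under the autoenrollment key, and finally compares that with the value actually present on the client. It assumes the GroupPolicy RSAT module is available where you run it and that the autoenrollment policy is stored in the GPO's registry.pol, which is what `Get-GPRegistryValue` reads; if every GPO comes back empty, fall back to `gpresult /h report.html` and search the report for "AutoEnrollment".

```powershell
# Added example (not from the thread): find which applied GPO carries the
# AutoEnrollment policy, and what the client ended up with.
$KeyPath = 'HKLM\Software\Policies\Microsoft\Cryptography\AutoEnrollment'

function Get-AppliedComputerGpo {
    # Parse the applied-GPO list from gpresult's text output
    $lines   = gpresult /scope:computer /r 2>&1
    $applied = @()
    $inList  = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*Applied Group Policy Objects') { $inList = $true; continue }
        if (-not $inList) { continue }
        if ($line -match '^\s*-+\s*$') { continue }   # the "-----" underline
        if ($line -match '^\s*$')      { break }      # blank line ends the section
        $applied += $line.Trim()
    }
    return $applied
}

function Get-GpoAutoEnrollmentValue {
    param([string[]]$GpoName)
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($name in $GpoName) {
        $vals = Get-GPRegistryValue -Name $name -Key $KeyPath -ErrorAction SilentlyContinue
        foreach ($v in @($vals)) {
            if ($null -eq $v) { continue }
            [pscustomobject]@{
                GPO       = $name
                ValueName = $v.ValueName
                Data      = if ($v.Type -eq 'DWord') { '0x{0:X8}' -f [int]$v.Value } else { $v.Value }
                Type      = $v.Type
            }
        }
    }
}

$applied = Get-AppliedComputerGpo
"Applied computer GPOs: $($applied -join ', ')"

"`nGPOs that set something under $KeyPath :"
$found = Get-GpoAutoEnrollmentValue -GpoName $applied
if ($found) { $found | Format-Table -AutoSize } else { '  (none - the setting is not in any applied GPO''s registry.pol)' }

"`nEffective value on this client:"
$eff = Get-ItemProperty -Path "HKLM:\$($KeyPath -replace '^HKLM\\','')" -Name AEPolicy -ErrorAction SilentlyContinue
if ($eff) { '  AEPolicy = 0x{0:X8}' -f [int]$eff.AEPolicy } else { '  AEPolicy not present' }
```

If more than one GPO sets `AEPolicy`, the client keeps the one applied last in precedence order, so the table tells you directly which GPO is winning and whether the value it carries is the 0x00000007 you expected.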