PKI Autoenrollment results in two certificates enrolled

    Question

  • We need to autoenroll certificates to our servers and clients to be used for RDS.

    The auto-enrollment is set through "Public Key Policies/Certificate Services Client - Auto-Enrollment Settings", where it gets deployed nicely.

    For RDS security we also have to set the certificate template under "Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security".

    Unfortunately, when we set both settings we receive the same certificate twice, deployed from the same template and PKI! This pollutes the PKI when you want to serve a bunch of systems.

    Worth mentioning that these certs are equal in terms of template, PKI and key usage; they only differ in date of issue, by about 10 seconds.

    We also checked the debug output for certificate enrollment, and found that the first certificate is requested by "svchost.exe", which is expected, while the second one is requested by "taskhost.exe".

    Interestingly, if we delete both certs we then receive only one new certificate! That would suggest that the received cert actually satisfies both GP settings...


    • Edited by universam Thursday, May 28, 2015 7:52 AM
    Thursday, May 28, 2015 7:49 AM
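A quick way to see the symptom described in the question on an affected host is to list the machine certificates grouped by template and subject and flag groups with more than one live certificate. The script below is an added example written for this page; it is not code posted by universam. It assumes a domain-joined Windows host with the enrolled certificates in LocalMachine\My, and that the templates are v2 or later (it also falls back to the v1 template-name extension). The function name Find-DuplicateEnrollment is made up for the example.

```powershell
# Added example (not from the thread): report certificates in the machine store
# that were enrolled more than once from the same template for the same subject.
# Assumptions: run as administrator on the affected RDS host; certificates live
# in Cert:\LocalMachine\My; the English friendly names of the extensions are
# not relied on, only their OIDs.

$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # "Certificate Template Information" (v2+ templates)
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # "Certificate Template Name" (v1 templates)

function Get-CertTemplateId {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -eq $TemplateInfoOid -or $_.Oid.Value -eq $TemplateNameOid } |
        Select-Object -First 1
    if (-not $ext) { return $null }
    # Format($false) renders the extension as one line, e.g.
    # "Template=Machine(1.0), Major Version Number=..." or the OID if the
    # template is not known locally.
    return $ext.Format($false)
}

function Find-DuplicateEnrollment {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Two certs issued within this window are treated as one double enrollment.
        [int]$WindowSeconds = 60
    )
    $now = Get-Date
    $certs = Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt $now } |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter,
            @{ Name = 'Template'; Expression = { Get-CertTemplateId -Cert $_ } }

    $certs |
        Where-Object { $_.Template } |
        Group-Object Template, Subject |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object NotBefore
            $first  = $sorted[0]
            foreach ($c in $sorted) {
                [pscustomobject]@{
                    Template   = $c.Template
                    Subject    = $c.Subject
                    Thumbprint = $c.Thumbprint
                    NotBefore  = $c.NotBefore
                    # Seconds after the earliest cert in the group; the thread
                    # reports a gap of roughly 10 s between the two enrollments.
                    DeltaSec   = [int]($c.NotBefore - $first.NotBefore).TotalSeconds
                    WithinWindow = (($c.NotBefore - $first.NotBefore).TotalSeconds -le $WindowSeconds)
                }
            }
        }
}

# Usage: print every duplicated template/subject pair with the issue-time gap.
Find-DuplicateEnrollment | Format-Table Template, Subject, Thumbprint, NotBefore, DeltaSec, WithinWindow -AutoSize
```

The script only reports; which of the two certificates to keep is a separate decision, since the question notes that RDS and autoenrollment both consider themselves satisfied by whichever one remains. To see which process issued each request, pair the thumbprints with the CertificateServicesClient debug output the question refers to.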

All replies

  • Hi,

    >>Unfortunately, when we set both settings we receive the same certificate twice, deployed from the same template and PKI! This pollutes the PKI when you want to serve a bunch of systems.

    Based on the description, if we temporarily disable the RDS security setting, does this situation persist?

    Besides, we can try to enable auditing to check if more information can be found about the request of the certificate.  

    To enable auditing, we need to enable the following policy setting:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access

    and then, in the Certification Authority console, navigate to the CA, right-click it and choose Properties, go to the Auditing tab, and tick the option "Issue and manage certificate requests".

    Regarding auditing Certification Services, the following article can be referred to for more information.

    Audit Certification Services

    https://technet.microsoft.com/en-us/library/dd772671(v=ws.10).aspx

    Best regards,

    Frank Shen




    Friday, May 29, 2015 3:32 AM
    Moderator
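The auditing setup in the reply above, done from the command line instead of the MMC, followed by a search of the resulting Security-log events for the double issuance the question describes. This is an added example for this page, not code from Frank Shen or from Microsoft. It assumes the CA service has its default name (CertSvc), the default registry layout under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, an English event-message template (the regexes parse the message text), and that 0x4 is the AuditFilter bit behind "Issue and manage certificate requests". Event ID 4887 is "Certificate Services approved a certificate request and issued a certificate". The function names are made up for the example.

```powershell
# Added example (not from the reply): enable request auditing on the CA and
# look for two issued certificates for the same requester a few seconds apart.
# Run on the CA as a CA administrator.

function Enable-CaRequestAuditing {
    # "Audit object access" covers AD CS through this advanced subcategory.
    auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null

    # AuditFilter is a bitmask; 0x4 = "Issue and manage certificate requests".
    # Read the current value so other audit checkboxes are preserved.
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active   # assumption: default layout
    $caKey  = Join-Path $cfgKey $caName
    $current = (Get-ItemProperty -Path $caKey -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
    if ($null -eq $current) { $current = 0 }
    $IssueAndManage = 0x4
    if (-not ($current -band $IssueAndManage)) {
        certutil -setreg CA\AuditFilter ($current -bor $IssueAndManage) | Out-Null
        Restart-Service CertSvc   # the CA reads AuditFilter at start-up
    }
}

function Find-DoubleIssuance {
    param(
        [int]$WindowSeconds = 60,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $window = [TimeSpan]::FromSeconds($WindowSeconds)
    $issued = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4887; StartTime = $Since } `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: English message layout with "Requester:" and "Request ID:" lines.
            $requester = if ($_.Message -match 'Requester:\s+(\S+)') { $Matches[1] } else { '?' }
            $requestId = if ($_.Message -match 'Request ID:\s+(\d+)') { [int]$Matches[1] } else { 0 }
            [pscustomobject]@{ Time = $_.TimeCreated; Requester = $requester; RequestId = $requestId }
        }

    # A machine account (DOMAIN\HOST$) issued twice inside the window is the
    # symptom from the thread: one request from autoenrollment, one from the
    # RDS setting.
    $issued | Group-Object Requester | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            $gap = $sorted[$i].Time - $sorted[$i - 1].Time
            if ($gap -le $window) {
                [pscustomobject]@{
                    Requester  = $_.Name
                    FirstReqId = $sorted[$i - 1].RequestId
                    SecondReqId = $sorted[$i].RequestId
                    GapSeconds = [int]$gap.TotalSeconds
                }
            }
        }
    }
}

# The CA database already holds every request even without auditing; this
# shows the same information straight from it for one host (Disposition 20 = issued).
function Get-IssuedRequestsForHost {
    param([Parameter(Mandatory)][string]$RequesterName)   # e.g. 'CONTOSO\RDSHOST01$'
    certutil -view -restrict "RequesterName=$RequesterName,Disposition=20" `
        -out "RequestID,RequesterName,CertificateTemplate,NotBefore"
}

# Usage:
Enable-CaRequestAuditing
Find-DoubleIssuance | Format-Table -AutoSize
```

Enabling the subcategory with auditpol is the same effect as the legacy "Audit object access" policy mentioned in the reply, but scoped to AD CS only, so the Security log is not flooded with unrelated object-access events. The AuditFilter change does not take effect until the CA service restarts, which is why the function restarts it.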
  • >>Based on the description, if we try to temporarily disable the RDS security setting, will this kind of situation persist?

    Hi, thanks for pointing that out. That's the key point: when we disable / remove the RDS security settings, the double enrollment does not occur; we retrieve only one certificate. Even better, when we link the RDS setting later we do not receive another cert.

    This sounds like a workaround, but it is not, because with later-installed computers this won't work.

    We'll try the extended audit!

    Thanks!

    Friday, May 29, 2015 7:42 AM