User certificates not auto enrolling

  • Question

  • Help!  I'm really pulling my hair out with this one.

    I have duplicated the user template on my CA and added an AD user group with the autoenrol permission.  This template has been published and I have a group policy added to my users OU which enables certificate auto enrolment.

    When a test user logs in, I open up the local certificate user store and see nothing in the personal folder?

    Machine certificates seem ok, it's only the user ones which aren't working.  If I right-click and request new certificate, the certificate comes up and I can install it ok.

    It's just auto enrolment not working.  I've read the Microsoft guides, and all it says is to add the user group to the template with the permissions and set a group policy.  I've done all that, so there must be something else I need to do.

    Thanks!!

    Friday, July 24, 2020 8:16 AM

All replies

  • Hello,

    Thank you for posting in our TechNet forum.

    To configure user certificate autoenrollment, we could refer to the below official guide: 
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129699(v=ws.11)

    As per this guide, this configuration will be under Default Domain Policy. We could kindly have a recheck.

    For any question, please feel free to contact us.

    This "Directory Services" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details. 

    Best regards,
    Hannah Xiong

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Friday, July 24, 2020 8:53 AM
  • Yes, I can confirm that gpo is in place
    Friday, July 24, 2020 9:27 AM
  • Take a look for your GPO with autoenrollment. Are you sure that policy really has been applied? 

    Verify it via RSOP or GP Result.

    Friday, July 24, 2020 9:28 AM
  • Yes, the default domain policy has applied

    My machine has the registry key AEPolicy set to 7

    Running this command works fine certreq -enroll -user -q NameofTemplate
    Friday, July 24, 2020 10:15 AM
  • Take a look at "Event Viewer -> App -> MS -> Win -> CertificateServices-Deployment" on any host with logged user.

    And on CA -> Failed Request. Have you discovered any issues?

    Friday, July 24, 2020 12:39 PM
  • No failed requests on the CA

    I don't have CertificateServices-Deployment under event viewer

    Friday, July 24, 2020 12:43 PM
  • Hello,

    Thank you so much for your feedback.

    I did the test in my lab, and below are the steps.

    1, I have duplicated the user template on my CA and set the autoenroll permissions as shown below. Besides, as for the configuration of the template, I did not check the E-mail name since I did not configure the E-mail for the user.

    2, Then issue this certificate template. 

    3, Configure the GPO for User Certificate Autoenrollment as shown below. 

    4, Log on the client with the user account, and then check the certificate store. Under the personal folder, there is certificate as shown below. 


    We could kindly have a recheck of the process. For any question, please feel free to contact us.


    Best regards,
    Hannah Xiong


    Tuesday, July 28, 2020 7:01 AM
  • Hello,

    Does this question have any update or has this issue been solved? Also, for the question, is there any other assistance we could provide?

    Thank you so much for your time and support.

    Best regards,
    Hannah Xiong


    Thursday, July 30, 2020 6:50 AM
  • Check out "include this info in SAN" - for instance, e-mail is included, and if the user doesn't have this attribute then autoenrollment (generating the certificate) will fail in this case. 
    Thursday, July 30, 2020 7:31 AM
  • Thanks everyone,

    I have already done everything in this thread.  The user is in the AD group, that group has autoenrol permission, the GPO is set correctly and being applied.  I've tried removing the email address from the certificate template even though they have an email address.  Machine certs work ok, just not user ones.  Nothing in the event logs, no failed certs in the CA.

    Sunday, August 2, 2020 9:06 AM
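An added example, not part of the thread, that scripts the client-side checks discussed above (the AEPolicy value, forcing an autoenrollment pass, the client event logs, and whether a certificate from the template reached the Personal store). It assumes PowerShell in the affected user's session; `$TemplateName` is a placeholder for the template's display name.

```powershell
# Added example, not from the thread. Run in the affected user's session.
param([string]$TemplateName = 'ExampleUserTemplate')  # placeholder: your template's display name

# 1. AEPolicy as delivered by the user GPO (the thread reports 7). Bit meanings per
#    the Windows autoenrollment flag definitions: 0x1 template check, 0x2 Personal
#    store management (renew/remove), 0x4 fetch pending requests, 0x8000 disabled.
$aePath = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = (Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $ae) {
    Write-Warning 'AEPolicy missing: the user autoenrollment GPO has not applied to this user'
} elseif ($ae -band 0x8000) {
    Write-Warning ('AEPolicy 0x{0:X}: autoenrollment is disabled' -f $ae)
} else {
    'AEPolicy = {0} (template check={1}, store mgmt={2}, pending fetch={3})' -f
        $ae, [bool]($ae -band 1), [bool]($ae -band 2), [bool]($ae -band 4)
}

# 2. Trigger an autoenrollment pass now rather than waiting for logon / GP refresh.
certutil -pulse | Out-Null

# 3. Client-side logging lives under CertificateServicesClient; the
#    CertificateServices-Deployment log mentioned in the thread is a server-side AD CS log.
$since = (Get-Date).AddMinutes(-15)
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational'
    StartTime = $since
} | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = $since
} | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# 4. Did a certificate issued from the template reach the user's Personal store?
#    The template is carried in the Certificate Template Name (v1) or Certificate
#    Template Information (v2+) extension; Format() resolves the latter to the
#    display name when the template is reachable in AD.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
$found = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $text = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }
    ($text -join ' ') -like "*$TemplateName*"
}
if ($found) { $found | Select-Object Subject, NotAfter, Thumbprint }
else { Write-Warning "No certificate from template '$TemplateName' in Cert:\CurrentUser\My" }
```

If step 1 reports AEPolicy and step 3 stays empty after the pulse, the policy has arrived but the client never attempted enrollment, which narrows the search to template visibility rather than to the GPO.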
  • Hello,

    You are welcome. Thank you so much for your feedback.

    Have we checked whether we could manually enroll for a certificate for the user in the MMC Certificate Snap-in? 

    Please follow the detail steps to troubleshoot Autoenrollment:
    https://docs.microsoft.com/en-us/archive/blogs/xdot509/troubleshooting-autoenrollment

    Thank you so much for your time and support.

    Best regards,
    Hannah Xiong


    Monday, August 3, 2020 6:01 AM
  • Yes, manual works fine as does running this command certreq -enroll -user -q NameofTemplate
    Monday, August 3, 2020 7:41 AM
  • Hello,

    Thank you so much for your feedback.

    AD user group should have Read, Enroll and Auto Enroll permissions on the certificate template. Do we also add the Read and Enroll permissions? 

    Have we checked this provided document to troubleshoot? 
    https://docs.microsoft.com/en-us/archive/blogs/xdot509/troubleshooting-autoenrollment

    Here we would like to share with you more information about certificate autoenrollment. Hope it could be of some help to you.
    https://social.technet.microsoft.com/wiki/contents/articles/38085.certificate-autoenrollment.aspx

    Thank you so much for your time and support.

    Best regards,
    Hannah Xiong


    Tuesday, August 4, 2020 7:48 AM
  • Hello,

    Thank you so much for your time.

    Welcome to share your current situation if there is any update. We hope the issue could be resolved soon. Thanks so much.

    Best regards,
    Hannah Xiong


    Thursday, August 6, 2020 3:08 AM
  • Still having the same issue.  I know you said the template requires read and enroll as well, but considering the certreq command works, I assumed you would know that was already set.

    There must be something else I need to do in order to make it work.

    Thursday, August 6, 2020 10:18 AM
  • Hello,

    Thank you so much for your feedback.

    As mentioned, there must be something else we need to do in order to make it work. Hope we could figure it out soon. 

    Besides, "Directory Services" forum will be migrating to a new home on Microsoft Q&A! If we still need any further assistance, we could create a new thread in the Microsoft Q&A platform. Then we could continue discussing this issue there. And others could also share their experience or knowledge there.

    Thank you so much for your understanding and support.


    Best regards,
    Hannah Xiong


    Friday, August 7, 2020 7:10 AM