The setup is this:
- Offline root CA, 2K3
- Policy/Issuing CA 1, 2K8 R2
- Policy/Issuing CA 2, 2K8 R2
- Windows XP SP3 client
I duplicated the Code Signing certificate on one of the 2K8 R2 CAs and was prompted to select the Windows Server version for the duplicate template; the choices were Windows Server 2003 or Windows Server 2008. As I had a 2K8 R2 CA, I opted for Windows Server 2008. I configured the certificate template for autoenrollment, securing the template against a global group called Template 1 and granting Read, Enroll and Autoenroll permissions. Try as I might, I could not get the certificate to automatically enroll for a member of Template 1 when they logged on. After adding a registry key so that autoenrollment messages were added to the event log, all I could see was Autoenrollment starting, followed by Autoenrollment finishing!
I repeated the process above duplicating the same template, but chose Windows Server 2003 instead of Windows Server 2008 at the prompt. Autoenrollment now works!
All I want to ask is 'Why?'
Is it because the root CA is 2K3, as I thought the prompt would refer only to the CA where the template existed?
Steve G
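A check a PKI administrator can run against the question above: which schema version each template in the forest ended up with (the "Windows Server 2008" choice at duplication time creates a version 3 template, which Windows XP clients cannot use) and whether its enrollment flags request autoenrollment. This is an added PowerShell example, not part of the original post; it assumes a domain-joined host with read access to the Configuration partition.

```powershell
# Added example (not from the original post): enumerate certificate templates
# in the forest's Configuration partition and report each one's schema version,
# the minimum client OS that can enroll against it, and whether autoenrollment
# is requested. Assumes read access to the Configuration naming context.

$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = $rootDse.configurationNamingContext
$container = [ADSI]("LDAP://CN=Certificate Templates,CN=Public Key Services," +
                    "CN=Services,$configNc")

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter   = "(objectClass=pKICertificateTemplate)"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(
    @("cn", "displayName", "msPKI-Template-Schema-Version", "msPKI-Enrollment-Flag"))

# The OS picked in the "Duplicate Template" prompt sets the schema version,
# and the schema version sets the oldest client that can enroll against it.
$minimumClient = @{
    1 = "Windows 2000"
    2 = "Windows XP / Windows Server 2003"
    3 = "Windows Vista / Windows Server 2008 (CNG)"
    4 = "Windows 8 / Windows Server 2012"
}
$CT_FLAG_AUTO_ENROLLMENT = 0x20   # bit in msPKI-Enrollment-Flag

$templates = foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties
    $version = [int]$p["mspki-template-schema-version"][0]
    # Older templates may carry no enrollment flag at all; treat that as 0.
    $flags = if ($p["mspki-enrollment-flag"].Count) { [int]$p["mspki-enrollment-flag"][0] } else { 0 }
    [pscustomobject]@{
        Template      = $p["displayname"][0]
        SchemaVersion = $version
        MinimumClient = $minimumClient[$version]
        AutoEnroll    = (($flags -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0)
    }
}

# Show only templates that ask for autoenrollment, oldest-compatible first, so a
# version 3 template assigned to XP clients stands out immediately.
$templates | Where-Object { $_.AutoEnroll } |
    Sort-Object SchemaVersion, Template |
    Format-Table -AutoSize
```

A template listed with SchemaVersion 3 will be silently skipped by an XP autoenrollment pass, which matches the "starting" then "finishing" pair of events with nothing in between.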