Server 2012 R2 - "Cross forest enrollment is not enabled" RRS feed

  • Question

  • Hi,

    I am trying to issue certificates into another forest, following the guides from Microsoft. I have a 2 way trust between my domains, and everything is running on Server 2012 R2 (and all the functional levels are 2012 R2 as well). However, the certificate requests get denied with the error "Denied by Policy Module 0x8007202b, The requester's Active Directory object is not in the current forest. Cross forest enrollment is not enabled".

    How do I enable it? According to all my research, it should be on by default (and you can't turn it off for that matter) in any version of 2012 R2 (using Standard).



    Tuesday, May 3, 2016 9:35 PM


  • It is not on by default.

    Please check this whitepaper for details:


    You probably have missed:

    - LDAP referrals

    - Publication of the CA certificates in the resource forest

    - Inclusion of the issuing CA computer accounts in the Cert Publishers group

    - Verification that the URLs in the CDP/AIA are accessible from the resource forest

    - Permissions are configured to enable Read and Enroll permissions for groups in the Resource forest


    Wednesday, May 4, 2016 3:50 AM