This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Server 2012 R2 - "Cross forest enrollment is not enabled"

Question
0

Sign in to vote

Hi,

I am trying to issue certificates into another forest, following the guides from Microsoft. I have a 2 way trust between my domains, and everything is running on Server 2012 R2 (and all the functional levels are 2012 R2 as well). However, the certificate requests get denied with the error "Denied by Policy Module 0x8007202b, The requester's Active Directory object is not in the current forest. Cross forest enrollment is not enabled".

How do I enable it? According to all my research, it should be on by default (and you can't turn it off for that matter) in any version of 2012 R2 (using Standard).

Thanks,

Elizabeth.

Tuesday, May 3, 2016 9:35 PM

Answers

0

Sign in to vote
It is not on by default.

Please check this whitepaper for details:

https://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx

You probably have missed:

- LDAP referrals

- Publication of the CA certificates in the resource forest

- Inclusion of the issuing CA computer accounts in the Cert Publishers group

- Verification that the URLs in the CDP/AIA are accessible from the resource forest

- Permissions are configured to enable Read and Enroll permissions for groups in the Resource forest

Brian
- Proposed as answer by Steven_Lee0510 Thursday, May 5, 2016 5:52 AM
- Marked as answer by Steven_Lee0510 Tuesday, May 17, 2016 4:19 PM
Wednesday, May 4, 2016 3:50 AM