Unable to enroll Computer certificates on Server 2008 R2 and older

  • Question

  • I've found a strange issue with our CA setup, and it didn't used to be a problem.  While renewing some internal certificates a couple of months ago I discovered that systems of the Windows 7/Server 2008 R2 and older families cannot enroll for a Computer certificate or for a custom template I built for web servers.  Systems of the Windows 8/Server 2012 and newer families can enroll using the exact same user and process without any trouble.  Direct IIS "domain certificate" enrollment still works.

    I'm enrolling with the Certificates MMC snap-in to allow use of the enhanced security template I built.  I open MMC, add the local computer certificates snap-in, and then attempt to request a certificate with Personal > Certificates > All Tasks > Request New Certificate.  I choose the Active Directory Enrollment Policy but then get the "Certificate types are not available" error message and a blank selection screen.  If I check the box to show all templates the certificates I want are listed with:

    "The permissions on this certification authority do not allow the current user to enroll for certificates. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA doesn't support this operation, or the CA is not trusted."

    I've checked Event Viewer on both the CA and the clients, along with the CA request logs, but there's nothing visibly wrong.  The error message seems to say it all but since Windows 8/2012 clients and newer work I know the CA is functional and that the Administrator account can request certificates.  I've searched the web but can't find anything like this specific issue.

    Any ideas?

    Thank you!

    Saturday, December 27, 2014 12:45 AM

Answers

  • Hello everyone.

    This fix was on hold for a bit, mostly because I hadn't received a notice that there was a new reply.  When I checked a couple of weeks ago and found the latest info I started working on it again.

    I ended up building a brand new enterprise root CA to resolve this problem.  I don't know what happened, when, or why, but the new server is able to issue certificates to all clients as expected.  I'm currently rolling over all of our self-signed certificates to the new CA and root cert, and once that's done I'll be decommissioning the old CA per the guide above.

    Thank you for your input, especially to Amy.  I'd love to know why our old CA quit working but given some of our future initiatives it's more important that we have a working PKI, not necessarily that specific one.  And since we don't have too many things using certificates today it's not too hard to migrate.

    Thanks again!

    Alan

    • Marked as answer by CofI-Alan Thursday, April 2, 2015 12:29 AM
    Thursday, April 2, 2015 12:29 AM

All replies

  • What OS version is the CA and what version did you create the template as? If you created it as a V4 template, then the older machines like Windows 7 won't work, but newer systems will.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Saturday, December 27, 2014 6:56 AM
  • Hi,

    Do you have any progress?

    As Mark mentioned, please tell us the OS of the CA, and the domain/forest functional level, I may try to test this with the information above.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 29, 2014 7:56 AM
    Moderator
  • My apologies, I meant to include the server information in my original post.  It's a Server 2012 Datacenter system.  The domain and forest are both at the Server 2012 level and our DCs are Server 2012 Datacenter as well.  The template is Version 2 for backwards compatibility, since that function is clearly noted in the template setup dialog.

    Thanks!

    Alan

    Monday, December 29, 2014 4:38 PM
  • Hi Alan,

    I have set up a single domain forest with both forest functional level and domain functional level Windows Server 2012, the Domain Controller is a Windows Server 2012 R2 Standard machine, CA is a Windows Server 2012 Datacenter machine.

    So far, there is no issue requesting computer certificates on either Windows 7 or Windows 2008 R2.

    I will add Windows Server 2012 Datacenter as DC to test. In the meantime, would you check whether, if you duplicate other computer certificate templates, requesting certificates from Windows 7/Windows Server 2008 R2 also fails? In addition, what changes had been made before this issue occurred?

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 7, 2015 11:40 AM
    Moderator
  • Hi Alan,

    I have added a Datacenter server as Domain Controller, then demoted the Windows Server Standard DC. Now I have a Windows Server 2012 Datacenter DC and a Windows Server 2012 Datacenter CA, and the result is that there is no issue when requesting computer certificates from Windows 7 and Windows 2008 R2 machines.

    If the Certificate Template is compatible, please check permissions, make sure that Authenticated Users have Read and Enroll permissions.

    In addition, can you recall which changes were made right before this issue happened?

    Best Regards,

    Amy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 12, 2015 9:08 AM
    Moderator
  • Hi Amy.

    Domain Admins and Enterprise Admins have Read/Write/Enroll.  Authenticated Users have Read.

    I also created a copy of an existing certificate (Web Server) but am unable to see it when I go to New > Certificate Template to Issue.  Our domain has had plenty of time to replicate the copied template.

    I don't recall making any changes that would have affected a computer's ability to enroll.  There has been some Group Policy work done and a new certificate template was created and marked to issue, but this problem was picked up by accident when I went to generate internal certificates back in October.  All administrative work is done as the domain Administrator account.

    We didn't have issues with this CA when it was first built, so something did change.  We don't have a large PKI environment, just some internal web sites, so if it comes to it I may just start over with everything.  When we moved to Server 2012 on this system it was an upgrade from a Server 2003 CA that was never properly used or maintained.  It may be better just to clean everything and get one consistent root certificate again.

    Alan

    Tuesday, January 13, 2015 2:05 AM
  • Hi Alan,

    Domain Admins and Enterprise Admins have Read/Write/Enroll.  Authenticated Users have Read.

    Before you start to clean up the existing PKI, please try to grant Authenticated Users the Enroll permission to see if it works. Since it is requesting computer certificates, computer rights/privileges should be evaluated.

    If it doesn’t work, and you want to decommission the existing CA, here is a related article for you:

    How to decommission a Windows enterprise certification authority and remove all related objects

    http://support.microsoft.com/kb/889250

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 13, 2015 2:18 AM
    Moderator
  • I too am having this exact issue with the same symptoms. Migrated my CA from 2008 R2 to 2016. 2008 R2, 2008 and Windows 7 cannot get a certificate; however, 2012, 8 and 10 can.

    I have a ticket open with Microsoft, however there is still no answer as to what's the problem.

    Thursday, November 3, 2016 6:44 PM
  • Have you checked what version your template is? Does it happen with the default Domain Controller Authentication template or is this a custom template?

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    Thursday, November 3, 2016 10:00 PM
  • Happens with all templates. Built in or custom. They are version 1 and 2.
    Thursday, November 3, 2016 10:02 PM
  • Hi, a bit late here but I stumbled across this issue this week. My problem was that 2008 R2 computers from a different domain (in the same forest) were not able to request certificates, while 2012 R2 servers in that same domain were working fine. The problem was that the CA public certificate was not published to the domain the servers were in, and 2008 R2 servers are not able to request a certificate from someone they don't trust. My solution was to publish the CA certificate via GPO to these computers, and as soon as they had the CA in their Trusted Root Authorities list all went fine requesting the certificates they had permission for. This might help someone one day.
    • Proposed as answer by Cividan Monday, September 16, 2019 8:40 PM
    Monday, September 16, 2019 8:40 PM
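A diagnostic that checks, from the affected client, the three causes raised in this thread: the template schema version (Mark's reply), who holds the Enroll right on the template (Amy's reply), and whether the issuing CA's certificate is in the local Trusted Root store (Cividan's reply). This is an added example, not code from any poster; it assumes an elevated PowerShell session on the client, LDAP reachability to a DC, and uses only ADSI so it does not need the ActiveDirectory module. The template name is a placeholder.

```powershell
# Added diagnostic (not from the thread). Run in an elevated PowerShell on the client that fails to enroll.
$TemplateName = 'WebServerCustom'   # placeholder: replace with the template that shows the error

$cfgNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiNC = "CN=Public Key Services,CN=Services,$cfgNC"

# 1. Template schema version: V1..V4. Windows 7 / Server 2008 R2 clients cannot enroll against V4 templates.
$tmpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,$pkiNC"
$ver  = [int]$tmpl.'msPKI-Template-Schema-Version'.Value
Write-Host "Template $TemplateName schema version: V$ver"
if ($ver -ge 4) { Write-Warning 'V4 template: not enrollable from Windows 7 / Server 2008 R2.' }

# 2. Principals holding the Certificate-Enrollment extended right (well-known GUID) on the template.
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$tmpl.ObjectSecurity.Access |
    Where-Object { $_.ObjectType -eq $enrollRight -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { Write-Host "  Enroll allowed for: $($_.IdentityReference)" }

# 3. Every enterprise CA registered in the forest: does it issue this template, and does this
#    machine trust its certificate? An untrusted CA is reported as "certificate types are not available".
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiNC"
$searcher.Filter = '(objectClass=pKIEnrollmentService)'
foreach ($ca in $searcher.FindAll()) {
    $caName  = $ca.Properties['cn'][0]
    $caHost  = $ca.Properties['dnshostname'][0]
    $caBytes = $ca.Properties['cacertificate'][0]          # DER-encoded CA certificate
    $caCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$caBytes)
    $issues  = [bool]($ca.Properties['certificatetemplates'] -contains $TemplateName)
    $trusted = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $caCert.Thumbprint })
    Write-Host "CA $caName ($caHost): issues template=$issues, CA cert in LocalMachine\Root=$trusted"
    if ($issues -and -not $trusted) {
        Write-Warning "CA cert $($caCert.Thumbprint) is not trusted here; publish it to Trusted Root via GPO."
    }
}
```

If section 3 lists the CA as issuing the template and trusted, and section 2 shows the computer's group (for example Domain Computers or Authenticated Users) with Enroll, the remaining suspect is the template version in section 1.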