Certificate autoenrollment - The requested certificate is not supported by this CA

  • Question

  • Hello,

    I am having issues with certificate auto enrollment for clients.

    My CA is on Windows Server 2008 R2 and is a domain controller also.  Clients are Windows 7.

    The Certificate Authority is an Enterprise CA and has been migrated from another server (Windows 2000 or 2003) in the past.

    1.     Group Policy configured and is applying OK.

    2.     CAs are listed in AD OK.

    3.     Security Permissions are OK on the certificate templates and set to auto enrol.

    4.     DCOM communication tests from the client to server work OK.

    5.     No errors are logged in the client when an auto enrolment is run, i.e. certutil -pulse

    So here’s what I have to go on:

    1.     If I run “automatically enrol and retrieve certificates” from the Certificates MMC on the client, it comes back that “certificate types are not available”. If I tick “show all templates” I can see all the templates, but their status is unavailable.

    The Auto enrol templates also have:

    “The requested template is not supported by this CA”

    “A valid certificate authority (CA) configured to issue the certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.”

    2.     If I run the certutil -template I can see I have security to read, enrol and autoenrol.

    3.     If I run the certutil -adtemplate I get for example “User: User –Auto-Enroll: Access is denied”

    4.     All the certificate templates that appear as “certificate unavailable” from the Certificates MMC are version 2 certificates. All the certificate templates that appear OK are version 1 templates. However, I cannot create a new version 1 template by duplicating an existing one.

    This issue looks similar to this, but not Windows Vista and not the same error messages:

    http://support.microsoft.com/kb/947237

    Monday, August 8, 2011 8:53 PM

Answers

  • Thanks and yes I think you are right. 

    There were a couple of warning messages in the Server Manager Console on my CA regarding certificate services. This led me to this MS document:

    http://technet.microsoft.com/en-us/library/dd379539(WS.10).aspx

    The part I was missing was this: 

     

    To assign certificate templates to an enterprise CA

    1. On the taskbar, click Start, and then click Run.

    2. In the Run dialog box, type certsrv.msc, and then click OK to open the Certification Authority snap-in.

    3. In the console tree, click Certificate Templates.

    4. On the Action menu, point to New, and then click Certificate Template to Issue.

    5. Select the certificate template that you enabled for autoenrollment, and click OK.

    After doing this the autoenrol for users worked OK.

     

    • Marked as answer by gtuthill Monday, August 8, 2011 9:27 PM
    Monday, August 8, 2011 9:26 PM

All replies

  • Have you added/published the template to your CA?

    Do you see the template if you run: certutil -catemplates

    What OS version and edition is your CA?

    v2 templates are only supported if the OS of your CA is 2003-2008 Ent Edition or 2008 R2 Std Ed 

    /Hasain

    Monday, August 8, 2011 9:09 PM
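
The check suggested above (certutil -catemplates) and the fix from the accepted answer can be combined into one script. This is an added example, not part of either post: the template names and the sample output are constructed, and the parser assumes the usual "Name: Display Name -- status" line layout of certutil -CATemplates.

```powershell
param(
    # Templates you enabled for autoenrollment (hypothetical names; replace with yours).
    [string[]]$Expected = @('User', 'ExampleUserV2', 'ExampleComputerV2'),
    # Query the CA for real instead of using the constructed sample below.
    [switch]$Live
)

# Constructed sample of `certutil -CATemplates` output (not taken from the thread).
$sample = @'
User: User -- Auto-Enroll: Access is denied
Machine: Computer -- Auto-Enroll: Access is denied
DomainController: Domain Controller -- Auto-Enroll: Access is denied
CertUtil: -CATemplates command completed successfully.
'@ -split "`r?`n"

function Get-PublishedTemplateName {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Template lines carry a " -- " separator; the trailing CertUtil status line does not.
        if ($line -match '^(?<name>[^:\s]+):\s.+\s--\s') {
            $Matches.name
        }
    }
}

$lines = if ($Live) { & certutil.exe -CATemplates } else { $sample }
$published = @(Get-PublishedTemplateName -Lines $lines)

# A template can exist in AD with correct permissions and still be absent here,
# which is the situation described in the question.
$missing = @($Expected | Where-Object { $published -notcontains $_ })
if ($missing.Count -eq 0) {
    'All expected templates are published on the CA.'
} else {
    foreach ($name in $missing) {
        # Command-line equivalent of "New > Certificate Template to Issue"; run on the CA.
        "Not published: $name   fix: certutil -SetCATemplates +$name"
    }
}
```

With the constructed sample, the two version 2 placeholder templates are reported as not published and User is not. After publishing a template, run certutil -pulse on the client to trigger autoenrollment again.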