Certificate Authority auto enrollment fails

  • Question

  • Hi,

    I am running Certificate Authority on the Windows Server 2019 standard.

    I have developed enrollment client for the device, which for manual enrollment works fine.

    I have Certificate authority configured and manual mode authentication works fine. I have enabled automatic enrollment using the following links but auto enrollment fails. Request sent is sitting there in the "Pending Requests" section and Enrollment PENDING reply is sent to the device.

    Also, Permissions on the templates are granted for auto-enrollment and under issuance requirements CA certificate manager approval checkbox is unchecked. 

    Links used for configuration are:

    How_To/How_to_set_up_automatic_certificate_enrollment_in_Active_Directory

    certificate-auto-enrollment-using-group-policy-windows-server-2016-ca/

    Let me know if you need any additional data.

    Thanks in advance.

    Wednesday, June 24, 2020 11:29

All Replies

  • Hello,
    Thank you for posting in our TechNet forum.

    Based on "I have developed enrollment client for the device, which for manual enrollment works fine.", I understand we want to auto enroll certificate for domain machines (not for domain users), is that right?

    If so, we can try the steps as below:
    1. Create an OU and put the domain devices into this OU.
    2. Create a GPO and link it to the OU above.
    3. Edit the GPO, navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies and then, under the Object Type section in the right pane, select Certificate Services Client - Auto-Enrollment.

    4. Log on to the domain device as a domain administrator and open the Certificates - Local Computer\Personal\Certificates container; you can see that there is no certificate. We can then run gpupdate /force, and then we will see the certificate.

    If it does not work, please confirm the following information:
    1. Are your devices Windows server devices (or Windows client devices) and are they in the domain?

    2. What certificate template have you configured?

    3. What is the SchemaVersion of your certificate template? If the SchemaVersion of your certificate template is 1, we should also configure Public Key Policies\Automatic Certificate Request Settings\New > Automatic Certificate Request, and click Next to skip the Welcome screen of the wizard. On the Certificate Templates page you can see some templates that you can use to issue certificates from. Select the certificate template we want and click Next, and at the end click Finish to close the wizard.


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 25, 2020 06:41
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou


    Tuesday, July 7, 2020 08:51
    Moderator
  • For which security group did you enable autoenrollment on the Certificate Template?
    Tuesday, July 7, 2020 09:10
  • Hi,
    Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know. 
    Again thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou


    Friday, July 10, 2020 01:49
    Moderator
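
The checks asked for in the replies above (GPO applied, template SchemaVersion, which security groups hold the autoenroll permission), gathered into one PowerShell script; this is an added example and not part of any post in the thread. Assumptions: it runs elevated on a domain-joined Windows machine, `DeviceTemplate` is a placeholder template name, and the `AEPolicy` value is read with `0x8000` taken to mean "disabled".

```powershell
# Added diagnostic example, not from the thread. 'DeviceTemplate' is a placeholder name.
param([string]$TemplateName = 'DeviceTemplate')

# Extended-right GUIDs used on certificate template objects in AD.
$rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}

# 1. Has the computer-side autoenrollment GPO setting reached this machine?
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if ($null -eq $ae) {
    Write-Warning 'AEPolicy is not set: the autoenrollment GPO has not applied here.'
} elseif ($ae.AEPolicy -band 0x8000) {
    Write-Warning 'AEPolicy has 0x8000 set: autoenrollment is disabled by policy (assumed meaning).'
} else {
    'AEPolicy = 0x{0:X}' -f $ae.AEPolicy
}

# 2. Locate the template in the AD configuration partition and read its schema version.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    throw "Template '$TemplateName' was not found in Active Directory."
}
$template = [ADSI]$path
'SchemaVersion = {0}' -f $template.Properties['msPKI-Template-Schema-Version'].Value

# 3. List principals explicitly allowed Enroll / Autoenroll on the template.
#    Autoenrollment needs Read, Enroll and Autoenroll for the computer's group.
#    (Principals with full control are not listed by this narrow filter.)
$template.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $rights.ContainsKey($_.ObjectType.ToString())
    } |
    Select-Object IdentityReference, @{ n = 'Right'; e = { $rights[$_.ObjectType.ToString()] } }

# 4. Refresh policy, trigger an autoenrollment pass, then list the machine store.
gpupdate /force /target:computer | Out-Null
certutil -pulse | Out-Null
Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, NotAfter, Thumbprint
```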