Anyconnect SCEP Auto-enrollment Issue

Hello Everyone,
I have been trying to configure Cisco's AnyConnect client with SCEP auto-enrollment, with no success. I followed all the steps necessary to complete the configuration, but still no success. What happens is this: enrollment works fine and the certificate is downloaded as it should be, but when I try to use it to authenticate and connect to my VPN, it seems the certificate is not valid and is not forwarded to the ASA. Every time I reconnect, AnyConnect enrolls me for a new certificate, which means that if I repeat the process 1000 times I'll most likely end up with 1000 new certificates. I have been trying for a while now and nothing seems to work. Can anyone tell me anything that could help me?
I am using Windows 2k12 with the NDES module installed; the certificate template being used is a custom IPSEC Offline Request template. The ASA sends the enrollment request as it should and the enrollment happens fine; the problem is that I cannot match the certificate for some reason.
Anyone that can help me?

SCEP proxy was not integrated into the ASA until 8.4:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_certs.html#wp1318578
If you want to do legacy SCEP, this should work. Your AnyConnect version is OK, but we always suggest the latest in the 3.0/3.1 line for the most up-to-date bug fixes.
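An added diagnostic for the symptom in the question, a fresh certificate on every reconnect; this is my example, not code from the thread or from Cisco. It lists certificates in the personal store that share an issuer and subject, with the EKU and validity start of each, so the pile-up is visible and the fields can be compared with what the ASA is configured to match. The store path is an assumption (use Cert:\LocalMachine\My for machine-scoped enrollment).

```powershell
# Added example: find duplicate enrollments left behind by repeated SCEP requests.
# Assumption: the AnyConnect enrollment was user-scoped, so the user's "My" store
# is inspected; switch to Cert:\LocalMachine\My for machine certificates.
$store = 'Cert:\CurrentUser\My'

# Group every certificate by issuer + subject; more than one per group is the
# "new certificate on every reconnect" pattern described in the question.
$groups = Get-ChildItem -Path $store |
    Group-Object -Property { "$($_.Issuer)|$($_.Subject)" } |
    Where-Object { $_.Count -gt 1 } |
    Sort-Object -Property Count -Descending

foreach ($g in $groups) {
    $issuer, $subject = $g.Name -split '\|', 2
    Write-Output ("{0} certificate(s) with subject '{1}' from issuer '{2}'" -f $g.Count, $subject, $issuer)

    # Oldest first, so the enrollment cadence is obvious; EKU and private-key
    # presence are the fields most often behind a failed certificate match.
    foreach ($cert in ($g.Group | Sort-Object -Property NotBefore)) {
        $eku = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
        Write-Output ("  serial={0} notBefore={1:u} hasPrivateKey={2} eku=[{3}]" -f `
            $cert.SerialNumber, $cert.NotBefore, $cert.HasPrivateKey, $eku)
    }
}

if (-not $groups) {
    Write-Output "No duplicate issuer/subject pairs found in $store"
}
```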

Similar Messages

  • Domain Controller Auto-Enrollment Issue

    I recently noticed one of our domain controllers is not auto-enrolling its Domain Controller certificate with our AD CS server.
    We have 2 DCs and one auto-enrolls just fine and the other one doesn't. The one that auto-enrolls fine is a Server 2008 R2 domain controller and the one that doesn't is a Server 2012 R2 domain controller (the schema has been updated to accommodate this domain controller). The CA is on the Server 2008 R2 DC (I noticed this issue as I am planning on migrating the CA off the DC to its own dedicated DC).
    I see three errors in the event log:
    Event ID 6: Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
    Event ID 13: Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from DC FQDN\CA Name (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).
    Event ID 82: Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {61B8511A-9BFE-46A8-90D5-FB1709DADB2D} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).
    Failed to enroll for template: DomainController
    In a packet capture, I am seeing this error: Expert Info (Note/Response): Fault: nca_s_fault_access_denied
    I did notice the "Certificate Service DCOM Access" group had no members, so I added the Authenticated Users group to it (I have a newly stood-up development domain and noticed Authenticated Users was in this group by default). Still not having any success. I tried stopping the CA service and starting it up after this group change and had no success either. I haven't rebooted any of the servers yet... didn't think I needed to.
    I tried the "certutil -config - -ping" command and it found the proper CA, and once I selected it, I was able to connect to the CA just fine and it says it's alive.
    Not too sure where to look from here as I am out of ideas.

    OK, I got this working, but I'm not sure what finally kicked it in.
    I followed this article first: http://support.microsoft.com/kb/947237
    After performing what that article mentions, I still had the same errors. It only mentions Vista, so I didn't think it applied. I'm not entirely sure what certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG does. I think it added permissions to my DCOM COM Security for Access and Launch/Activation permissions?
    Initially testing this, it failed with the same errors. After a few minutes, I tried again to see if the packet capture was showing the same authentication error, and it finally succeeded.

  • Auto enrollment issue - in AD user object certificate is missing

    In our environment, we are publishing a User certificate and an SMIME certificate through auto-enrollment; both are being pushed through the same Group Policy. We identified that for a few users (around 200+) the AD object does not have the SMIME certificate, but the User certificate is available. In the Issuing CA and the users' local store we are able to find the certificate. We revoked 2 or 3 user certificates and when the user next logged in, the certificate was successfully generated; we don't know what is causing the issue. Please help on this.
    We have checked the Group Policy and it is applying properly.
    We have checked a few of the user machines and found that Event ID 6 has been generated once every 8 hours. (Automatic server enrollment failed. The specified server cannot perform the requested operation)
    The working users and affected users are all part of the same OU.

    Dear All,
    Thanks for your inputs. We found the solution to this. We assume the issue is with attribute modification conflicts.
    We have two different Issuing CAs in our environment and both are in the same site; the site has 4 domain controllers.
    - We ran Network Monitor on both Issuing CAs and found the communication between the Issuing CA and the domain controllers for each user certificate (success and failure also).
    - We can see that the difference between both certificate generations is less than 8 seconds.
    - The first (SMIME) certificate has been published to the AD object through Domain Controller A, and the second certificate reaches Domain Controller B for publishing the second (USER) certificate a few seconds later.
    - When replication happens between Domain Controller A and Domain Controller B, the highest version value wins.
    - We ran the command repadmin /showobjmeta "users distinguished name" for a successful user and a failing user.
    - Found the successful user's certificate version is 2 and the failing user's certificate version is 1.
    Solution: We are planning to make a single Issuing CA for both certificate enrollments.
    Not sure what the impacts of this are.

  • Re-enrollment issue

    We are upgrading the clients to Windows 8.1 with SCCM 2012 and are experiencing a strange issue with user and computer certificates. The clients consist of laptops, desktops and hybrids (Lenovo tablet), and the only client that experiences this problem is the laptop.
    Their Active Directory is running Windows Server 2003, as does the certificate authority, with a two-tier setup.
    When the client first deploys and goes through the task sequence they both get the certificates installed, user certificate and computer certificate. However, during a redeployment of the client where, I suspect, a certificate has already been issued, it can't re-enroll once more, except when forcing it with certutil -pulse, with which the certificates get installed.
    As the auto-enrollment has worked fine with Windows XP clients, and also works with the desktops and hybrids, I have no idea how to fix this.
    I have looked through the certificate authority and checked all the settings, but I don't suspect the CA is the issue here since it can re-enroll, just on other clients when they are redeployed.
    In the CA I can read this error in the event viewer, but the error doesn't get any more specific:
    "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to request this type of certificate"
    Why does this only happen to laptops and not the desktops/hybrids? There is no difference between them either in AD or in the CA, nor in the task sequence either, if someone is interested in that, just different standard applications and drivers.
    Why does the command certutil -pulse work, in contrast to GPO?
    Is this issue even a problem related to the certificate authority?

    I'm actually seeing the same issue here for my Windows 8.1 workstations. Until Windows 8 the auto-enrollment policies have not been a problem. The client certificates are needed for the automatic client enrollment in System Center Configuration Manager. Until now I've checked if the group policies were applied well. The results of Get-CertificateAutoEnrollmentPolicy are:
    PS C:\Users\administrator> Get-CertificateAutoEnrollmentPolicy -context machine -scope applied
    PolicyState                : Enabled
    EnableMyStoreManagement    : True
    EnableTemplateCheck        : True
    ExpirationPercentage       : 10
    StoreName                  : {MY}
    EnableBalloonNotifications : False
    So it looks like the policy is being applied.
    When rebooting or manually updating the policies with gpupdate, no certificate is enrolled. When I use the certutil -pulse command, however, I receive a certificate without any problems. I've been testing with your suggestion to change the permissions on the template (giving Authenticated Users enroll permissions as well) but this doesn't change anything.
    We're using a Server 2008 R2 CA.
    Did you get any further with this?

  • Mac Enrollment Issue on SCCM 2012 SP1

    Hi Guys,
    I am working on Mac enrollment (10.7) and facing an issue during enrollment. Below is the error message when we try to run the enrollment command on the Mac:
    "Server connection failed. HTTP Response code is 500 and reason is Internal Server Error"
    Below is the log info:
    Enrollsrv.log : No error message is highlighted.
    Enrollweb.log:
    No error message is highlighted.
    Enrollservice.log:
    [7, PID:7304][10/28/2013 16:40:03] :ConfigManager: ChainStatus error: RevocationStatusUnknown,The revocation function was unable to check revocation for the certificate.
    ;OfflineRevocation,The revocation function was unable to check revocation because the revocation server was offline.
       at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
       at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)
       at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.RefreshCache(Int32 enrollmentProfileId, EnrollmentRecordType type, String template, WindowsIdentity requester)
       at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
       at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
       at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
    [7, PID:7304][10/28/2013 16:40:03] :FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed
    [13, PID:7304][10/28/2013 17:11:01] :EnrollmentService application stop ...
    [3, PID:956][10/28/2013 17:45:37] :EnrollmentService application start ...
    [3, PID:956][10/28/2013 18:06:38] :EnrollmentService application stop ...
    [3, PID:4700][10/28/2013 18:45:39] :EnrollmentService application start ...
    [7, PID:4700][10/28/2013 19:06:40] :EnrollmentService application stop ...
    [3, PID:5872][10/28/2013 19:45:42] :EnrollmentService application start ...
    [13, PID:5872][10/28/2013 20:06:42] :EnrollmentService application stop ...
    Can someone shed some light on the resolution of the above issue?
    Also, is there any means by which we can troubleshoot the Mac enrollment issue step by step? Also, what entries need to be checked in all logs for a successful enrollment?

    The following links may give you some hints:
    http://social.technet.microsoft.com/Forums/en-US/48bc7fcc-3d84-4042-abac-67f30d701121/mac-enrollment-issue?forum=configmanagerdeployment
    http://www.windows-noob.com/forums/index.php?/topic/7391-mac-enrollment-issue/

  • Auto Goods Issue not taking place

    Hi All,
    I have maintained the backflush indicator in the work center, and in the MRP2 view it is maintained as "Work center decides whether to backflush".
    But the auto goods issue is not taking place when the production order is saved and confirmed.
    The stock remains the same.
    Can anybody tell the reason for that?
    Regards,
    Rakesh

    Hi Rakesh,
    What is the control key you have maintained in Routing?
    If you are using control key PP01 - Routing/Ref. op. set - internal proc., then after Production Order confirmation you have to do MB31 - Goods Receipt for Order, with movement type 101.
    If you are using PP03 Routing - in-house prod. auto. goods rct, then it accepts only a single operation in a Routing, or if you have more than one operation in a routing, then you have to give the PP03 control key for the last operation.
    I think you got it...
    Revert back if you have doubts.
    Thanks & Regards,
    Santosh

  • Should I spend the $280.00 to have Canon fix my 70D auto-focusing issue?

    Should I spend the $280.00 to have Canon fix my 70D auto-focusing issue? Or just return to my very much trusted Rebels?

    MelekalsCanon wrote:
    Very much appreciate your taking time to send a response. As a new user I wasn't sure if anyone would bother. Allow me to add a little more to my first post. I fit in that niche between amateur and a person with clients. For over 10 years I have covered events for a non-profit agency capturing the look and feel of 20+ events per year and was given permission to purchase a few cameras over the year. My decision from the beginning was to use the Canon Rebel. Images were spot on and only once did I have an issue with one of them (after shooting outside events in 105 degree temps for 3 days).
    So, when I retired a year ago it was for me a pretty simple choice to get a Canon for myself - especially since at that time the 70D was on the cover of magazines and was very highly touted. I also did a lot of desktop publishing and photo editing which helped me realize I wanted the best sensor, sharpness, resolution and lens I could afford - the 70D. My post was actually a result of reading many online responses including your very informative replies about the 70D focusing issues. My biggest concern is that I will spend several hundred dollars and maybe, just maybe get back a camera which captures better focused images, but still not as sharp as the lower end Rebels I was using. I had hoped to purchase my first "L" lens and really get excited - not repair the most expensive camera I've bought to date.
    Thanks again and before it gets noted by someone... yes, I should have pushed this issue sooner and then at least the warranty would have covered the cost. An expensive lesson learned. But I will have to add that at least one authorized Canon repair dealer told me they have had several folks feel like I did - that it was the photographer/me as a new user having the issue and not the camera. I now know it's my camera.
    Let me clarify that I don't own a 70D, so anything I say about it is from watching what others have said, mainly in this forum. But it is disconcerting to see so much complaint about a camera that's supposed to have an innovative focusing system. One is strongly tempted to suspect that they went overboard in trying to make the camera serve both still photographers and videographers.
    That said, I'm not a great fan of the Rebel line, because they lack autofocus microadjustment and I have at least one otherwise excellent Canon lens that would be useless without it. (The 70D does have AFMA, a point in its favor.)
    As far as spending the $280 for the repair, I understand why it's a hard call. If I were in your shoes and were convinced that Canon understands the issue and would fix it correctly and permanently, I guess I'd go for it. If you don't think they do, but feel that you need something a cut above the Rebels, this may be a good time to buy a leftover or refurbished 7D. Even though I now have a 5D3, I still use my 7D's a fair amount and have been very happy with them. And the 7D2 has gotten such a favorable reception that it's almost bound to make more 7D's available at a decent price.
    Bob
    Boston, Massachusetts USA

  • Problems with auto-enroll with the certificate expiration

    Hello,
    We have routers that work with certificates. We have problems with the auto-enroll when the certificates are about to expire.
    Can somebody help?
    I can send more debug output or configurations.
    We attach a debug.
    Many thanks

    Hello,
    I attach the debug.
    Many thanks

  • Creating a security group for S/Mime cert auto-enrolment

    We currently have auto-enrolment rights for an Exchange User cert granted to Domain Users. In our environment this is generating more than 50,000 failed requests each week by service accounts which don't have an email address.
    I would like to create a security group of users with an email address, and grant enrolment rights on the CA to that group.
    I have tried the following script to create such a group, however it's way too slow to be of any use (ours is a large enterprise):
    Import-Module ActiveDirectory   # load the AD cmdlets
    # Empty the group, then add every user whose mail attribute is set.
    Get-ADGroup -Filter {name -eq "SMime Users"} | ForEach-Object { dsget group $_.DistinguishedName -members | dsmod group $_.DistinguishedName -rmmbr }
    Get-ADUser -Filter {emailaddress -like "*"} | ForEach-Object { Add-ADGroupMember "SMime Users" -Members $_.SamAccountName }
    Any ideas on a way to bulk add users with an email address to a group? Or another way to achieve the same result?
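An added alternative to the script in the post above (my example, not the poster's script), which is slow because it expands and modifies membership one principal at a time: it pulls users with a populated mail attribute with a server-side LDAP filter, diffs that against the group's current member attribute, and writes only the differences in batches. The group name "SMime Users" is from the post; the batch size is an assumption.

```powershell
# Added example, not the poster's script: rebuild "SMime Users" from every user
# with a populated mail attribute, using one LDAP query and batched membership
# writes instead of one dsget/dsmod/Add-ADGroupMember round trip per user.
Import-Module ActiveDirectory

$groupName = 'SMime Users'   # group name from the post
$batchSize = 1000            # assumption: members written per LDAP modify

$group = Get-ADGroup -Identity $groupName

# Wanted set: the filter runs on the DC, so only matching users are returned.
# (mail=*) is the LDAP form of the post's {emailaddress -like "*"}.
$wanted = @(Get-ADUser -LDAPFilter '(mail=*)' | Select-Object -ExpandProperty DistinguishedName)

# Current set: read the member attribute directly instead of expanding each member.
$current = @((Get-ADGroup -Identity $group -Properties member).member)

# Hash sets keep the diff linear even with tens of thousands of users.
$cmp = [System.StringComparer]::OrdinalIgnoreCase
$wantedSet  = [System.Collections.Generic.HashSet[string]]::new([string[]]$wanted, $cmp)
$currentSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$current, $cmp)

$toAdd    = @($wanted  | Where-Object { -not $currentSet.Contains($_) })
$toRemove = @($current | Where-Object { -not $wantedSet.Contains($_) })

# Apply only the differences, many members per call; a range that runs past the
# end of the array simply yields the remaining elements.
for ($i = 0; $i -lt $toAdd.Count; $i += $batchSize) {
    Add-ADGroupMember -Identity $group -Members $toAdd[$i..($i + $batchSize - 1)]
}
for ($i = 0; $i -lt $toRemove.Count; $i += $batchSize) {
    Remove-ADGroupMember -Identity $group -Members $toRemove[$i..($i + $batchSize - 1)] -Confirm:$false
}

Write-Output ("Added {0}, removed {1}; group now targets {2} mail-enabled users" -f `
    $toAdd.Count, $toRemove.Count, $wanted.Count)
```

Members that are not mail-enabled users (groups, contacts, service accounts) are removed, which is the same end state the post's remove-all-then-add script produces.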

    On Thu, 6 Feb 2014 19:20:37 +0000, Alen Williams wrote:
    We currently have auto-enrolment rights for an Exchange User cert granted to Domain Users. In our environment this is generating more than 50,000 failed requests each week by service accounts which don't have an email address.
    I would like to create a security group of users with an email address, and grant enrolment rights on the CA to that group.
    I have tried the following script to create such a group, however it's way too slow to be of any use (ours is a large enterprise):
    Import-Module ActiveDirectory   # load the AD cmdlets
    # Empty the group, then add every user whose mail attribute is set.
    Get-ADGroup -Filter {name -eq "SMime Users"} | ForEach-Object { dsget group $_.DistinguishedName -members | dsmod group $_.DistinguishedName -rmmbr }
    Get-ADUser -Filter {emailaddress -like "*"} | ForEach-Object { Add-ADGroupMember "SMime Users" -Members $_.SamAccountName }
    Any ideas on a way to bulk add users with an email address to a group? Or another way to achieve the same result?
    Although this group is going to be used for certificate enrollment this
    really isn't the right forum for your question. You should repost to either
    an Active Directory forum or to one dedicated to scripting or Powershell.
    Paul Adare - FIM CM MVP
    urbi et IP -- axelm in <mode=pope>

  • Whether it is possible to make auto goods issue below safety stock level

    Hi SAP Gurus,
    I am implementing MRP for generating stock transfer Planned orders from a Main Mother Plant to different Plants. We have defined a Safety stock level for materials at main Plant level.
    There is an auto program available for generating auto goods issue against purchase orders.
    The system picks up the quantity as long as unrestricted stock exists for the material during auto goods issue.
    The system doesn't pick up any quantity below the safety stock level (manual goods issue works below the safety stock level).
    We are defining safety stock to meet sudden requirements and have time for new procurement.
    But it should allow us to do auto goods issue below the safety stock level.
    Is this possible, and what needs to be done?
    Thanks and Regards,
    R.Velmurugan.

    Hi Velmurugan,
    I don't think auto GR is a problem from safety stock. Auto GR can be done in two ways.
    1. Control key and assigning the control key in operation(Preferably in last operation)
    2. In production scheduling profile you can do it. You have to assign the production scheduling profile in material master work scheduling view.
    Regards,
    Krishnendu.

  • Do i have to have a superdrive to install auto enroll

    How do I install auto enroll without a SuperDrive?

    I do not know what auto enroll is. But if it is a program on a disk and your MBP has no disk drive, then you would need to copy it onto a USB drive from the disk using another Mac with a disk drive and then install it. Otherwise you need it as a download.

  • Does anyone know the difference between the Applecare Warranty for the Macbook Pro and the Applecare Protection Plan Auto Enroll 607-8192-B APP FOR MacBook


    AFAIK, the difference is that the auto-enroll occurs automatically when you purchase the device and you will have to disburse the cost right there and then. Whereas the other comes in a box, can be purchased separately later and you must manually enroll your device into the system to activate the additional protection. This must occur before the base one year warranty is over.
    So, if you don't want to pay up at the moment you buy the computer, you can wait up to say 11 months and buy the AppleCare warranty extension later. Just be sure to complete the enrollment BEFORE the base warranty is over, else Apple will not honor the extension (all in the fine print). This applies to all devices that offer an AppleCare option: notebooks, desktops, iStuff, etc.

  • Applecare Protection plan - Auto enroll ????

    I have a Brand New Applecare Protection Plan..
    It has 'APP FOR MAC - AUTO ENROLL ONLY' written on the underside of the packaging.
    What does this mean?
    Can I register this on a new Mac?

    It might mean you can only use it if your Mac is fairly new. I'm not sure though.

  • AppleCare Auto Enroll Question

    I recently purchased a MacBook Pro and the AppleCare Protection Plan. On the box, the protection plan says it's an "auto enroll" type of plan. When I insert the disc, it asks me to register my AppleCare Protection Plan. When I go to register for the plan, it asks for an AppleCare Registration Number. I am then guided to the following website.
    http://support.apple.com/kb/HT1874?viewlocale=en_US
    The problem is no such page exists in my AppleCare Protection Plan booklet.

    Auto enroll on AppleCare means you do not have an action to take on your part. You are automatically enrolled in AppleCare if you purchase it at the same time as your computer. The box is just for info only. They track your warranty info by your computer's serial number, so there is nothing to keep up with! If in doubt, you can check your product's warranty info here....
    https://selfsolve.apple.com/GetWarranty.do
    Congrats on the new computer!
    L

  • Auto-Brightness Issue. It randomly worked, then stop working all together.

    Auto-Brightness Issue.
    It randomly worked before; now it's not giving off any brightness at all. Unfortunately it stopped coming on altogether. I tried updating it in iTunes and it comes back on, but I tried to restore my iPod touch. After restoring it, it said "restore error -50" and the backlight STILL doesn't come on, not even a flicker. PLEASE HELP!!!

    Okay, I tried to restore using iTunes and a little screen came up stating: An error occurred while restoring this iPod (-50). I don't know what that means. It still asks if I want to continue to restore, but always gives me that same message. To make matters even worse, there is no Apple Store in my town. The nearest is 3 hours away.
