ASA Certificate Enrollment Invitation

Hi,
We are using our ASA as a Local CA Server to generate certificates for mobile device users and send them an email with an OTP to download and install the certificate. And we would like to know if there is a way to edit the email message body. Can you please help us?
Thanks.
Best regards,
Carlos


Similar Messages

  • ASA Local CA certificate enrollment invitation

    Hi,
    I have been looking for the answer for a while.....
    My ASA is version 8.2.1
    I am planning to use the ASA local CA to distribute certificates for SSL VPN users.
    After I create a user and email OTP, you get the E-mail like below.
    (The following example is found at http://www.cisco.com/japanese/warp/public/3/jp/service/manual_j/sec/asa/caclcg4/chapter39/12172_01_39.shtml)
    Date: 12/22/06
    To: [email protected]
    From: Wuseradmin
    Subject: Certificate Enrollment Invitation
    You have been granted access to enroll for a certificate.
    The credentials below can be used to obtain your certificate.
    Username: [email protected]
    One-time Password: C93BBB733CD80C74
    Enrollment is allowed until: 15:54:31 UTC Thu Dec 27 2006
    NOTE: The one-time password is also used as the passphrase to unlock the certificate file.
    Please visit the following site to obtain your certificate:
    https://wu5520-FO.frdevtestad.local/+CSCOCA+/enroll.html
    You may be asked to verify the fingerprint/thumbprint of the CA certificate
    during installation of the certificates. The fingerprint/thumbprint should be:
    MD5: 76DD1439 AC94FDBC 74A0A89F CB815ACC
    SHA1: 58754FFD 9F19F9FD B13B4B02 15B3E4BE B70B5A83
    My question is where the hostname (wu5520-FO.frdevtestad.local) in the URL comes from.
    I thought it came from the hostname of the ASA, so I changed the hostname of the ASA.
    However, the URL did not change.
    Any comment would be greatly appreciated.
    Thanks,
    Taro

    Hello Taro,
    Agree with Atri,
    I have not dealt with these cases, but it makes sense that you need to reset the CA server, as it's basically using a different configuration set for the FQDN.
    As soon as you enable the ASA CA capability the URL will be created based on the FQDN, so as it's up and running it will not change... That's how I see it,
    Give it a try and let us know,
    I think you can only remove the CA config with
    clear config crypto ca server
    So be careful,
    Regards
    Julio
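The invitation quoted above tells the user to verify the CA fingerprint during installation. The following is an added example, not code from the thread or from Cisco: it reproduces the fingerprint format the ASA prints in the e-mail and checks a DER-encoded certificate against the values quoted there. The certificate bytes are a constructed placeholder, so the comparison is expected to fail on them.

```python
"""Check an ASA Local CA enrollment invitation against the CA certificate.

Added example for the thread above; not code from the thread or from Cisco.
It reproduces the fingerprint format the ASA prints in the invitation e-mail
(hex digest in 8-character groups) and compares the fingerprints of a
DER-encoded certificate with the values quoted in the e-mail.
CONSTRUCTED_DER is a stand-in byte string, not a real CA certificate.
"""
import hashlib
import re

# Fingerprints exactly as quoted in the invitation e-mail in the thread.
INVITATION_FINGERPRINTS = {
    "MD5": "76DD1439 AC94FDBC 74A0A89F CB815ACC",
    "SHA1": "58754FFD 9F19F9FD B13B4B02 15B3E4BE B70B5A83",
}

# Constructed placeholder standing in for the DER bytes of the CA
# certificate downloaded from the +CSCOCA+ enrollment page.
CONSTRUCTED_DER = b"\x30\x82\x01\x00" + b"placeholder bytes, not a real ASA CA certificate"


def format_fingerprint(hex_digest: str) -> str:
    """Render a hex digest the way the ASA invitation prints it:
    upper-case, split into groups of eight hex characters."""
    digest = hex_digest.upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def fingerprints(der_cert: bytes) -> dict:
    """MD5 and SHA1 fingerprints of a DER certificate, ASA style.
    MD5 is computed only because the invitation e-mail shows it."""
    return {
        "MD5": format_fingerprint(hashlib.md5(der_cert).hexdigest()),
        "SHA1": format_fingerprint(hashlib.sha1(der_cert).hexdigest()),
    }


def _normalize(fp: str) -> str:
    """Strip spaces/colons and case so e-mail text and tool output compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def matches_invitation(der_cert: bytes, expected: dict) -> dict:
    """Compare each algorithm quoted in the e-mail with the value computed
    from the certificate. Returns {algorithm: bool}."""
    actual = fingerprints(der_cert)
    return {alg: _normalize(actual[alg]) == _normalize(fp) for alg, fp in expected.items()}


def invitation_is_trustworthy(der_cert: bytes, expected: dict) -> bool:
    """True only when every quoted algorithm matches and SHA1 is among them;
    an MD5 match on its own is not treated as sufficient evidence."""
    result = matches_invitation(der_cert, expected)
    return "SHA1" in result and all(result.values())


if __name__ == "__main__":
    print(fingerprints(CONSTRUCTED_DER))
    print(matches_invitation(CONSTRUCTED_DER, INVITATION_FINGERPRINTS))
```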

  • No password prompt from ASA 5500 for certificate enrollment

    Greetings,
    I work in a lab testing interoperability between Avaya and Cisco VoIP products.
    I am setting up an environment to test Avaya 96x1 phones with VPN using SCEP
    going thru an ASA 5510 to a backend IP PBX. 
    Environment: Windows Server 2008 R2, Enterprise Edition, AD with DNS, NDES
                 Cisco ASA 5510 running 9.0(1)
    I would like to setup certificate enrollment between a Windows Server 2008 R2 and a
    Cisco ASA 5510.  Here are the commands that I use for the Cisco ASA 5510:
         crypto key generate rsa modulus 2048
         crypto ca trustpoint ASA5510-trust
             enrollment url http://10.129.112.20/certsrv/mscep/mscep.dll
             enrollment retry period 5
             enrollment retry count 3
             password Interop123
             exit
         crypto ca authenticate ASA5510-trust
         crypto ca enroll ASA5510-trust
    Everything works as expected until I try to enroll. There is no prompt for the
    enrollment password and the certificate request is denied.
    ciscoasa(config)# crypto ca enroll ASA5510-trust
    % Start certificate enrollment ..
    % The fully-qualified domain name in the certificate will be: ciscoasa.avayasil.avaya.com
    % Include the device serial number in the subject name? [yes/no]: No
    Request certificate from CA? [yes/no]: yes
    % Certificate request sent to Certificate Authority
    ciscoasa(config)# The certificate enrollment request was denied by CA!
    Why isn't there a prompt for the enrollment password?
    BTW, if I set "enforcepassword" to "0" in the Windows registry, then it works.
    Thanks,

    Richard,
    In the trustpoint config you have the challenge defined.
    http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/p1.html#wp1961480
    If this command is enabled, you will not be prompted for a password during certificate enrollment.
    Did you try removing it? If you're still not being asked after removing it, it's most likely a bug.
    M.

  • Auto certificate enrollment for computers not happening

    Hi
    In my environment the auto certificate enrollment for computers is not happening through GPO.
    Domain Computers has the Enroll permission on the computer certificate template.
    Please suggest.
    Regards,
    Deepak S

    Hi,
    Please reconfirm that the Autoenrollment group policy is configured and applied to the user or machine. Verify that the Group Policy settings set the proper registry settings. If Group Policy is configured correctly, the next step is to troubleshoot enrollment.
    Autoenrollment requires the use of Version 2 or Version 3 Certificate Templates. Certificate Authorities must be on the appropriate OS Version and edition. The table below outlines OS Version and Edition support for Version 2 and Version 3 certificate templates.
    The similar thread:
    Certificate Autoenrollment for Domain Computers GPO does not work
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/3797dad9-6c4f-41e4-8c4f-ad37a7570aa4/certificate-autoenrollment-for-domain-computers-gpo-does-not-work?forum=winserversecurity
    Hope this helps.

  • NDES Certificate Enrollment on Surface fails

    Hi all
    I implemented a NDES infra based on Pietrs Blog in my Sandpit Lab (Infra runs on ConfigMgr 2012 R2 CU4), OS 2012 R2
    http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune.aspx I repeated each step sure 2 or 3 times.
    If I try to assign a Client Cert/user Cert (both of them) it always fails 0X87D1FDE8 Remediation failed as posted here
    https://social.technet.microsoft.com/Forums/en-US/15aebec7-4870-49af-8c0c-17d3d376783a/ndes-scep-certificate-profile-0x87d1fde8-remediation-failed-deployment-of-certificate-profiles?forum=configmanagermdm&prof=required
    (All certs are newly re-created; NDES and CRP newly installed.) If no enrollments of certs were possible I could understand it, but Android 4.2 devices are enrolling like a charm. One detail: the NDES server is reachable via WAP Proxy, but this works (if I enter the test URL I'm able to open the cert file). Finally, on the Surface the regkey in the MDM hive is created and the NDES URI is available. All log files look fine.
    Any ideas/help or tips will be very appreciated.
    Cheers,
    +Mat

    All
    It is running now. It was a heavy war in my lab ... ;-) and was raised by several misconfigured components and settings. For an easier overview, enclosed by component:
    CA
    I have an Enterprise Root CA with a subordinate Issuing CA in the lab. Failure 1: The lifetime of the Issuing CA cert was only configured for 2 years, so I changed this using certutil to 10 years (Root CA 20 years, Issuing CA 10 years). Failure 2: The NDES template had a longer lifetime than the Issuing CA. This raised the issue "Life time incorrect" in the failed cert request.
    WAP Proxy
    On the WAP Proxy the required settings
    Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
    Value: MaxFieldLength
    Type: DWORD
    Data: 65534 (decimal)
    Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
    Value: MaxRequestBytes
    Type: DWORD
    Data: 65534 (decimal)
    were applied, but the required December Update 2014 hotfix
    http://blogs.technet.com/b/ems/archive/2014/12/11/hotfix-large-uri-request-in-web-application-proxy-on-windows-server-2012-r2.aspx was not properly installed (the WAP Proxy is a workgroup server).
    NDES
    In the http settings listed above I made a mistake (Dec vs Hex), a typical copy/paste error.
    CRP
    At least one Server is properly configured
    Some Remarks
    Within the policies both certs, Root and Issuing CA, have to be deployed to the Root Store. Later on, in the configuration for the SCEP cert enrollment, the template of the Issuing CA has to be chosen.
    Very happy that this is rolling. Next step is to configure the WIFI Network (NPAS) that only devices with a valid Client certificate can use them.
    The biggest pain overall is that the logging process is not really helpful and is confusing, e.g. the MCSEP.log reports
    2905.902.0:<2015/4/14, 19:31:3>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 44D6EDAE C3C7C52F DE1B2CE4 9C102C22 5DF4CC54
    but the enrolling is working fine. Here Microsoft should investigate for a better overview.
    Cheers,
    +mat

  • MAC OS X Certificate Enrollment

    I want to use this configuration for MAC OS X certificate enrollment. What is required on the Windows PKI side for this to work? Do I need NDES or something else?
    Thank you.
    MCITP Exchange 2010 | MCITP Lync Server 2010 | MCTS Windows 2008

    The Macintosh OS lacks any long term certificate life-cycle management and the difficulty of enrollment and lack of renewal generally makes this un-scalable. Third party products fill the gap - such as AirWatch or Mobile Iron.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

  • Certificate Enroll Errors RPC Server Is Unavailable

    I have a scenario in which I would like some advice before moving on. We have a Server 2012 root CA that was put in about a year to a year and a half ago, and at the same time there was another 2008 R2 root CA that was installed on a DC that was hosting FSMO roles. Well, that DC started to die, so we transferred the FSMO roles and removed certificate services. However, we only uninstalled the role, but as I understand it, there is a bit of cleanup to do in AD beyond just removing the role. So when we started to perform the first step, I noticed remnants of old servers that are no longer around. I've discovered that our previous admin had made 3 other servers (I believe all 2003) that have all completely gone away and yet are still listed in the Trusted Root Certification Authorities on all computers, and I find in the event log the following error when I log in to our domain machines, of them trying to contact each of the old CA servers:
    Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID N/A from server.domain.org\server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
    Now I have no way of knowing whether or not this admin actually properly removed the role before decommissioning these servers, and I have no idea why we needed so many servers to be root CAs in the first place. Anyhow, I was wondering if the proper procedure would be to remove the root trusted certs from group policy and then clean up the remnant entries in AD as described in the Microsoft documentation on removing a root CA from your environment. I still see some errors and machines requesting to check for stuff like CRLs with the most recent root CA that we removed, so I just wanted to check to see if all of these errors will go away once we finish the cleanup, and if there is anything special that needs to be done for the potentially orphaned root CAs. We did take a backup of the 2008 R2 CA (the one that was on the dying DC) before we removed the role, and I have confirmed that our production CA (the one that we would like to remain in production; it is a sub CA of an offline root) has already issued new machine and DC certs to our domain machines and domain controllers.
    Sorry for the lengthy post. Please let me know if any more information is required and thank you in advance!

    Hello,
    the root CA normally is the first one in a forest issuing the certificates for the subordinate CAs if required or for certificates.
    http://technet.microsoft.com/en-us/library/cc731183.aspx
    So there is no need for multiple root CAs.
    To get rid of everything old and be sure the CA is configured correctly for your needs, I suggest asking this in
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

  • Cisco CA + Cisco VPN Client - Error 42: Unable to create certificate enrolment request

    We find ourselves in a difficult situation with the Cisco VPN Client version 5.0.07.0290, where it keeps giving us an "Error 42: Unable to create certificate enrolment request" when we attempt to use the Online enrolment method to create and enrol a new certificate.
    There is no additional information in the VPN client logs where we have set 3-High for all logs.
    In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
    To create and enrol a certificate we do the following:
    1. Click on the Enroll button to show the Certificate Enrolment dialog
    2. Select  Online
    3. Select <New> for Certificate Authority
    4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
    5. Click Next to display the dialog where we can enter certificate details
    6. Enter details in all fields except IP Address and Domain
    7. Click Enroll, which shows a dialog with the Error 42 ... message in it.
    If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrolment request.
    The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem.
    We will be grateful for any assistance that you can provide with this issue. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64-bit machine and attempted the steps listed above.
    Thank you
    Emil

    FYI, I just came up against this problem and the solution in my instance was to ensure that the Cisco CA Server was configured to automatically grant certificate requests.
    Cisco2691#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Cisco2691(config)#crypto pki server CERTSERVER
    Cisco2691(cs-server)#grant ?
      auto     Automatically grant incoming SCEP enrollment requests
      none     Automatically reject any incoming SCEP enrollment request
      ra-auto  Automatically grant RA-authorized incoming SCEP enrollment request
    Cisco2691(cs-server)#grant auto
    % The CS config is locked. You need to shut the server off before changing its configuration.
    Cisco2691(cs-server)#shut
    Cisco2691(cs-server)#grant auto
    Cisco2691(cs-server)#
    Mar 25 19:39:53.356: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
    Cisco2691(cs-server)#no shut
    % Certificate Server enabled.

  • Deleted user Certificate enrollment requests

    We have a user account, "Temp_admin", which was set up as a temporary domain admin and which was deleted a few months ago. For some reason this account is still triggering and successfully being authenticated for certificate enrollment on our internal certificate server, at least according to the application log on DC#4. Looking at the logs on our certificate server, this user does not even exist. Event IDs 64 and 65 every 3-4 minutes with this. Any idea how to stop this or at least keep it from authenticating?
    Server 2008 R2 domain.
    Certificate enrollment for *******\Temp_admin successfully load policy from policy server
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
        <EventID Qualifiers="33370">64</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-02T19:56:04.000000000Z" />
        <EventRecordID>99069</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>MDSTVDC04.*******.local</Computer>
        <Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
      </System>
      <EventData>
        <Data Name="Context">*******\Temp_admin</Data>
        <Data Name="ServerID" />
      </EventData>
    </Event>
    Certificate enrollment for *******\Temp_admin is successfully authenticated by policy server {0E730552-3DDB-465A-83AD-CFAF040B236B}
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
        <EventID Qualifiers="33370">65</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-02T19:56:04.000000000Z" />
        <EventRecordID>99068</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>MDSTVDC04.*******.local</Computer>
        <Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
      </System>
      <EventData>
        <Data Name="Context">*******\Temp_admin</Data>
        <Data Name="ServerURL">{0E730552-3DDB-465A-83AD-CFAF040B236B}</Data>
      </EventData>
    </Event>

    Temp_admin is deleted from the domain
    sid2username output: Error evaluating user name. Some or all identity references could not be translated. 
    Tested with Known accounts and they work so Temp account can not be found.
    First thing I tried to do was search the AD domain by both the SID and username, and they could not be found. I was involved in a motorcycle accident and a temp was hired for the 3 months I was away. The temp did not leave on good terms and the account was deleted as soon as she left the building.
    This user was still listed under user profiles in the registry with that SID.
    I deleted all references to the SID from the registry on that DC and restarted the server, and the issue has disappeared. Really don't think I should have had to go this route though.
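One way to triage the pattern described in this thread, as an added example that is not part of the post or of any Microsoft tooling: parse the exported CertEnroll events, group them by the caller SID, and flag SIDs that an account lookup cannot resolve. The resolver is a constructed dictionary standing in for a directory lookup; the first two events are trimmed copies of the ones posted above and the third is constructed.

```python
"""Flag CertEnroll events whose caller SID no longer resolves to an account.

Added example for the thread above, not code from the post or from Microsoft.
It parses exported CertificateServicesClient-CertEnroll events (IDs 64/65),
groups them by the Security UserID and reports SIDs the resolver cannot
translate, which is the pattern the deleted Temp_admin account produced.
The first two events are trimmed from the post; the third is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sample input, wrapped in an <Events> root so one parse handles all of them.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">64</EventID>
    <Computer>MDSTVDC04.*******.local</Computer>
    <Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
  </System>
  <EventData>
    <Data Name="Context">*******\Temp_admin</Data>
    <Data Name="ServerID" />
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">65</EventID>
    <Computer>MDSTVDC04.*******.local</Computer>
    <Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
  </System>
  <EventData>
    <Data Name="Context">*******\Temp_admin</Data>
    <Data Name="ServerURL">{0E730552-3DDB-465A-83AD-CFAF040B236B}</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">64</EventID>
    <Computer>MDSTVDC04.*******.local</Computer>
    <Security UserID="S-1-5-21-420886195-1495481658-928725530-1001" />
  </System>
  <EventData>
    <Data Name="Context">*******\svc-backup</Data>
    <Data Name="ServerID" />
  </EventData>
</Event>
</Events>"""

# Constructed stand-in for an account resolver (LookupAccountSid on a real
# DC): only the SID of the still-existing, constructed account is known.
KNOWN_SIDS = {"S-1-5-21-420886195-1495481658-928725530-1001": r"*******\svc-backup"}


def parse_events(xml_text: str) -> List[Dict[str, Optional[str]]]:
    """Extract the fields needed for triage from each <Event>."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sec = ev.find("e:System/e:Security", NS)
        ctx = ev.find("e:EventData/e:Data[@Name='Context']", NS)
        events.append({
            "event_id": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
            "computer": ev.findtext("e:System/e:Computer", namespaces=NS),
            "sid": sec.get("UserID") if sec is not None else None,
            "context": ctx.text if ctx is not None else None,
        })
    return events


def find_orphaned_enrollments(events, resolve_sid: Callable[[str], Optional[str]]) -> Dict[str, dict]:
    """Group events by SID and keep those whose SID resolves to no account.
    Returns {sid: {"context", "count", "event_ids", "computers"}}."""
    by_sid: Dict[str, dict] = {}
    for ev in events:
        sid = ev["sid"]
        if sid is None or resolve_sid(sid) is not None:
            continue  # a resolvable SID is ordinary enrollment traffic
        entry = by_sid.setdefault(sid, {"context": ev["context"], "count": 0,
                                        "event_ids": [], "computers": set()})
        entry["count"] += 1
        entry["event_ids"].append(ev["event_id"])
        entry["computers"].add(ev["computer"])
    for entry in by_sid.values():
        entry["event_ids"].sort()
        entry["computers"] = sorted(entry["computers"])
    return by_sid


if __name__ == "__main__":
    for sid, info in find_orphaned_enrollments(parse_events(SAMPLE_EVENTS), KNOWN_SIDS.get).items():
        print(f"orphaned SID {sid} ({info['context']}): {info['count']} events {info['event_ids']} on {info['computers']}")
```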

  • Certificate enrollment web servce GPO enablement failure

    2012 Std R2
    Added certificate authority role with web services
    configuring via library hh831625
    I have verified that IIS has the default site ADPolicyProvider_CEP_Kerbos and I copied the URI https://<server>/ADPolicyProvider_CEP_Kerbos/service.svc/CEP
    I added a domain GPO per the directions in Certificate Enrollment Policy Web Services. I am editing the GPO for Computer->Policies->Windows Settings->Security Settings->Public Key Policies. I double click Certificate Services Client - Certificate Enrollment Policy. I enable the policy and add a certificate enrollment policy list. I paste the above URI; Authentication type is "Windows Integrated". When I validate the server I get the following error:
    An error occurred while obtaining certificate enrollment policy
    URI:https://<server>/ADPolicyProvider_CEP_Kerbos/services.svc/CEP
    Error: The remote endpoint does not exist or could not be located. 0x803d00d (-21434855939 WS_E_ENDPOINT_NOT_FOUND)
    Help with this final validation is appreciated. Logged on as administrator with domain admin rights and enterprise Admins rights
    John Lenz

    Hi,
    Please try to do the following steps at first. Thanks.
    Configuring the CEP web address in the client
    Before I go into the steps it is important to understand that this configuration is based on the security context. You have a CEP configuration for the user, and you have another configuration for the computer. Depending on what certificates you plan on issuing (user or computer certificates) you may only require one of these to be configured.
    Configuring user certificate enrollment
    Run CertMgr.msc.
    Expand Certificates, then Current User.
    Expand Personal.
    Right click on Personal, and select All Tasks, then Advanced Operations, then Manage Enrollment Policies…
    On the Manage Enrollment Policies dialog click the Add… button. See Figure 12
    Type in the URI for the CEP service in the field. This will be in the format of:
    https://<Internet FQDN>/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
    In my example this would be:
    https://cert-enroll.fabrikam.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
    NOTE: the only thing that will be unique to your environment is the Internet FQDN of the URI.
    In the Authentication type drop down select: Username/password
    Click the Validate button.
    Once the Validate button is pressed, you will be prompted to type in a domain user name and password. Supply these credentials.
    If everything goes correctly you should see that the validation test passed in the lower section of the dialog box see Figure 13.
    NOTE: You can see in Figure 13 that the only difference is the DNS portion of this URI. If you scroll down further in the validation output, you will see the friendly name you added under the website configuration being displayed also.
    Click the Add button.
    Uncheck Enable for automatic enrollment and renewal.
    NOTE: Failure to do so could cause users to be prompted for user name and password each time they log on to the computer. This occurs because Windows Autoenrollment runs immediately after the user has logged on. If the enrollment policy is configured for automatic enrollment and renewal, Windows Autoenrollment will attempt to contact the configured CEP server when it starts in order to determine if new certificates have been assigned. Since this will result in the users being prompted for credentials every time they log on, your users may be annoyed.
    Click the OK button.
    NOTE: Follow the same procedures to configure the Enrollment Policy server for the computer personal store if you need to enroll for computer certificates.

  • Certificate enrollment via SunPKCS11

    Hi, my question is whether certificate enrollment is possible via the SunPKCS11 provider.
    Generating a key pair is possible and easy by using the standard KeyPairGenerator also implemented by SunPKCS11.
    Generating a PKCS10 certificate request is also possible and easy, although it entails using the sun.security package.
    At this point, one would assume that the worst is over, as the last required operation is installing the certificate received from the certification authority. Alas, the SunPKCS11 provider seems to prevent such a basic operation.
    The setCertificateEntry() method implemented by the SunPKCS11 provider, via the P11KeyStore class, just refuses to install a normal end-entity certificate -- and this is documented! Absolutely nonsensical.
    Can anyone provide hints / suggestions to overcome this frustrating problem?

    Hi,
    Have you found the solution for this problem? I am also having the same problem as you. The stranger thing for me is that I can't even use the P11KeyStore, though I can find this class in sunpkcs11.jar. Please advise. I am meeting my deadline right now.
    Thanks.

  • ASA // certificate-handling (trustpoints)

    Hi!
    I have a question regarding certificate handling in the ASA (for example for using it for AnyConnect).
    I'm not talking of the internal CA here, just about handling certificates coming from an external CA.
    If you configure a trustpoint on the ASA, can the trustpoint itself contain a whole hierarchy of certificates? For example, one root CA certificate, one intermediate CA certificate, and one certificate for the ASA itself, where the ASA holds the private key, too?
    For me it would be logical, but I can't do it. I always have to configure a separate trustpoint for each level; in this case two: one for the certificate of the root CA, the second for the intermediate CA. The second then also holds the certificate of the ASA itself.
    Is this really the "right" way to do it? I get everything to work (validation and stuff) when using the second way, but I'm confused because of the command "crypto ca certificate chain <trustpoint>", which for me indicates that it should indeed be possible to have a complete chain of certificates, a complete hierarchy so to speak, associated to this trustpoint.
    The documentation didn't help me out here.
    Thanks for clarification.
    Florian

    I will just add another snippet of information, to make even more clear what I mean.
    This is the configuration of my lab ASA. It holds 3 (three!) trustpoints, which basically are all from the same CA (it's the free startssl.com CA).
    startssl.com-root is the trustpoint holding the root certificate. startssl.com-client is one intermediate CA of startssl.com. It issues certificates for clients (for instance, I have a WebVPN user having such a certificate, who authenticates with this certificate successfully against the ASA). startssl.com-server is another intermediate CA; this CA issues certificates for webservers. My ASA has its own certificate (for WebVPN) issued from this CA, holding the private key for it.
    crypto ca trustpoint startssl.com-root
     enrollment terminal
     crl configure
    crypto ca trustpoint startssl.com-client
     revocation-check crl
     enrollment terminal
     crl configure
    crypto ca trustpoint startssl.com-server
     enrollment terminal
     crl configure
    crypto ca certificate chain startssl.com-root
     certificate ca 01
      [hex-output omitted]
      quit
    crypto ca certificate chain startssl.com-client
     certificate ca 0d
      [hex-output omitted]
      quit
    crypto ca certificate chain startssl.com-server
     certificate ca 0a
      [hex-output omitted]
      quit
     certificate 017a56
      [hex-output omitted] (this is the certificate of the ASA itself)
      quit
    For me it would make more sense to have ONE trustpoint (startssl.com), which holds the complete chain of root, the two intermediate CAs, and my own certificate.
    Regards,
    Florian

  • How to configure AnyConnect/ASA/Certificate/MS CA together

    Hello
    We are looking to apply mobile device management utilizing some third-party cloud solution. Mostly iPad users will connect to our internal network using AnyConnect through the ASA. A third-party MDM will be used to control and provision the iPads, and I need to provide a solution for AnyConnect VPN.
    Looking for some guidance, docs, examples, white paper that will provide info how to configure the following:
    users will connect to the ASA VPN using AnyConnect; a certificate issued by the internal Microsoft CA and unique to each user will be used to authenticate the user. ACS will communicate with Microsoft AD to check if the user is a valid AD user. Once authentication is done, the user will have access to the internal network.
    I am struggling to get all those pieces of the puzzle together so I can work on a solution.
    I would appreciate if someone will give me some ideas how this whole scenario will work.
    Thank you.

    Anyone from the experts out there? I am sure someone has done this before.

  • ADCS certificate enrollment error with RPC

    I'm attempting to enroll in a computer certificate that works for a windows clients (W7), but not for the Apple (OS 10.9.4) clients.  I've been using the following document, with no success (http://support.apple.com/kb/HT5357).  The enrollment is being attempted from a mobileconfig generated from an OS X server.  The payload is limited to only ADCertificatePayload to limit how much to troubleshoot.  We are also limiting the enrollment to a single Issuing CA to limit where to look for communication.  I greatly appreciate any assistance you can provide.
    This is the ManagedClient.log from /Library/Logs:
    +||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||
    Sep  3 13:44:20[562:1]:+|||||||||||||| Calling installPayload on plugin: ADCertificatePayloadPlugin ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
    Sep  3 13:44:20[562:1]:+|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
    Sep  3 13:44:20[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload
    Sep  3 13:44:20[562:1]:+ADCertificatePayloadPlugin scheme overrides HTML to use RPC; scheme = (null)
    Sep  3 13:44:20[562:1]:+ADCertificatePayloadPlugin using RPC = YES
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.boundADInformationWithError dict =
        computerID = AppleWorkID;
        domainName = "FQDN.com";
        name = domainname;
        subject = "/CN=AppleWorkID.FQDN.com";
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.credentialsForDomain domainname = domainname; username = AppleWorkID$
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer credentials username = AppleWorkID$
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer gss_aapl_initial_cred status = 0
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer running as euid = 0
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer ca_name = IssuingCA
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer servername = IssuingCA.FQDN.com
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer cert_template = AppleWorkstation
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer csr length = 624
    Sep  3 13:44:21[562:1]:+Using RPC authn_level: 6
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer partial_string_binding = ncacn_ip_tcp:IssuingCA.FQDN.com[]
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer using principal name:  host/IssuingCA.FQDN.com
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer dwFlags is ff
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer Calling CertServerRequest...
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer CertServerRequest return pdwRequestId = 0
    Sep  3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest exception name :
    Sep  3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest -2147024809
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer server returned cert = FAILED
    Sep  3 13:44:21[562:1]:+**************** AD certificate getCertificateFromServer failed
    Sep  3 13:44:21[562:1]:+:::::::::::::::: ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = -319
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = fail
    Sep  3 13:44:21[562:1]:+**************** Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The 'Active Directory Certificate' payload could not be installed. The certificate request failed." UserInfo=0x7fbd4157b540 {NSLocalizedDescription=The 'Active Directory Certificate' payload could not be installed. The certificate request failed.} from: InstallPayload in ADCertificatePayloadPlugin
    The 'AppleWorkstation' template seems to have all the settings set correctly, but I'll go through them all.
    General: Both display name and template name = "AppleWorkstation"
    Compatibility -> CA: Windows Server 2008 R2
    Compatibility -> Certificate recipient: Windows 7 / Server 2008 R2
    Request Handling -> Purpose: Signature and Encryption
    Cryptography -> Algorithm name: RSA
    Cryptography -> Minimum key size: 2048
    Cryptography -> Request hash: SHA256
    Security: Both the Windows and Mac domain computer objects have (Read, Enroll, Autoenroll).
    Subject Name -> Build from this Active Directory information: Subject name format: Common name
    Subject Name: Only UPN is checked
    The schema version of the template is 3 and the version of the template is 100.43.
    Both computers are joined to the Active Directory 2008 R2 domain. Certificate services exist within the site on their own dedicated servers. The CAs are as follows: 1 x 2012 R2 for the offline root and 2 x issuing CAs.

    Hi Alexander,
    "But by group should work by design, or did I get something wrong?"
    I am not sure that I understand this query correctly, so I'll just put it this way; feel free to correct me if I misunderstood:
    Access control assignment on a group will grant the corresponding permissions to all members within it; these are called inherited permissions.
    If there is a direct access control entry which assigns permissions to a single security principal belonging to the group, then the direct permissions take precedence; these are called explicit permissions.
    Well, if a security principal belongs to two or multiple groups, and each group gets conflicting permissions, then the more restricted (deny or not allow) ones take precedence. This rule is the same for explicit permissions: more restricted ones have higher precedence.
    In addition, here are some scripting forums for you if there are any scripting requirements:
    The Official Scripting Guys Forum
    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
    Windows PowerShell Forum
    https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverpowershell&filter=alltypes&sort=lastpostdesc
    MSDN Forums
    https://social.msdn.microsoft.com/Forums/en-US/home
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
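A small model of the precedence rules Amy describes above (explicit ACEs beat inherited ones, and a deny beats an allow), as an added example that is not code from this thread; the template ACL, computer names and group memberships are constructed, and the evaluation order follows Windows canonical DACL ordering.

```python
from dataclasses import dataclass

# Constructed model of the rules in the reply above: explicit ACEs beat inherited
# ones, and within each class a deny beats an allow (Windows canonical DACL order).
# All names and ACEs below are made up for illustration.

@dataclass(frozen=True)
class Ace:
    trustee: str     # user, computer or group name
    right: str       # e.g. "Read", "Enroll", "Autoenroll"
    allow: bool      # True = Allow ACE, False = Deny ACE
    inherited: bool  # False = explicit ACE set directly on the object

def effective_access(principal, groups, acl, right):
    """True if `principal` (member of `groups`) effectively holds `right`.
    Order: explicit deny, explicit allow, inherited deny, inherited allow;
    no matching ACE at all is an implicit deny.
    """
    trustees = {principal} | set(groups)
    matching = [a for a in acl if a.right == right and a.trustee in trustees]
    for inherited in (False, True):
        for allow in (False, True):
            if any(a.inherited == inherited and a.allow == allow for a in matching):
                return allow
    return False

# Constructed template ACL: group allows, one explicit deny on a single member,
# a second group that denies, and an inherited deny overridden by an explicit allow.
TEMPLATE_ACL = [
    Ace("Domain Computers", "Read", True, False),
    Ace("Mac Workstations", "Enroll", True, False),
    Ace("Mac Workstations", "Autoenroll", True, False),
    Ace("LAB-MAC01$", "Enroll", False, False),            # explicit deny wins over group allow
    Ace("Quarantined Hosts", "Autoenroll", False, False), # conflicting groups: deny wins
    Ace("Domain Computers", "Write", False, True),        # inherited from the container
    Ace("Cert Admins", "Write", True, False),             # explicit allow beats inherited deny
]

MEMBERSHIP = {  # transitive group membership, constructed
    "LAB-MAC01$": ["Domain Computers", "Mac Workstations"],
    "LAB-MAC02$": ["Domain Computers", "Mac Workstations", "Quarantined Hosts"],
    "LAB-ADMIN01$": ["Domain Computers", "Cert Admins"],
}

def enrollment_report(acl, membership):
    """Map each principal to the sorted list of rights it effectively holds."""
    rights = sorted({a.right for a in acl})
    return {p: [r for r in rights if effective_access(p, g, acl, r)]
            for p, g in membership.items()}
```

Real AD ACEs also carry object-type GUIDs for extended rights such as Enroll and Autoenroll, which this model omits.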

  • UAG Certificate Enrollment Error, Logon Failure.

    Hi All,
    I have been configuring UAG with the help of the TLG provided online. On one machine I have to enroll
    an IP-HTTPS listener certificate. For that I have followed the following steps.
    Run > mmc > File > Add/Remove Snap-in > Certificates
    On the new window I select Computer account, then Next,
    then Local computer, then Finish.
    Now, right-click in the details pane: All Tasks > Request New Certificate > AD Enrollment Policy.
    Now, after clicking Next I am getting the error:
    Enrollment Error
    Logon Failure: Unknown Username or Bad Password.
    Recently I have changed only this system's password (system name UAG2SERVER).
    Can anyone please help?

    Hi,
    Have you created a rule in the TMG console to allow all traffic to your CA? Otherwise the cert enrollment will fail.
    I do not understand what you mean by saying you have changed the system password. Are you logged in with a domain account?
    regards,
    Lutz
