Auto certificate enrollment for computers not happening

Similar Messages

• Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

  I have a lot of background on this question so bear with me please. :)
  I am tasked with getting our domain from 2003 to 2008 level. In order to do that I brought up a 2008 R2 server into the domain and did dcpromo to get it to "play" with the two other 2003 DCs. All is working pretty well except that I'm getting the auto-enrollment
  error above not because of a configuration error but because before I even came to work here the Root CA machine was taken out of service and disposed of! So the unable to contact is a true error. The machine no longer exists! I'm sure I'll have to re-setup
  a Root CA but wanted some guidance on the path to take on getting from where I am (broke!) to back to healthy!
  thanks in advance,
  Leo

  Hi Vadims,
  I do have exactly the same problem as described above. The Root CA no longer exist and the certificates are about to expire, however I have checked the expiration date of the certificate using certmgr in the AD servers (Three server cluster) and I have found
  different expiring dates for the same certificate as described bellow. 
  Trusted Root Certification Authorities > CONTOSO-CA (exp 17/05/2018)
  Intermediate Certification Authorities > CONTOSO-CA (exp 17/05/2018)
  Active directory User Object > CONTOSO-CA (exp 17/05/2014)
  We currently have an AD cluster conformed by three Windows server 2008 and no currently Certificate Authority role installed on any of them. 
  I also have seen using certmgr that all machines in the company have the certificate CONTOSO-CA in the following way:
  Trusted Root Certification Authorities > CONTOSO-CA (exp 17/05/2018)
  Intermediate Certification Authorities > CONTOSO-CA (exp 17/05/2018)
  Active directory User Object > Not present
  My question is, can I safely decommission the certificate following the procedure stated above (step 6)? what will be the impact of this certificate (Active directory user object) expiring?
  Thanks in advance
  Cesar

• Native Mode for Computers not on the domain (Workgroup)

  We recently converted our environment to PKI (HTTPS) and everything has been working great for our domain bound machines.  Now in our environment we have a couple machines that are not on the domain, "workgroup computers".  Does anyone
  have a best practice to getting these devices connected?  I have read various things on certain blogs but it seems everyone is doing it different.
  I would also like to have the Workgroup cert installed via the task sequence so when the techs are installing things or just having the computer off the domain it is still communicating with SCCM.  Then when the computer is joined to the domain it uses
  the certs from group policy, and vice versa when a computer is removed from the domain it would revert to the workgroup certs.
  Also do you have to create a cert for each workgroup computer?  I would like to do it the easiest way possible since we have a seperate group who does the CA Authority certs and would rather not have to bug them for every workgroup machine.

  Let's start with the last question, yes every workgroup computer needs its own certificate.
  About your initial question, depending on the number of workgroup computers it might indeed be beneficial to automate the certificate request via, for example PowerShell. An example can be found here:
  https://jasonhjones.wordpress.com/2014/10/28/powershell-and-certificate-requests/
  The complete manual process can be found here (it's written for ConfigMgr 2007, but the process is still very similar except for the client installation parameters):
  http://www.petervanderwoude.nl/post/how-to-install-a-configmgr-client-on-a-workgroup-computer-when-the-configmgr-site-is-in-native-mode/
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• Prompt for filename - not happening

  I am running Windows 7 & AA8. Every time I print to PDF the file is automatically saved to "My Documents" with the default file name. On my previous machine (Windows XP) I was prompted for the filename and save location. I cannot find the setting to make this possilbe again. When I open the printing preferences in windows - the setting " Adobe PDF Folder;" is blank or "LPT1" and I cannot change this. I click the "Browse" button but nothing happens....

  It sounds like the Adobe PDF printer is not being recognized. As for Win7 and AA8, I have only heard of one report that it works in the 64-bit version and there were no details. My guess is that you are running the 64-bit version. You might be successful if you selected 32-bit compatibility or whatever it is for the AcroTray.exe file. If that file is not active, then it would be reasonable that the port would be something different. If you check the printer port in the properties, is there an Adobe PDF port. The normal setting is Port: Documents\*.pdf with the Adobe PDF printer.
  If you can not set the port to Documents\*.pdf, you might just try setting the port to File. Then you should at least be able to print to file and then open the file in Distiller to get the PDF. An extra step, but should do the job.

• CRM 6.0 ERMS auto acknowledge rules for exception not working

  I have set up a number of exceptions in our Send Auto Acknowledgement rule but the exceptions are never caught.
  An auto acknowledge email is sent in response to emails containing the text defined in the rule for Subject or Sender
  I have been unable to find anything regarding what text or format is acceptable - are spaces allowed.  Even my test for English failed and I received a auto acknowledgment to my Japanese email....
  Any ideas?
  If
  E-Mail Subject Does Not Contain "undeliverable" or
  E-Mail Subject Does Not Contain "E-mail past processing deadline" or
  E-Mail Subject Does Not Contain "Out of Office" or
  E-Mail Subject Does Not Contain "Delivery Status Notification" or
  E-Mail Sender Does Not Contain "postmaster" or
  E-Mail Sender Does Not Contain "mailer-daemon" or
  E-Mail Sender Does Not Contain "microsoftexchange" or
  E-Mail Sender Does Not Contain "ironport" or
  E-Mail Sender Does Not Contain "311" or
  E-Mail Language Is Not Equal To English or
  E-Mail Subject Does Not Contain "Delivery failure notification" or
  Then
  Send Auto Acknowledgement ( Mail Form = 311 Auto Reply; Outgoing E-Mail Address = "defined email address had to be removed"; Create Interaction Record = No; Create Service Order = No )

  Donna,
  I really think the issue is the "or" operator should be "and".  When using DOES NOT CONTAIN you need "and" for all condition checks.
  There is a select "All/Match Any"  on the Conditions Menu that is used to toggle the Match "and" or "or".
  Hope this solves your problem.
  Donna O'Neill

• Certificat​es set at $20 but received an auto certificat​e for $5

  I have my rewards points set up where it's suppsoed to issue me my certifcate for $20 after I get 1000 points but it automatically used my points to redeem a $5 certificate when I do no want the $5 certificate because I am saving my points for the $20 certificate for a future purchase. I've had my preferences set to the $20 for quite sometime now, over a month so there's no reason why it should have done this. How do I cancel the coupon and get my 250 points back on to my account?

  Good morning Ecential, and welcome to the forum,
  I used the email address you registered with the forum to review your My Best Buy account, and I do see that your certificate preference is currently set at $20.  Based on your preference, a certificate should not be automatically issued until you at least have 1000 points.  I would like to go over your account with you in greater detail, so I will be sending you a private message.  To check your private messages, are going to want to login into the forum and click on the envelope icon at the top of the page.
  Thank you for posting!
  Derek|Social Media Specialist | Best Buy® Corporate
   Private Message

• Sharepoint server synch for Tracker not happening since upgrade to Acrobat 9 Pro

  Hi,
  I have a user that is unable to share his comments and see updates in Tracker using Acrobat 9 Pro.  There is a warning on Server status that says "some workflows are in error."  It seems that synchronization is with the server is failing, though his connection to the network is otherwise solid.  User can go to the server and go to the folder and open the PDF folder without any issues, but synchronization with server within Acrobat 9 Pro Tracker is failing.  He can join reviews, but is unable to see other reivewers comments and can not see any of the other 8 reviewers listed, he can only see himself and the initiator.
  I did verify that the initator and all reviewers are also using Acrobat 9 Pro.  Only this one reviewer is having issues, everyone else is ok.
  The issue started to happen after user was upgraded to Acrobat 9 Pro. We did try a repair in add\remove programs, but this did not help.  I am wondering if there is anything on the backend, somewhere that needs to be changed.  User did go into a few other Shared Reviews on the Sharepoint server and was able to see 5 reviewers.
  Here are my questions:
  1. Is there some sort of unique identifier that needs to be changed?
  2. Can the initiator delete this one reviewer and then add him back, and would that possibly solve the issue?
  Thanks,
  Julie

  Hi Damir,
  On the page mentioned above you need to click on 'Buy Now' at the right hand side as shown in the screenshot below :
  After that you will see this screen :
  Click on 'Subscription' drop-down and select 'Upgrade', The other dropdown menus will be updated accordingly and you need to select 'I own' as 'Acrobat 9 Pro,
  Platform and Language accordingky.
  Then you can 'Add to cart' and checkout.
  Regards,
  Rave

• Licensing for computers - not user specific?

  We have a lot of freelancers that work on our projects in our editing suites.
  We have purchased enough CC Cloud licenses to cover each physical computer.
  Since we have more editors than computers it is not ideal to bind a license to specific people.
  Is there a way to bind the licenses to each computer, or install the licenses as a "first come - first serve" on a floating license server or something?
  All help is appreciated.

  Ask about a DEVICE license instead of an Adobe ID license
  Adobe contact information - http://helpx.adobe.com/contact.html

• ADCS problem with enroll certificates for computers.

  Hi All,
  There are PKI infrastructure:
  1 standalone root CA (Win 2008 Std, workgroup, offline)
  2 enterprise issuing CA (Win 2008 Ent, DC role, NPS role)
  In AD all root\issue CA certs is available, crl is available, Enterprise PKI console show OK status for all components,  etc.
  It seems work and right config.
  But there is one problem.
  PCs and DCs in domain cannot request computer cert from both CA.
  Manual enroll through mmc fails on domain members/domain controllers with error
      Source: CertificateServicesClient-CertEnroll
      Event ID: 13
      Certificate enrollment for Local system failed to enroll for a Workstation/Domain Controller certificate from ....(name of CA).... (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
      Autoenroll through GP/Manual enroll through Web-enrollment also failed.
  But!!! User enroll cert without problem. At least through mmc console i can enroll user cert.
  Plz help somebody. I crash my mind with problem. )))
  Thanks all.

   
  Hi,
  Please add the following groups to the Certificate Service DCOM Access group:
  ·         Domain Users group
  ·         Domain Controllers group
  ·         Domain Computers group
  In addition, make sure that the Certificate Service DCOM Access group has Local/Remote Activation permission as well.
  And then, update the DCOM security settings for the certificate service by running the following commands at a command prompt:
  certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
  net stop certsvc
  net start certsvc
  Note: Press Enter after each command.

• Certificate Enroll Errors RPC Server Is Unavailable

  I have a scenario in which I would like some advice before moving on. We have a Server 2012 root CA that was put in about a year-year and a half ago and at the same time there was another 2008 R2 root CA that was installed on a DC that was hosting FSMO roles.
  Well that DC started to die so we transferred the FSMO roles and removed certificate services. However, we only uninstalled the role but as I understand, there is a bit of cleanup to do in AD beyond just removing the role. So when we started to perform the
  first step, I noticed remnants of old servers that are no longer around. I've discovered that our previous admin had made 3 other servers (I believe all 2003) that have all completely gone away and yet are still listed in the Trusted Root Certification Authorities
  on all computers and I find in the event log the following error when I log in to our domain machines of them trying to contact each of the old CA servers:
  Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID N/A from server.domain.org\server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
  Now I have no way of knowing whether or not this admin actually properly removed the role before decommissioning these servers and I have no idea why we needed so many servers to be root CA's in the first place? Anyhow, I was wondering if the proper procedure
  would be to remove the root trusted certs from group policy and then clean up the remnant entries in AD as described in the Microsoft documentation of removing a root CA from your environment. I still see some errors and machines requesting to check for stuff
  like CRL with the most recent root CA that we removed so I just wanted to check to see if all of these errors will go away once we finish the cleanup and if there is anything special that needs to be done for the potentially orphaned root CA's. We did take
  a backup of the 2008R2 CA (the one that was on the dying DC) before we removed the role and I have confirmed that our production CA (the one that we would like to remain in production - is a sub CA of an offline root) has already issued new machine and DC
  certs to our domain machinese and domain controllers.
  Sorry for the lengthy post. Please let me know if any more information is required and thank you in advance!

  Hello,
  the root CA normally is the first one in a forest issuing the certificates for the subordinate CAs if required or for certificates.
  http://technet.microsoft.com/en-us/library/cc731183.aspx
  SO there is no need for multiple root CAs.
  To get rid of everything old and be sure the CA is configured correct for your needs I suggest to ask this in
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://msmvps.com/blogs/mweber/
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

• Deleted user Certificate enrollment requests

     We have a user account, "Temp_admin " which was set up as a temporary domain admin, which was deleted  a few months ago. For some reason this account is still triggering and Successfully being authenticated for certificate enrollment
  on our internal certificate server. At least according to the application log on Dc#4. Looking at the logs on our certificate server this user does not even exist. event ID's 64 and 65 every 3-4 minutes with this. Any idea how to stop this or atleast keep
  it from authenticating?
  Server 2008r2 domain.
  Certificate enrollment for *******\Temp_admin successfully load policy from policy server 
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}"
  EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">64</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated
  SystemTime="2014-09-02T19:56:04.000000000Z" />
    <EventRecordID>99069</EventRecordID>
    <Correlation
  />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>MDSTVDC04.*******.local</Computer>
    <Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
    </System>
  <EventData>
    <Data Name="Context">*******\Temp_admin</Data>
    <Data Name="ServerID" />
    </EventData>
   </Event>
  Certificate enrollment for *******\Temp_admin is successfully authenticated by policy server {0E730552-3DDB-465A-83AD-CFAF040B236B}
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}"
  EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">65</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated
  SystemTime="2014-09-02T19:56:04.000000000Z" />
    <EventRecordID>99068</EventRecordID>
    <Correlation
  />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>MDSTVDC04.*******.local</Computer>
    <Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
    </System>
  <EventData>
    <Data Name="Context">*******\Temp_admin</Data>
    <Data Name="ServerURL">{0E730552-3DDB-465A-83AD-CFAF040B236B}</Data>
    </EventData>
    </Event>

  Temp_admin is deleted from the domain
  sid2username output: Error evaluating user name. Some or all identity references could not be translated. 
  Tested with Known accounts and they work so Temp account can not be found.
  First thing I tried to do was search the AD Domain by both the sid and username and they could not be found. I was involved in a motorcycle accident and a temp was hired for the 3 months I was away. The temp did not leave on good terms and the account was
  deleted as soon as she left the building. 
  This user was still listed under user profiles in the registry with that sid. 
  I deleted all references to the sid from the registry on that DC and restarted the server and the issue has disappeared. Really don't think I should have had to go this route though. 

• The enrollment server did not provision a valid identity certificate

  I'm working on rolling my own MDM service, and I'm trying to combine the SCEP and MDM payloads as the MDM protocol document from Apple suggests. I created my own SCEP web service in C# .Net and I know that the device can get a valid certificate when I just send the SCEP payload. However when I also include an MDM payload that points to the SCEP payload's UUID via the IdentityCertificateUUID key, I get the following error, "The enrollment server did not provision a valid identity certificate." This configuration is the one that is sent after the user chooses to install the initial enrollment configuration (step 1 of phase 2 in this diagram).
  The device doesn't appear to even make an attempt at connecting to my server, and thanks to server side logging I know that it never reaches my SCEP web service page. This seems to indicate that there's something wrong with the certificate I use to sign the payload. I've separately tried signing it with my SSL certificate (from a pre trusted root authority), my customer MDM push certificate (chained from our vendor cert), and my self-signed root certificate authority certificate (created via makecert.exe) that the SCEP service uses to issue new certificates (i.e. device identity certificates).
  I've looked at the output from the iPCU (iPhone Configuration Utility) when I create a profile with both the MDM and SCEP payloads, and it isn't a valid profile (I've even tried copying it nearly wholesale). However when I install the profile via the iPCU the error doesn't come up and it begins the SCEP enrollment process without issue.
  A side note - using a preexisting MDM vendor is not an option here.
  Below is the profile I'm using:
  <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
          <dict>
            <key>PayloadContent</key>
            <array>
              <dict>
                <key>PayloadContent</key>
                <dict>
                  <key>Challenge</key>
                  <string>this is a challenge</string>
                  <key>Key Type</key>
                  <string>RSA</string>
                  <key>Key Usage</key>
                  <integer>5</integer>
                  <key>Keysize</key>
                  <integer>1024</integer>
                  <key>Name</key>
                  <string>mycompany</string>
                  <key>Retries</key>
                  <integer>3</integer>
                  <key>RetryDelay</key>
                  <integer>0</integer>
                  <key>Subject</key>
                  <array><array><array>
                    <string>CN</string>
                    <string>mycompany</string>
                  </array></array></array>
                  <key>URL</key>
                  <string>https://mysite.com/scep.aspx</string>
                </dict>
                <key>PayloadDescription</key>
                <string>Configures SCEP</string>
                <key>PayloadDisplayName</key>
                <string>SCEP (mycompany)</string>
                <key>PayloadIdentifier</key>
                <string>com.mycompany.mdm.scep1</string>
                <key>PayloadOrganization</key>
                <string></string>
                <key>PayloadType</key>
                <string>com.apple.security.scep</string>
                <key>PayloadUUID</key>
                <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
              </dict>
              <dict>
                <key>AccessRights</key>
                <integer>3</integer>
                <key>CheckInURL</key>
                <string>mysite.com/checkin.aspx</string>
                <key>CheckOutWhenRemoved</key>
                <false/>
                <key>IdentityCertificateUUID</key>
                <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
                <key>PayloadDescription</key>
                <string>Configures MobileDeviceManagement.</string>
                <key>PayloadIdentifier</key>
                <string>com.mycompany.mdm.mdm2</string>
                <key>PayloadOrganization</key>
                <string></string>
                <key>PayloadType</key>
                <string>com.apple.mdm</string>
                <key>PayloadUUID</key>
                <string>ed0ae41d-1aa7-4721-9fe9-139c1072132c</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>ServerURL</key>
                <string>https://mysite.com/checkin.aspx</string>
                <key>SignMessage</key>
                <false/>
                <key>Topic</key>
                <string>com.apple.mgmt.mypushsubject</string>
                <key>UseDevelopmentAPNS</key>
                <true/>
              </dict>
            </array>
            <key>PayloadDescription</key>
            <string>Profile description.</string>
            <key>PayloadDisplayName</key>
            <string>Test Profile</string>
            <key>PayloadIdentifier</key>
            <string>com.mycompany.mdm</string>
            <key>PayloadOrganization</key>
            <string>mycompany</string>
            <key>PayloadRemovalDisallowed</key>
            <false/>
            <key>PayloadType</key>
            <string>Configuration</string>
            <key>PayloadUUID</key>
            <string>13321058-4037-478c-9b1e-ef6f810065cb</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
          </dict>
        </plist>

  I got in touch with Apple about this.
  Apparently you want to send the combined MDM & SCEP payload in step 2 of phase 3 of the diagram I linked in my question, which is the profile that's sent after OTA enrollment.  According to Apple you need two separate certificates (which means two SCEP enrollments) - one for OTA enrollment, and one for MDM enrollment.

• Sorry but I think this wrong, I know that in Colombia there and two of the three operators already have 4G/LTE networks, what happens is that the iPhone should be expected to send the update software for computers that have this tercnologia activate them,

  sorry but I think this wrong, I know that in Colombia there and two of the three operators already have 4G/LTE networks, what happens is that the iPhone should be expected to send the update software for computers that have this tercnologia activate them, that my Iphone or receiving 5 supports 4G LTE,
  Thank you for your attention

  Apple needs to test the carrier if they offer LTE as expected.
  If your country/carrier is not on the list then there's no LTE on your iPhone.
  http://www.apple.com/iphone/LTE/
  It's between the your carrier and Apple. There's nothing you can do except feedback to Apple:
  http://www.apple.com/feedback/iphone.html

• No password prompt from ASA 5500 for certificate enrollment

  Greetings,
  I work in a lab testing interoperability between Avaya and Cisco VoIP products.
  I am setting up an environment to test Avaya 96x1 phones with VPN using SCEP
  going thru an ASA 5510 to a backend IP PBX. 
  Environment:  Windows Server 2008 R2, Enterprise Edition, AD with DNS, NDES
                       Cisco ASA 5510 running 9.0(1)
  I would like to setup certificate enrollment between a Windows Server 2008 R2 and a
  Cisco ASA 5510.  Here are the commands that I use for the Cisco ASA 5510:
       crypto key generate rsa modulus 2048
       crypto ca trustpoint ASA5510-trust
           enrollment url http://10.129.112.20/certsrv/mscep/mscep.dll
           enrollment retry period 5
           enrollment retry count 3
           password Interop123
           exit
       crypto ca authenticate ASA5510-trust
       crypto ca enroll ASA5510-trust
  Everything works as expected until I try to enroll. There is no prompt for the
  enrollment password and the certificate request is denied.
  ciscoasa(config)# crypto ca enroll ASA5510-trust
  % Start certificate enrollment ..
  % The fully-qualified domain name in the certificate will be: ciscoasa.avayasil.avaya.com
  % Include the device serial number in the subject name? [yes/no]: No
  Request certificate from CA? [yes/no]: yes
  % Certificate request sent to Certificate Authority
  ciscoasa(config)# The certificate enrollment request was denied by CA!
  Why isn't there a prompt for the enrollment password?
  BTW, If I set "enforcepassword" to "0" in the Windows registry, then it works.
  Thanks,

  Richard,
  In the trustpoint config you have the challange defined.
  http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/p1.html#wp1961480
  If this command is enabled, you will not be prompted for a password during certificate enrollment.
  Did you try removing it? If you're still not being asked after removing it. It's most likely a bug.
  M.

• AUTO TO not happening

  hi experts.
  we r in is retail,fallowing auto del & auto transfer order (picking) to delivery.
  issue: if order create in r3 auto TO happening,but order flown from CRM to r3 'TO' not happening that meens in this case WMTA out put type not determinig in delivery header when order flown from CRM to R3.
  pls can any body give solution& what is the configuration to auto TO?
  advance thanks
  reddy

  Hi,
  The processing of output type WMTA triggers the creation of Transfer Order.
  U can initiate thru output control in outbound delivery. Sys determines output type WMTA at HEADER level of outbound del. is created .
  The combination Del type / Shippin pt or Del. type is responsible for determining output type in std sys.
  Thank you.