Deleted user Certificate enrollment requests

Similar Messages

• Cisco CA + Cisco VPN Client - Error 42: Unable to create certificate enrolment request

  We find ourselves in a difficult situation with the
  Cisco VPN Cleint version 5.0.07.0290 where it keeps giving us an
  "Error 42: Unable to create certificate enrolment request" when we attempt to use the Online enrolment method to create and enrol a new certificate.
  There is no additional information in the VPN client logs where we have set 3-High for all logs.
  In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
  To create and enrol a certificate we do the following:
  1. Click on the Enroll button to show the Certificate Enrolment dialog
  2. Select  Online
  3. Select <New> for Certificate Authority
  4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
  5. Click Next to display the dialog where we can enter certificate details
  6. Enter details in all fileds except IP Address and Domain
  7. Click Enroll which shows a dilaog with the Error 42 ... message in it.
  If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrolment request.
  The fact that the client does not send any messages to the Cisco CA leads us to belive that we have a pronblem on the clinet machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem.
  We will be grateful for any assistance that you can provide with this issue. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the clinet on a Windows 7 64bit machine and attempted the steps listed above.
  Thank you
  Emil

  FYI, I just came up against this problem and the solution in my instance was to ensure that the Cisco CA Server was configured to automatically grant certificate requests.
  Cisco2691#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  Cisco2691(config)#crypto pki server CERTSERVER
  Cisco2691(cs-server)#grant ?
    auto     Automatically grant incoming SCEP enrollment requests
    none     Automatically reject any incoming SCEP enrollment request
    ra-auto  Automatically grant RA-authorized incoming SCEP enrollment request
  Cisco2691(cs-server)#grant auto
  % The CS config is locked. You need to shut the server off before changing its configuration.
  Cisco2691(cs-server)#shut
  Cisco2691(cs-server)#grant auto
  Cisco2691(cs-server)#
  Mar 25 19:39:53.356: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
  Cisco2691(cs-server)#no shut
  % Certificate Server enabled.

• Deleting user certificates

  I deployed a user certificate to a group of users with autoenroll for a product we were testing, we needed a slightly different user cert for another product and now users are getting prompted to pick a cert to use.  I disabled autoenroll for the
  first cert but is there a way to remove it from the users personal store on their computers?

  You should also be able to use the Supersede Template option, where you on the new Template specify the old one as superseded. Then the old ones will be deleted on the clients.
  http://technet.microsoft.com/en-us/library/cc753044.aspx
  Tom Aafloen, IT-security Consultant Onevinn AB

• No password prompt from ASA 5500 for certificate enrollment

  Greetings,
  I work in a lab testing interoperability between Avaya and Cisco VoIP products.
  I am setting up an environment to test Avaya 96x1 phones with VPN using SCEP
  going thru an ASA 5510 to a backend IP PBX. 
  Environment:  Windows Server 2008 R2, Enterprise Edition, AD with DNS, NDES
                       Cisco ASA 5510 running 9.0(1)
  I would like to setup certificate enrollment between a Windows Server 2008 R2 and a
  Cisco ASA 5510.  Here are the commands that I use for the Cisco ASA 5510:
       crypto key generate rsa modulus 2048
       crypto ca trustpoint ASA5510-trust
           enrollment url http://10.129.112.20/certsrv/mscep/mscep.dll
           enrollment retry period 5
           enrollment retry count 3
           password Interop123
           exit
       crypto ca authenticate ASA5510-trust
       crypto ca enroll ASA5510-trust
  Everything works as expected until I try to enroll. There is no prompt for the
  enrollment password and the certificate request is denied.
  ciscoasa(config)# crypto ca enroll ASA5510-trust
  % Start certificate enrollment ..
  % The fully-qualified domain name in the certificate will be: ciscoasa.avayasil.avaya.com
  % Include the device serial number in the subject name? [yes/no]: No
  Request certificate from CA? [yes/no]: yes
  % Certificate request sent to Certificate Authority
  ciscoasa(config)# The certificate enrollment request was denied by CA!
  Why isn't there a prompt for the enrollment password?
  BTW, If I set "enforcepassword" to "0" in the Windows registry, then it works.
  Thanks,

  Richard,
  In the trustpoint config you have the challange defined.
  http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/p1.html#wp1961480
  If this command is enabled, you will not be prompted for a password during certificate enrollment.
  Did you try removing it? If you're still not being asked after removing it. It's most likely a bug.
  M.

• Certificate enrollment web servce GPO enablement failure

  2012 Std R2
  Added certificate authority role with web services
  configuring via library hh831625
  I have verified that IIS has the default site ADPolicyProvider_CEP_Kerbos and I copied the URI <a href="https:///ADPolicyProvider_CEP_Kerbos/service.svc/CEP">https://<server>/ADPolicyProvider_CEP_Kerbos/service.svc/CEP
  I added a domain GPO per directions Certificate Enrollment Policy Web Services. I am editing the GPO for Computer->Policies->Windows Settings-> Security Settings->Public Key Policies. I double click Certificate Services Client - Certificate
  Enrollment Policy. I enable the policy and ADD certificate enrollment policy list. I paste the above URI, Authentication type is "Windows Integrated". When I validate server I get the following error:
  An error occurred while obtaining certificate enrollment policy
  URI:https://<server>/ADPolicyProvider_CEP_Kerbos/services.svc/CEP
  Error: The remote endpoint does not exist or could not be located. 0x803d00d (-21434855939 WS_E_ENDPOINT_NOT_FOUND)
  Help with this final validation is appreciated. Logged on as administrator with domain admin rights and enterprise Admins rights
  John Lenz

  Hi,
  Please try to do the following steps at first. Thanks.
  Configuring the CEP web address in the client
  Before I go into the steps it is important to understand that this configuration is based on the security context. You have a CEP configuration for the user, and you have another configuration for the computer. Depending on what certificates you plan on
  issuing (user or computer certificates) you may only require one of these to be configured.
  Configuring user certificate enrollment
  Run CertMgr.msc.
  Expand Certificates, then Current User.
  Expand Personal.
  Right click on Personal, and select All Tasks, then
  Advanced Operations, then Manage Enrollment Policies…
  On the Manage Enrollment Policies dialog click the Add… button. See Figure 12
  Type in the URI for the CEP service in the field. This will be in the format of:
  https://<Internet FQDN>/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
  In my example this would be:
  https://cert-enroll.fabrikam.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
  NOTE: the only thing that will be unique to your environment is the Internet FQDN of the URI.
  In the Authentication type drop down select: Username/password
  Click the Validate button.
  Once the Validate button is pressed, you will be prompted to type in a domain user name and password. Supply these credentials.
  If everything goes correctly you should see that the validation test passed in the lower section of the dialog box see Figure 13.
  NOTE: You can see in Figure 13 that the only difference is the DNS portion of this URI. If you scroll down further in the validation output, you will see the friendly name you added under the website configuration being displayed also.
  Click the Add button.
  Uncheck Enable for automatic enrollment and renewal.
  NOTE: Failure to do so could cause users to be prompted for user name and password each time they logon to the computer. This occurs because Windows Autoenrollment runs immediately after the user has logged on. If the enrollment policy is configured for automatic
  enrollment and renewal, Windows Autoenrollment will attempt to contact the configured CEP server when it starts in order to determine if new certificates have been assigned. Since this will result in the users being prompted for credentials every time they
  log on your users may be annoyed.
  Click the OK button.NOTE: Follow the same procedures to configure the Enrollment Policy server for the computer personal store if you need to enroll for computer certificates.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• CUP: Delete user certain time after request has been created

  Hi,
  Is it possible to define in CUP a delete account workflow that once the request has been created user deletion waits some time (i.e 1 month) before user is finally deleted? We would need a workflow without any approver.
  Delete User request creation >> 1 month >> User is deleted
  Thanks in advance. Best regards,
    Imanol

  Hi,
  Automatically deleting user IDs after a specific # of days is not possible in CUP. However, while creating the stage, you can define the wait time and then trigger the escalation. You can make the escalation to the Security Manager who can immediately take up the proper action, i.e., deleting the ID or making it inactive.
  Infact, this is the reason why it is recommended to have an alternative approver.
  Hope this addresses your question.
  Regards,
  Raghu

• Approval Request assigned to DELETED User

  Hi All,
  I have created an approval process with type "User" and "APPROVER" as user and then I have deleted this user in OIM. But still the approval request is getting assigned to this user "APPROVER".
  Is there way to assign this request to "SYSTEM ADMINISTRATOR" or user's manager or display a kind of error message in the "Approval Details" page.?
  Thanks & Regards
  INIYA

  Don knwo why it is going to Deleted User. It shouldn't go. If it is going then you can raise SR with Oracle.
  For your question, with custom Task Assignment Adapter you can assign it to System Administrator. If your Resource Object has some then you can make one more field with some Default Message.
  If Approver is deleted then you can update the form field with any message you want.

• Clean up user certificate in Lync Database for Deleted Account

  Hi all,
  I have a case in which several user accounts have been deleted from AD. And not like Exchange, deleted user from AD does not remove Lync data (i dont get it why they design it differently).
  From lync server, get-csusercertificate and get-csuser for those deleted account has no result as expected.
  But when i use dbanalyze /report:user for those deleted account, the user certificate is still there.
  I run Update-CsUserDatabase -Force -FQDn xyz.domain.local still the user certificates are there.
  How can i clean up those certificates instead of waiting them to be expired?
  Thanks!

  Thanks for the feedback.
  Surely because of this issue, we need remove certificate on clients, and do the "proper" way for further account deletion. 
  If anyone curious about this case, I suggest everyone using Lync Server spend some time to try this scenario:
  1. Create user on your AD (ie: [email protected] wait for replication or force it)
  2. Enable Lync account for that user 
  3. Logon to a PC with Lync Client (i used Lync Client 2013), logon using the
  [email protected] , DONT FORGET To Save Password - that's what user usually do. You may do chat, add contacts, etc.
  4. From Lync server, with command prompt, go to Lync ResKit directory, run the following command dbanalyze.exe /report:user /user:[email protected] /sqlserver:<FQDN of Lync Server>\RTCLocal.
  At the bottom of the report, there will be information about the invoked certificate with Device ID, Publication Time, and Expiration Time, and the certificate itself. There will be more than 1 certificate for test.user if you logon to another PC and save
  the password too.
  5. Now, from user PC, logoff from Lync Client. Logon to your AD, delete [email protected], wait for some time for replication. 
  6. Now go back to user PC, sign in with Lync Client. Amazingly you're still be able to sign in to Lync, do the chat, and everything, as long as you haven't delete the sign in info.
  7. For admin perspective, you may use Get-CsUser for the [email protected], or Get-CsUserCertificate or any Get-CS command, there will be no [email protected] on your Lync Server, but if you use
  dbanalyze, there will be a quite information about that user along with their certificate. <= This is the one i haven't figure any way to clean it up.
  8. Funny thing is, if you ever notice on your Lync Server, the normal user account who logon and logoff using IM client app, will be logged on Lync Server eventviewer (Windows Log - Security). But the
  [email protected] will not be logged on the eventviewer, therefore you won't know where they are login from (what PC), like a ghost account.
  I am expecting at least there is some kind of other ResKit to clean up this junk data from server database.

• NDES Certificate Enrollment on Surface fails

  Hi all
  I implemented a NDES infra based on Pietrs Blog in my Sandpit Lab (Infra runs on ConfigMgr 2012 R2 CU4), OS 2012 R2
  http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune.aspx I repeated each step sure 2 or 3 times.
  If I try to assign a Client Cert/user Cert (both of them) it always fails 0X87D1FDE8 Remediation failed as posted here
  https://social.technet.microsoft.com/Forums/en-US/15aebec7-4870-49af-8c0c-17d3d376783a/ndes-scep-certificate-profile-0x87d1fde8-remediation-failed-deployment-of-certificate-profiles?forum=configmanagermdm&prof=required
  (All Certs are new re-created. NDES, CRP new installed). If there are no enrollments of certs possible I can understand it but Android 4.2 Devices are enrolling like a charme. A Detail the NDES Server is reachable via WAP Proxy but this works (If I enter
  the Test URL I'm able to open the cert file). Finally on the Surface the Regkey in the MDM Hive is created and the NDES URi is available. All Log Files are looking fine.
  Any ideas/help or tips will be very appreciated.
  Cheers,
  +Mat

  All
  It is running know. It was a heavy war in My lab ... ;-) - and raised from several missconfigured components and  Settings. For an easier overview enclosed by component:
  CA
  I have an Enterprise Root CA with subordinated Issueing CA in the lab. Failure 1: The life time of the Issueing CA Cert is only configured for 2 years. So I changed this using certutil to 10 years (Root CA 20 years, Issueing 10 years). Failure 2: The NDES
  Template had a longer life time than the issueing CA. This raised in the failed cert request the issue "Life time incorrect"
  WAP Proxy
  On the WAP Proxy the required Settings
  Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  Value: MaxFieldLength
  Type DWORD
  Data: 65534 (decimal)
  Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters  
  Value: MaxRequestBytes
  Type DWORD
  Data: 65534 (decimal)       
  were applied but the required December Update 2014 Hotfix
  http://blogs.technet.com/b/ems/archive/2014/12/11/hotfix-large-uri-request-in-web-application-proxy-on-windows-server-2012-r2.aspx was not properly installed (the WAP Proxy is a Workgroup Server)
  NDES
  The listed http Settings above I made a mistake (Dec and Hex) so typically copy/past error.
  CRP
  At least one Server is properly configured
  Some Remarks
  Within the Policies both certs Root and Iuessing CA has to be deployed to the Root Store. Later on in the configuration for the SECP Cert enrollment the template of the issueing CA has to be choosen.
  Very happy that this is rolling. Next step is to configure the WIFI Network (NPAS) that only devices with a valid Client certificate can use them.
  The biggest pain Overall is that the logging process is not really helpful and confusing e.g. the MCSEP.log reports
  2905.902.0:<2015/4/14, 19:31:3>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 44D6EDAE C3C7C52F DE1B2CE4 9C102C22 5DF4CC54 but the enrolling is working fine. Here Microsoft should investigate for a better overview.
  Cheers,
  +mat

• Deploying user certificates to all users

  I need to deploy user certificates to all my employees. It will save me from sending them an email to load up mmc, click on certificates and then go down to user>personal and right click and request user certificate.
  I checked the user certificate permissions and domain users has enroll and read as allowed. There is no auto enroll. I then created a group policy under user configuration>Windows Settings> Security Settings>Public Key Policies.
  Under public key policies, I enabled the certificate services celient - certificate enrollment policy and checked the box for active directory enrollment. I then clicked on Certificate services client - auto enrollment and enabled it check the boxes to update
  certificates that use cert templates and renew expired certificates.
  Next I applied the GPO on the root of the domain using authenticated users for security group on the GPO so all users get it. Since I have pushed it, when I check all system using MMC> certificates no one has a user certificate. Can someone explain why
  this is not working?

  Hi,
  >>I am using windows server 2008 R2. Should I see an autoenroll permission for this user template?
  As far as I know, to enable autoenrollment, users should be granted Read, Enroll, and Autoenroll permissions.
  Regarding how to configure certificate enrollment, the following articles can be referred to as reference.
  Configure Certificate Autoenrollment
  http://technet.microsoft.com/en-us/library/cc731522.aspx
  Issuing Certificates Based on Certificate Templates
  http://technet.microsoft.com/en-us/library/Cc753452.aspx
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• Certificate Authority User Certificate one time autoenrollment

  Hi Guys,
  I am implementing EAP-TLS NPS solution for WiFi network, and I have a requirement for non exportable user certificates to be issued for a user group. Is there a way to autoenroll users with a user certificate, and if it is compromised at some point, they
  would not be able to request another one, and only domain admin would be able to enroll them again? I am not an expert, i managed to create a non exportable user certificate template, and configure autoenrollment but i want it to be more secure lets say in
  a case when a laptop would be stolen while user is logged on, i need to revoke cert and i dont want user to be able to enroll again.
  I hope you understand my question,
  Please help
  Cheers
  VK

  Hi VK,
  To enable the auto enrollment, pleae refer to the link below:
  https://technet.microsoft.com/en-us/library/dd379539(v=ws.10).aspx
  >> they would not be able to request another one
  We can set the permission in the security of the certificate template.
  Here is the screenshot of my lab server:
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Unable to import the user certificate into the Oracle Wallet Manager

  Hi,
  I am configuring the External Authentication plugin using the password filters.
  i am using the version 10.1.0.5.0 version of Oracle Wallet manager
  inorder to do that i am enabling the SSL mode.
  to enable the SSL mode i followed the some steps in OWM and OCA admin and user console.
  when i approved a certificate as admin and importing to the Oracle Wallet Manager, i got an error that
  User Certificate Installation failed.
  Possible errors:
  - Input was not a valid certificate
  - No matching certificate request found
  - CA certificate needed for certificate chain not found.
  Please install it first
  can anyone help me how to resolve this problem.

  hi,
  thanks for your reply pramod
  I tried to import the two certificate files(rootca.crt and server.crt). but i am got the same error.
  what may be the problem.

• Deleted User recovery  in SAP R/3

  Hi :
  By mistakenly I have deleted user from the user list . After some time i came to know that , that user is productive user.
  Can any one help me for how to recover the user from deleted list.
  Thanks
  Chimsi

  Hi,
  I do not think that will be possible. You can recreate the same user-id though, and he/she shall be able to carry on (get the workflow items, inbox, transport requests and so on, of the earlier user-id).
  It maybe possible to search CDHDR and CDPOS tables to get some details of user deletion.
  cheers,

• I got My Apple Developer Program Enrollment Request but till now don't get any verification

  i wanna buy developer apple account  .I got My Apple Developer Program Enrollment Request before 6 days  but till now don't get any verification . so please help us ASAP .

  We are users like you. We have nothing to do with your enrollment. You need to go to the Online Store to formally purchase and pay for the membership.

• Auto certificate enrollment for computers not happening

  Hi
  In my environment the auto certificate enrollment for computers not happening through GPO.
  Domain computers has permission of enroll on computer certificate template.
  Please suggest.
  Regards,
  Deepak S

  Hi,
  Please reconfirm the Autoenrollment group policy is configured and applied to the user or machine. Verify the Group Policy settings set the proper registry settings. If Group
  Policy is configured correctly, the next step is to troubleshoot enrollment.
  Autoenrollment requires the use of Version 2 or Version 3 Certificate Templates. Certificate Authorities must be on the appropriate OS Version and edition. The table below
  outlines OS Version and Edition support for Version 2 and Version 3 certificate templates.
  The similar thread:
  Certificate Autoenrollment for Domain Computers GPO does not work
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/3797dad9-6c4f-41e4-8c4f-ad37a7570aa4/certificate-autoenrollment-for-domain-computers-gpo-does-not-work?forum=winserversecurity
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.