MAC OS X Certificate Enrollment

I want to use this configuration for MAC OS X certificate enrollment. What is required on the Windows PKI side for this to work? Do I need NDES or something else?
Thank you.
MCITP Exchange 2010 | MCITP Lync Server 2010 | MCTS Windows 2008

The Macintosh OS lacks any long-term certificate life-cycle management, and the difficulty of enrollment and lack of renewal generally make this unscalable. Third-party products fill the gap, such as AirWatch or MobileIron.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

Similar Messages

  • Auto certificate enrollment for computers not happening

    Hi
    In my environment the auto certificate enrollment for computers is not happening through GPO.
    Domain Computers has the Enroll permission on the computer certificate template.
    Please suggest.
    Regards,
    Deepak S

    Hi,
    Please reconfirm that the Autoenrollment group policy is configured and applied to the user or machine. Verify that the Group Policy settings set the proper registry settings. If Group Policy is configured correctly, the next step is to troubleshoot enrollment.
    Autoenrollment requires the use of Version 2 or Version 3 certificate templates. Certificate Authorities must be on the appropriate OS version and edition. The table below outlines OS version and edition support for Version 2 and Version 3 certificate templates.
    The similar thread:
    Certificate Autoenrollment for Domain Computers GPO does not work
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/3797dad9-6c4f-41e4-8c4f-ad37a7570aa4/certificate-autoenrollment-for-domain-computers-gpo-does-not-work?forum=winserversecurity
    Hope this helps.

  • No password prompt from ASA 5500 for certificate enrollment

    Greetings,
    I work in a lab testing interoperability between Avaya and Cisco VoIP products. I am setting up an environment to test Avaya 96x1 phones with VPN using SCEP going through an ASA 5510 to a backend IP PBX.
    Environment: Windows Server 2008 R2, Enterprise Edition, AD with DNS, NDES; Cisco ASA 5510 running 9.0(1)
    I would like to set up certificate enrollment between a Windows Server 2008 R2 and a Cisco ASA 5510. Here are the commands that I use for the Cisco ASA 5510:
         crypto key generate rsa modulus 2048
         crypto ca trustpoint ASA5510-trust
             enrollment url http://10.129.112.20/certsrv/mscep/mscep.dll
             enrollment retry period 5
             enrollment retry count 3
             password Interop123
             exit
         crypto ca authenticate ASA5510-trust
         crypto ca enroll ASA5510-trust
    Everything works as expected until I try to enroll. There is no prompt for the enrollment password and the certificate request is denied.
    ciscoasa(config)# crypto ca enroll ASA5510-trust
    % Start certificate enrollment ..
    % The fully-qualified domain name in the certificate will be: ciscoasa.avayasil.avaya.com
    % Include the device serial number in the subject name? [yes/no]: No
    Request certificate from CA? [yes/no]: yes
    % Certificate request sent to Certificate Authority
    ciscoasa(config)# The certificate enrollment request was denied by CA!
    Why isn't there a prompt for the enrollment password?
    BTW, If I set "enforcepassword" to "0" in the Windows registry, then it works.
    Thanks,

    Richard,
    In the trustpoint config you have the challenge defined.
    http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/p1.html#wp1961480
    If this command is enabled, you will not be prompted for a password during certificate enrollment.
    Did you try removing it? If you're still not being asked after removing it, it's most likely a bug.
    M.

  • NDES Certificate Enrollment on Surface fails

    Hi all
    I implemented an NDES infra based on Pieter's blog in my sandpit lab (infra runs on ConfigMgr 2012 R2 CU4, OS 2012 R2):
    http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune.aspx I repeated each step 2 or 3 times to be sure.
    If I try to assign a client cert/user cert (both of them) it always fails with 0x87D1FDE8 Remediation failed, as posted here:
    https://social.technet.microsoft.com/Forums/en-US/15aebec7-4870-49af-8c0c-17d3d376783a/ndes-scep-certificate-profile-0x87d1fde8-remediation-failed-deployment-of-certificate-profiles?forum=configmanagermdm&prof=required
    (All certs are newly re-created; NDES and CRP newly installed.) If no enrollments of certs were possible at all I could understand it, but Android 4.2 devices are enrolling like a charm. One detail: the NDES server is reachable via the WAP proxy, but this works (if I enter the test URL I'm able to open the cert file). Finally, on the Surface the regkey in the MDM hive is created and the NDES URI is available. All log files look fine.
    Any ideas/help or tips will be very appreciated.
    Cheers,
    +Mat

    All
    It is running now. It was a heavy war in my lab ... ;-) and arose from several misconfigured components and settings. For an easier overview, here it is by component:
    CA
    I have an Enterprise Root CA with a subordinate Issuing CA in the lab. Failure 1: The lifetime of the Issuing CA cert was only configured for 2 years, so I changed this using certutil to 10 years (Root CA 20 years, Issuing 10 years). Failure 2: The NDES template had a longer lifetime than the Issuing CA. This raised the issue "Lifetime incorrect" in the failed cert request.
    WAP Proxy
    On the WAP proxy the required settings
    Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
    Value: MaxFieldLength
    Type: DWORD
    Data: 65534 (decimal)
    Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
    Value: MaxRequestBytes
    Type: DWORD
    Data: 65534 (decimal)
    were applied, but the required December 2014 Update hotfix
    http://blogs.technet.com/b/ems/archive/2014/12/11/hotfix-large-uri-request-in-web-application-proxy-on-windows-server-2012-r2.aspx was not properly installed (the WAP proxy is a workgroup server).
    NDES
    In the HTTP settings listed above I made a mistake (dec vs. hex), so a typical copy/paste error.
    CRP
    At least one server is properly configured.
    Some Remarks
    Within the policies both certs, Root and Issuing CA, have to be deployed to the Root store. Later on, in the configuration for the SCEP cert enrollment, the template of the Issuing CA has to be chosen.
    Very happy that this is rolling. Next step is to configure the WiFi network (NPAS) so that only devices with a valid client certificate can use it.
    The biggest pain overall is that the logging process is not really helpful and is confusing, e.g. the mscep.log reports
    2905.902.0:<2015/4/14, 19:31:3>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 44D6EDAE C3C7C52F DE1B2CE4 9C102C22 5DF4CC54
    but the enrolling is working fine. Here Microsoft should investigate for a better overview.
    Cheers,
    +mat
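A check for the two HTTP.sys values listed in the post above, added here as an example and not part of Mat's post or any Microsoft documentation: it reads both parameters, flags the decimal-typed-as-hex mistake the post describes (65534 entered in the hex field is stored as 0x65534 = 415028), and can rewrite them as decimal DWORDs. The key path, value names and expected values come from the post; the function name and the -Fix switch are the example's own.

```powershell
# Added example: verify (and optionally repair) the HTTP.sys request-size limits
# the post sets on the WAP proxy and on the NDES server. Run elevated.
$HttpParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$WantedValues  = @{ MaxFieldLength = 65534; MaxRequestBytes = 65534 }   # decimal, per the post

function Test-HttpSysRequestLimits {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = $HttpParamsKey,
        [hashtable]$Wanted = $WantedValues,
        [switch]$Fix        # rewrite any value that is missing or wrong
    )
    $current = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in ($Wanted.Keys | Sort-Object)) {
        $expected = [int]$Wanted[$name]
        # "65534" typed into regedit's hex field is stored as 0x65534 = 415028:
        # the dec/hex copy-paste error the post describes.
        $hexTypo  = [Convert]::ToInt32($expected.ToString(), 16)
        $actual   = if ($null -ne $current) { $current.$name } else { $null }

        $status = if ($null -eq $actual)         { 'MISSING (value never set)' }
                  elseif ($actual -eq $expected) { 'OK' }
                  elseif ($actual -eq $hexTypo)  { 'WRONG (decimal typed as hex)' }
                  else                           { 'WRONG' }

        if ($Fix -and $status -ne 'OK' -and
            $PSCmdlet.ShouldProcess("$Path\$name", "set DWORD to $expected")) {
            # DWord stores the number itself; -Force overwrites an existing value
            New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $expected -Force | Out-Null
            $status = 'FIXED (restart required)'
        }

        [pscustomobject]@{
            Name      = $name
            Expected  = $expected
            Actual    = $actual
            ActualHex = if ($null -ne $actual) { '0x{0:X}' -f [int64]$actual } else { $null }
            Status    = $status
        }
    }
}

# Report only; add -Fix (with -WhatIf or -Confirm) to repair.
Test-HttpSysRequestLimits | Format-Table -AutoSize
# Test-HttpSysRequestLimits -Fix -Confirm
```

HTTP.sys reads these parameters only at start-up, so a reboot (or a restart of every service that binds through HTTP.sys) is needed after changing them.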

  • Certificate Enroll Errors RPC Server Is Unavailable

    I have a scenario in which I would like some advice before moving on. We have a Server 2012 root CA that was put in about a year to a year and a half ago, and at the same time there was another 2008 R2 root CA that was installed on a DC that was hosting FSMO roles. Well, that DC started to die, so we transferred the FSMO roles and removed certificate services. However, we only uninstalled the role, but as I understand, there is a bit of cleanup to do in AD beyond just removing the role. So when we started to perform the first step, I noticed remnants of old servers that are no longer around. I've discovered that our previous admin had made 3 other servers (I believe all 2003) that have all completely gone away and yet are still listed in the Trusted Root Certification Authorities on all computers, and I find in the event log the following error when I log in to our domain machines, of them trying to contact each of the old CA servers:
    Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID N/A from server.domain.org\server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
    Now I have no way of knowing whether or not this admin actually properly removed the role before decommissioning these servers, and I have no idea why we needed so many servers to be root CAs in the first place. Anyhow, I was wondering if the proper procedure would be to remove the root trusted certs from group policy and then clean up the remnant entries in AD as described in the Microsoft documentation on removing a root CA from your environment. I still see some errors and machines requesting to check for stuff like CRLs with the most recent root CA that we removed, so I just wanted to check to see if all of these errors will go away once we finish the cleanup and if there is anything special that needs to be done for the potentially orphaned root CAs. We did take a backup of the 2008 R2 CA (the one that was on the dying DC) before we removed the role, and I have confirmed that our production CA (the one that we would like to remain in production; it is a sub CA of an offline root) has already issued new machine and DC certs to our domain machines and domain controllers.
    Sorry for the lengthy post. Please let me know if any more information is required, and thank you in advance!

    Hello,
    The root CA is normally the first one in a forest, issuing the certificates for the subordinate CAs if required, or for certificates.
    http://technet.microsoft.com/en-us/library/cc731183.aspx
    So there is no need for multiple root CAs.
    To get rid of everything old and be sure the CA is configured correctly for your needs, I suggest asking this in
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

  • Cisco CA + Cisco VPN Client - Error 42: Unable to create certificate enrolment request

    We find ourselves in a difficult situation with the Cisco VPN Client version 5.0.07.0290, where it keeps giving us an "Error 42: Unable to create certificate enrolment request" when we attempt to use the Online enrolment method to create and enrol a new certificate.
    There is no additional information in the VPN client logs, where we have set 3-High for all logs.
    In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
    To create and enrol a certificate we do the following:
    1. Click on the Enroll button to show the Certificate Enrolment dialog
    2. Select  Online
    3. Select <New> for Certificate Authority
    4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
    5. Click Next to display the dialog where we can enter certificate details
    6. Enter details in all fields except IP Address and Domain
    7. Click Enroll, which shows a dialog with the Error 42 ... message in it.
    If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrolment request.
    The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem.
    We will be grateful for any assistance that you can provide with this issue. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64-bit machine and attempted the steps listed above.
    Thank you
    Emil

    FYI, I just came up against this problem and the solution in my instance was to ensure that the Cisco CA Server was configured to automatically grant certificate requests.
    Cisco2691#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Cisco2691(config)#crypto pki server CERTSERVER
    Cisco2691(cs-server)#grant ?
      auto     Automatically grant incoming SCEP enrollment requests
      none     Automatically reject any incoming SCEP enrollment request
      ra-auto  Automatically grant RA-authorized incoming SCEP enrollment request
    Cisco2691(cs-server)#grant auto
    % The CS config is locked. You need to shut the server off before changing its configuration.
    Cisco2691(cs-server)#shut
    Cisco2691(cs-server)#grant auto
    Cisco2691(cs-server)#
    Mar 25 19:39:53.356: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
    Cisco2691(cs-server)#no shut
    % Certificate Server enabled.

  • Deleted user Certificate enrollment requests

    We have a user account, "Temp_admin", which was set up as a temporary domain admin and which was deleted a few months ago. For some reason this account is still triggering and successfully being authenticated for certificate enrollment on our internal certificate server, at least according to the application log on DC#4. Looking at the logs on our certificate server, this user does not even exist. Event IDs 64 and 65 every 3-4 minutes with this. Any idea how to stop this or at least keep it from authenticating?
    Server 2008 R2 domain.
    Certificate enrollment for *******\Temp_admin successfully load policy from policy server 
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
        <EventID Qualifiers="33370">64</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-02T19:56:04.000000000Z" />
        <EventRecordID>99069</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>MDSTVDC04.*******.local</Computer>
        <Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
      </System>
      <EventData>
        <Data Name="Context">*******\Temp_admin</Data>
        <Data Name="ServerID" />
      </EventData>
    </Event>
    Certificate enrollment for *******\Temp_admin is successfully authenticated by policy server {0E730552-3DDB-465A-83AD-CFAF040B236B}
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
        <EventID Qualifiers="33370">65</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-02T19:56:04.000000000Z" />
        <EventRecordID>99068</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>MDSTVDC04.*******.local</Computer>
        <Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
      </System>
      <EventData>
        <Data Name="Context">*******\Temp_admin</Data>
        <Data Name="ServerURL">{0E730552-3DDB-465A-83AD-CFAF040B236B}</Data>
      </EventData>
    </Event>

    Temp_admin is deleted from the domain.
    sid2username output: Error evaluating user name. Some or all identity references could not be translated.
    Tested with known accounts and they work, so the Temp account cannot be found.
    First thing I tried to do was search the AD domain by both the SID and username, and they could not be found. I was involved in a motorcycle accident and a temp was hired for the 3 months I was away. The temp did not leave on good terms and the account was deleted as soon as she left the building.
    This user was still listed under user profiles in the registry with that SID.
    I deleted all references to the SID from the registry on that DC and restarted the server, and the issue has disappeared. Really don't think I should have had to go this route though.
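The check a defender would want for the symptom in this thread, added here as an example and not part of the poster's own work: pull CertEnroll events 64 and 65 from the Application log, translate the SID in each event's Security/UserID field, report the ones that no longer map to an account (the sid2username failure above), and optionally look for the leftover ProfileList key under that SID, which is where the poster found the stale reference. Provider name, event IDs, the UserID and Context fields and the sample SID are taken from the event XML in the post; the function name, the EXAMPLE domain in the constructed sample and the output shape are this example's own.

```powershell
# Added example: find certificate-enrollment events whose SID has no account behind it.
function Get-OrphanedCertEnrollContexts {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [xml[]]$EventXml,                 # pre-exported events; omit to query the live log
        [switch]$CheckProfileList         # also look for a stale ProfileList key (local machine only)
    )
    if (-not $EventXml) {
        $EventXml = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
            Id           = 64, 65
        } -ErrorAction Stop | ForEach-Object { [xml]$_.ToXml() }
    }
    foreach ($doc in $EventXml) {
        $sys     = $doc.Event.System
        $sid     = $sys.Security.UserID
        $context = ($doc.Event.EventData.Data | Where-Object Name -eq 'Context').'#text'

        $account  = $null
        $orphaned = $null                 # stays $null if the lookup itself failed
        try {
            $account  = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
            $orphaned = $false
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $orphaned = $true             # the thread's symptom: SID with no account behind it
        } catch {
            Write-Warning "SID lookup for $sid failed: $($_.Exception.Message)"
        }

        # A leftover profile for a deleted SID is what the poster eventually removed by hand.
        $profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"

        [pscustomobject]@{
            Time         = [System.Xml.XmlConvert]::ToDateTime($sys.TimeCreated.SystemTime,
                               [System.Xml.XmlDateTimeSerializationMode]::Utc)
            EventId      = [int]$sys.EventID.'#text'
            Computer     = $sys.Computer
            Context      = $context
            Sid          = $sid
            ResolvesTo   = $account
            Orphaned     = $orphaned
            StaleProfile = if ($CheckProfileList) { Test-Path $profileKey } else { $null }
        }
    }
}

# Constructed sample event: shape and SID copied from the post, domain replaced by EXAMPLE.
$sampleEvent = [xml](@(
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">',
    '  <System>',
    '    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" EventSourceName="CertEnroll" />',
    '    <EventID Qualifiers="33370">64</EventID>',
    '    <TimeCreated SystemTime="2014-09-02T19:56:04.000000000Z" />',
    '    <Channel>Application</Channel>',
    '    <Computer>MDSTVDC04.example.local</Computer>',
    '    <Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />',
    '  </System>',
    '  <EventData><Data Name="Context">EXAMPLE\Temp_admin</Data><Data Name="ServerID" /></EventData>',
    '</Event>') -join "`n")

# The sample SID belongs to no domain you are joined to, so it reports Orphaned = True.
Get-OrphanedCertEnrollContexts -EventXml $sampleEvent | Format-List
# Against the live log on the DC that records the events:
# Get-OrphanedCertEnrollContexts -CheckProfileList | Where-Object Orphaned | Format-Table -AutoSize
```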

  • Certificate enrollment web service GPO enablement failure

    2012 Std R2
    Added certificate authority role with web services
    configuring via library hh831625
    I have verified that IIS has the default site ADPolicyProvider_CEP_Kerbos and I copied the URI https://<server>/ADPolicyProvider_CEP_Kerbos/service.svc/CEP
    I added a domain GPO per the directions in Certificate Enrollment Policy Web Services. I am editing the GPO for Computer -> Policies -> Windows Settings -> Security Settings -> Public Key Policies. I double click Certificate Services Client - Certificate Enrollment Policy. I enable the policy and ADD a certificate enrollment policy list. I paste the above URI; Authentication type is "Windows Integrated". When I validate the server I get the following error:
    An error occurred while obtaining certificate enrollment policy
    URI:https://<server>/ADPolicyProvider_CEP_Kerbos/services.svc/CEP
    Error: The remote endpoint does not exist or could not be located. 0x803d00d (-21434855939 WS_E_ENDPOINT_NOT_FOUND)
    Help with this final validation is appreciated. Logged on as administrator with domain admin rights and enterprise Admins rights
    John Lenz

    Hi,
    Please try to do the following steps at first. Thanks.
    Configuring the CEP web address in the client
    Before I go into the steps it is important to understand that this configuration is based on the security context. You have a CEP configuration for the user, and you have another configuration for the computer. Depending on what certificates you plan on issuing (user or computer certificates) you may only require one of these to be configured.
    Configuring user certificate enrollment
    Run CertMgr.msc.
    Expand Certificates, then Current User.
    Expand Personal.
    Right click on Personal, and select All Tasks, then
    Advanced Operations, then Manage Enrollment Policies…
    On the Manage Enrollment Policies dialog click the Add… button. See Figure 12
    Type in the URI for the CEP service in the field. This will be in the format of:
    https://<Internet FQDN>/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
    In my example this would be:
    https://cert-enroll.fabrikam.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
    NOTE: the only thing that will be unique to your environment is the Internet FQDN of the URI.
    In the Authentication type drop down select: Username/password
    Click the Validate button.
    Once the Validate button is pressed, you will be prompted to type in a domain user name and password. Supply these credentials.
    If everything goes correctly you should see that the validation test passed in the lower section of the dialog box see Figure 13.
    NOTE: You can see in Figure 13 that the only difference is the DNS portion of this URI. If you scroll down further in the validation output, you will see the friendly name you added under the website configuration being displayed also.
    Click the Add button.
    Uncheck Enable for automatic enrollment and renewal.
    NOTE: Failure to do so could cause users to be prompted for user name and password each time they log on to the computer. This occurs because Windows Autoenrollment runs immediately after the user has logged on. If the enrollment policy is configured for automatic enrollment and renewal, Windows Autoenrollment will attempt to contact the configured CEP server when it starts in order to determine if new certificates have been assigned. Since this will result in the users being prompted for credentials every time they log on, your users may be annoyed.
    Click the OK button.
    NOTE: Follow the same procedures to configure the Enrollment Policy server for the computer personal store if you need to enroll for computer certificates.

  • Certificate enrollment via SunPKCS11

    Hi, my question is whether certificate enrollment is possible via the SunPKCS11 provider.
    Generating a key pair is possible and easy by using the standard KeyPairGenerator also implemented by SunPKCS11.
    Generating a PKCS10 certificate request is also possible and easy, although it entails using the sun.security package.
    At this point, one would assume that the worst is over, as the last required operation is installing the certificate received from the certification authority. Alas, the SunPKCS11 provider seems to prevent such a basic operation.
    The setCertificateEntry() method implemented by the SunPKCS11 provider, via the P11KeyStore class, just refuses to install a normal end-entity certificate -- and this is documented! Absolutely nonsensical.
    Can anyone provide hints / suggestions to overcome this frustrating problem?

    Hi,
    Have you found the solution for this problem? I am also having the same problem as you. The stranger thing for me is that I can't even use the P11KeyStore, though I can find this class in sunpkcs11.jar. Please advise. I am meeting my deadline right now.
    Thanks.

  • ASA Local CA certificate enrollment invitation

    Hi,
    I have been looking for the answer for a while.....
    My ASA is version 8.2.1.
    I am planning to use the ASA local CA to distribute certificates for SSL VPN users.
    After I create a user and email OTP, you get the E-mail like below.
    (The following example is found at http://www.cisco.com/japanese/warp/public/3/jp/service/manual_j/sec/asa/caclcg4/chapter39/12172_01_39.shtml)
    Date: 12/22/06
    To: [email protected]
    From: Wuseradmin
    Subject: Certificate Enrollment Invitation
    You have been granted access to enroll for a certificate.
    The credentials below can be used to obtain your certificate.
    Username: [email protected]
    One-time Password: C93BBB733CD80C74
    Enrollment is allowed until: 15:54:31 UTC Thu Dec 27 2006
    NOTE: The one-time password is also used as the passphrase to unlock the certificate file.
    Please visit the following site to obtain your certificate:
    https://wu5520-FO.frdevtestad.local/+CSCOCA+/enroll.html
    You may be asked to verify the fingerprint/thumbprint of the CA certificate
    during installation of the certificates. The fingerprint/thumbprint should be:
    MD5: 76DD1439 AC94FDBC 74A0A89F CB815ACC
    SHA1: 58754FFD 9F19F9FD B13B4B02 15B3E4BE B70B5A83
    My question is where the hostname (wu5520-FO.frdevtestad.local) of the URL comes from.
    I thought it came from the hostname of the ASA, so I changed the hostname of the ASA.
    However, the URL did not change.
    Any comment would be greatly appreciated.
    Thanks,
    Taro

    Hello Taro,
    Agree with Atri,
    I have not dealt with these cases, but it makes sense that you need to reset the CA server, as it's basically using a different configuration set for the FQDN.
    As soon as you enable the ASA CA capability the URL will be created based on the FQDN, so as long as it's up and running it will not change... That's how I see it.
    Give it a try and let us know.
    I think you can only remove the CA config with
    clear config crypto ca server
    So be careful.
    Regards
    Julio

  • MAC OS X Certificates question in SCCM 2012 R2

    We recently switched our SCCM environment over to HTTPS/PKI and everything has been working well. We were now wanting to include Macs in our environment for some asset reporting. But we recently started to notice some errors on the enrollment server. If we re-image a Mac and re-enroll it to SCCM, it creates another record and cert, I believe. So what I was doing was deleting the old record, which seemed like not a big deal till we started getting the errors below.
    Our Mac clients are not bound to AD, by the way, either.
    Failed to revoke Certificate on CA: ******\DUQCA1 with serial number: 1*******00000000573F. Check CA permission.
    ICertAdmin2 RevokeCertificate failed: Access is denied.
    Do we need to make the user able to revoke the permissions also? I did not see this in the step by step from Microsoft. What would best practice be?

    Hi,
    As far as I know, there is no other way except manually deleting them.
    Best Regards,
    Joyce

  • ADCS certificate enrollment error with RPC

    I'm attempting to enroll for a computer certificate; this works for Windows clients (W7), but not for the Apple (OS 10.9.4) clients. I've been using the following document, with no success (http://support.apple.com/kb/HT5357). The enrollment is being attempted from a mobileconfig generated from an OS X server. The payload is limited to only ADCertificatePayload to limit how much to troubleshoot. We are also limiting the enrollment to a single Issuing CA to limit where to look for communication. I greatly appreciate any assistance you can provide.
    This is the ManagedClient.log from /Library/Logs:
    +||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||
    Sep  3 13:44:20[562:1]:+|||||||||||||| Calling installPayload on plugin: ADCertificatePayloadPlugin ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
    Sep  3 13:44:20[562:1]:+|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
    Sep  3 13:44:20[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload
    Sep  3 13:44:20[562:1]:+ADCertificatePayloadPlugin scheme overrides HTML to use RPC; scheme = (null)
    Sep  3 13:44:20[562:1]:+ADCertificatePayloadPlugin using RPC = YES
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.boundADInformationWithError dict =
        computerID = AppleWorkID;
        domainName = "FQDN.com";
        name = domainname;
        subject = "/CN=AppleWorkID.FQDN.com";
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.credentialsForDomain domainname = domainname; username = AppleWorkID$
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer credentials username = AppleWorkID$
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer gss_aapl_initial_cred status = 0
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer running as euid = 0
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer ca_name = IssuingCA
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer servername = IssuingCA.FQDN.com
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer cert_template = AppleWorkstation
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer csr length = 624
    Sep  3 13:44:21[562:1]:+Using RPC authn_level: 6
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer partial_string_binding = ncacn_ip_tcp:IssuingCA.FQDN.com[]
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer using principal name:  host/IssuingCA.FQDN.com
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer dwFlags is ff
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer Calling CertServerRequest...
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer CertServerRequest return pdwRequestId = 0
    Sep  3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest exception name :
    Sep  3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest -2147024809
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer server returned cert = FAILED
    Sep  3 13:44:21[562:1]:+**************** AD certificate getCertificateFromServer failed
    Sep  3 13:44:21[562:1]:+:::::::::::::::: ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = -319
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = fail
    Sep  3 13:44:21[562:1]:+**************** Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The 'Active Directory Certificate' payload could not be installed. The certificate request failed." UserInfo=0x7fbd4157b540 {NSLocalizedDescription=The 'Active Directory Certificate' payload could not be installed. The certificate request failed.} from: InstallPayload in ADCertificatePayloadPlugin
    The template, 'AppleWorkstation' template seems to have all the settings set correctly, but I'll go through them all.
    General: Both display name and template name = "AppleWorkstation"
    Compatibility -> CA: Windows Server 2008 R2
    Compatibility -> Certificate recipient: Windows 7 / Server 2008 R2
    Request Handling -> Purpose: Signature and Encryption
    Cryptography -> Algorithm name: RSA
    Cryptography->Minimum key size:2048
    Cryptography->Request hash:SHA256
    Security: Both the windows and mac domain computer objects have (read,enroll, autoenroll).
    Subject Name->Build from this Active Directory information: Subject name format: common name
    Subject Name: Only UPN is checked
    The schema version of the template is 3 and the version of the template is 100.43
    Both computers are joined to the Active Directory 2008 R2 domain. Certificate services exist within the site on their own dedicated servers. The CAs are as follows: 1 x 2012 R2 for the offline root and 2 x Issuing CAs.

    Hi Alexander,
    But by group should work by design, or did I get something wrong
    I am not sure that I understand this query correctly, so I'll just put it this way; feel free to correct me if I misunderstood:
    Access control assignment on a group will grant corresponding permissions to all members within it; these are called inherited permissions.
    If there is a direct access control entry which assigns permissions to a single security principal belonging to the group, then the direct permissions take precedence; these are called explicit permissions.
    Well, if a security principal belongs to two or more groups, and each group gets conflicting permissions, then the more restrictive (deny or not allow) ones take precedence. This rule is the same with explicit permissions: more restrictive ones have higher precedence.
    In addition, here are some scripting forums below for you if there are any scripting requirements:
    The Official Scripting Guys Forum
    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
    Windows PowerShell Forum
    https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverpowershell&filter=alltypes&sort=lastpostdesc
    MSDN Forums
    https://social.msdn.microsoft.com/Forums/en-US/home
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
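A small model of the precedence rules described in the reply above (explicit entries over group-inherited ones, Deny over Allow), added here as an illustration and not code from the thread; the group memberships and the template ACL are constructed, and the evaluation follows the simplified order stated in the reply rather than Windows' full DACL algorithm.

```python
from dataclasses import dataclass

# The three template rights the question is about.
PERMISSIONS = ("Read", "Enroll", "Autoenroll")


@dataclass(frozen=True)
class Ace:
    principal: str   # an account (computer or user) or a group name
    permission: str  # one of PERMISSIONS
    allow: bool      # True = Allow, False = Deny


# Constructed sample data: group membership and a certificate template ACL.
GROUP_MEMBERS = {
    "Domain Computers": {"PC01$", "PC02$", "MAC01$"},
    "Legacy Clients": {"PC01$", "PC02$"},
}

TEMPLATE_ACL = [
    Ace("Domain Computers", "Read", True),
    Ace("Domain Computers", "Enroll", True),
    Ace("Domain Computers", "Autoenroll", True),
    Ace("Legacy Clients", "Autoenroll", False),  # conflicting group Deny
    Ace("MAC01$", "Autoenroll", False),          # explicit Deny on one account
    Ace("PC02$", "Autoenroll", True),            # explicit Allow on one account
]


def groups_of(principal, members=GROUP_MEMBERS):
    """Return the set of groups the principal is a member of."""
    return {g for g, accounts in members.items() if principal in accounts}


def effective_permissions(principal, acl=TEMPLATE_ACL, members=GROUP_MEMBERS):
    """Map each permission to True (granted) or False (denied or absent).

    Simplified model of the reply's rules: an explicit ACE for the principal
    beats any group ACE; within each level, a single Deny beats any Allow;
    with no matching ACE at all, the permission is not granted.
    """
    groups = groups_of(principal, members)
    result = {}
    for perm in PERMISSIONS:
        explicit = [a.allow for a in acl if a.permission == perm and a.principal == principal]
        inherited = [a.allow for a in acl if a.permission == perm and a.principal in groups]
        if explicit:
            result[perm] = all(explicit)
        elif inherited:
            result[perm] = all(inherited)
        else:
            result[perm] = False
    return result
```

Running `effective_permissions("PC01$")` shows Autoenroll refused because the Legacy Clients Deny outranks the Domain Computers Allow, while `PC02$` keeps Autoenroll through its explicit Allow.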

  • UAG Certificate Enrollment Error, Logon Failure.

    Hi All,
    I have been configuring UAG with the help of the TLG provided online. On one machine I have to enroll the IP-HTTPS listener certificate. For that I have followed these steps:
    Run > mmc > files > Add/Remove snap-in > certificate
    On the new window I select Computer account, then Next,
    then Local Computer, then Finish.
    Now, right-click on the details pane: All Tasks > Request New Certificate > AD Enrollment policy
    After clicking Next I am getting this error:
    Enrollment Error
    Logon Failure: Unknown Username or Bad Password.
    Recently I have changed only this system's password (System Name UAG2SERVER).
    Can anyone please help.

    Hi,
    have you created a rule in the TMG console to allow all traffic to your CA? Otherwise the cert enrollment will fail.
    I do not understand what you mean when you say you have changed the system password. Are you logged in with a domain account?
    regards,
    Lutz

  • Certificate Enrollment Problem

    I have a Windows Server 2008 Enterprise Root CA with a different Windows 2008 Server running the Cert Enrollment website (using SSL). Any certificate that I attempt to request (Vista or XP) results in:
    ============================================
    Your request failed. An error occurred while the server was processing your request.
    Contact your administrator for further assistance.
    Request Mode:
    newreq - New Request
    Disposition:
    (never set)
    Disposition message:
    (none)
    Result:
    The RPC server is unavailable. 0x800706ba (WIN32: 1722)
    COM Error Info:
    CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722)
    LastStatus:
    The operation completed successfully. 0x0 (WIN32: 0)
    Suggested Cause:
    This error can occur if the Certification Authority Service has not been started.
    =================================
    The Windows Firewall is off between the web enrollment server and the CA, but only 443 is open in to the web enrollment server from externally.
    What am I missing here?  This is rapidly becoming a showstopper.
    Thanks,
    BH

    I'm having a slightly related problem. I have Certificate Services running on a Windows 2008 Enterprise Edition 64-bit. I installed it as an Enterprise subordinate CA, using a certificate from the original enterprise CA. It is set up as  I am trying to enroll a certificate on another computer. When I use "Automatically Enroll and Retrieve Certificates", I see the certificate I want. However, when I try to enroll it I get the following error:
    The RPC server is unavailable.
    The certificate request could not be submitted to the certificate authority
    There are no firewalls between the certificate authority and I tried using the certutil ping command as stated above and I got an 'is alive' reply from the CA.
    Any idea what my hang-up could be?

  • Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

    I have a lot of background on this question so bear with me please. :)
    I am tasked with getting our domain from 2003 to 2008 level. In order to do that I brought up a 2008 R2 server into the domain and did dcpromo to get it to "play" with the two other 2003 DCs. All is working pretty well except that I'm getting the auto-enrollment error above, not because of a configuration error but because before I even came to work here the Root CA machine was taken out of service and disposed of! So the "unable to contact" is a true error. The machine no longer exists! I'm sure I'll have to re-setup a Root CA but wanted some guidance on the path to take on getting from where I am (broke!) back to healthy!
    thanks in advance,
    Leo

    Hi Vadims,
    I do have exactly the same problem as described above. The Root CA no longer exists and the certificates are about to expire; however, I have checked the expiration date of the certificate using certmgr in the AD servers (three-server cluster) and I have found different expiry dates for the same certificate, as described below.
    Trusted Root Certification Authorities > CONTOSO-CA (exp 17/05/2018)
    Intermediate Certification Authorities > CONTOSO-CA (exp 17/05/2018)
    Active directory User Object > CONTOSO-CA (exp 17/05/2014)
    We currently have an AD cluster composed of three Windows Server 2008 machines and no Certificate Authority role currently installed on any of them.
    I also have seen using certmgr that all machines in the company have the certificate CONTOSO-CA in the following way:
    Trusted Root Certification Authorities > CONTOSO-CA (exp 17/05/2018)
    Intermediate Certification Authorities > CONTOSO-CA (exp 17/05/2018)
    Active directory User Object > Not present
    My question is, can I safely decommission the certificate following the procedure stated above (step 6)? What will be the impact of this certificate (Active directory user object) expiring?
    Thanks in advance
    Cesar
