ADCS Installation (Part 13): How to enroll user certificates automatically?
Hello everyone,
The ADCS installation with an offline root CA and online issuing CA servers is working. I have renewed the web certificate on the ADCS default home page and re-configured HTTPS. I can issue certificates via the ADCS default home page.
I have applied a GPO to enroll computer certificates automatically. Computer certificates are enrolled automatically, with evidence on the online issuing CA server (certificates on the CA console).
I have created a GPO and set the following policies:
User Configuration/Windows Settings/Security Settings/Public Key Policies/Autoenrollment Settings
Enroll certificates automatically: enabled.
Renew expired certificates, update pending certificates, and remove revoked certificates: enabled
Update certificates that use certificate templates: enabled
User Configuration/Administrative Templates/Certificate Services Client
X.509 certificate and key roaming: enabled with default parameters 60, 2000, 65535
User certificates are not enrolled automatically. User certificates have not been created on the online issuing CA server.
I have checked the output of the gpresult utility. The output shows the user certificate GPO has been applied as part of the user configuration.
Why isn't user certificate autoenrollment working?
Thanks,
sjj123
Check:
1) The certificate template permissions grant Read, Enroll, and Autoenroll to the user or to a global/universal group containing the user
2) The certificate template is published at the CA
3) You have waited some time between publication and the attempt to autoenroll (to allow for replication)
4) The user account exists in the OU where the GPO is applied for user autoenrollment
Brian
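A read-only way to run checks 1 and 2 from the list above, as an added example that is not part of the original thread. It assumes it is run as the affected user on a domain-joined client; `$TemplateName` is a placeholder for the template's CN (not its display name), and Deny ACEs are not evaluated.

```powershell
# Added example: save as a .ps1 and run as the affected user. Makes no changes.
param(
    [Parameter(Mandatory)]
    [string]$TemplateName   # placeholder: CN of the user template you published
)

# Well-known extended-right GUIDs used on certificate template objects
$Enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnroll = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"
$ExtRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$ReadMask = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# SIDs in the current logon token: the user plus every group (nested ones included)
$id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

# Check 1: Allow ACEs on the template that apply to this user's token
$path = "LDAP://CN=$TemplateName,CN=Certificate Templates,$pks"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    throw "Template '$TemplateName' not found in AD (is this the CN, not the display name?)"
}
$rules = ([ADSI]$path).psbase.ObjectSecurity.GetAccessRules(
             $true, $true, [System.Security.Principal.SecurityIdentifier]) |
         Where-Object { $_.AccessControlType -eq 'Allow' -and $mySids -contains $_.IdentityReference.Value }

function Test-ExtendedRight($Rules, [guid]$Right) {
    # An empty ObjectType means "all extended rights" (for example Full Control)
    [bool]($Rules | Where-Object {
        ([int]$_.ActiveDirectoryRights -band $ExtRight) -and
        ($_.ObjectType -eq $Right -or $_.ObjectType -eq [guid]::Empty)
    })
}

# Check 2: issuing CAs whose certificateTemplates attribute lists this template
$s = [adsisearcher]'(objectClass=pKIEnrollmentService)'
$s.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pks"
$publishedOn = $s.FindAll() |
    Where-Object { $_.Properties['certificatetemplates'] -contains $TemplateName } |
    ForEach-Object { $_.Properties['cn'][0] }

[pscustomobject]@{
    Template    = $TemplateName
    Read        = [bool]($rules | Where-Object { ([int]$_.ActiveDirectoryRights -band $ReadMask) -eq $ReadMask })
    Enroll      = Test-ExtendedRight $rules $Enroll
    AutoEnroll  = Test-ExtendedRight $rules $AutoEnroll
    PublishedOn = ($publishedOn -join ', ')
}
```

If all three rights show `True` and `PublishedOn` names the issuing CA, `gpupdate /target:user /force` followed by `certutil -user -pulse` in the same session triggers an autoenrollment pass without waiting for the next logon.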