Posted by Brian Komar [MVP] on September 3, 2006, 4:08 am
bowulf@gmail.com says...
> I am having difficulty setting up autoenrollment for computer
> certificates with Windows 2003 SP1 Enterprise Edition CA server. I
> have the GPO setup to perform autoenrollment and Automatic Certificate
> Request to request a computer certificate as specified in a number of
> documents. The end workstation or server upon boot or gpupdate
> responds with an Event ID 7:
>
> Automatic certificate enrollment for local system could not enroll for
> Computer certificate template due to one of the following:
> Enrollment access is not allowed to this template.
> Template subject name, signature, or hardware requirements cannot be
> met.
> No valid certificate authority can be found to issue this template.
>
> So it is obviously seeing the autoenrollment policy. I checked the
> computer template under Certificate Templates on the CA, and Computer
> was indeed set to no for autoenrollment with no option to change that.
> I selected to enable a new template (Workstation), which was yes to
> autoenrollment, but it does not appear in the Automatic Certificate
> Request Wizard as a template to request.
>
> Any help would be appreciated.
>
>
You are confusing two different automated enrollment methods.
For version 1 certificate templates (such as computer), you would deploy
these using the Automatic Certificate Request Settings GPO object.
ACRS cannot be used for version 2 certificate templates such as the
mentioned Workstation template.
For version 2 templates, you must do two things:
1) Enable the Autoenrollment Settings GPO (either for the computer or
user, depending on the target of the certificate)
2) Enable Read, Enroll, and Autoenroll permissions in the certificate
template.
For more details, see the autoenrollment whitepaper available at
http://technet2.microsoft.com/WindowsServer/en/library/615f1967-2866-4304-9f7f-1fbe027601161033.mspx
Brian
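The following PowerShell script is an added example, not code from the thread or from Brian, that checks the two prerequisites listed above for a version 2 template and reports whether the template is a version 1 (ACRS) or version 2 (Autoenrollment Settings) template. It binds to the template object in the forest Configuration naming context, reads the `msPKI-Template-Schema-Version` attribute, inspects the template ACL for Read, Enroll and Autoenroll for a chosen group, and reads the local `AEPolicy` registry value that the Autoenrollment Settings GPO writes. The template name `Workstation` and the group `Domain Computers` are assumed defaults; the Enroll and Autoenroll extended-right GUIDs are the well-known values, and the interpretation of the 0x8000 bit in `AEPolicy` as "disabled" is an assumption noted in the code.

```powershell
# Added example (not from the original thread). Verifies the prerequisites for
# version 2 template autoenrollment: template schema version (ACRS only deploys
# version 1 templates), Read/Enroll/Autoenroll permissions for a principal, and
# the local Autoenrollment Settings policy value. Run on a domain-joined host.
param(
    [string]$TemplateName = 'Workstation',      # assumption: CN of the template to check
    [string]$Principal    = 'Domain Computers'  # assumption: group expected to autoenroll
)

# Well-known extended-right GUIDs set on certificate template objects
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-11d2-9138-00c04f79dc55'
$AllRightsGuid  = [Guid]::Empty   # an ACE with an empty ObjectType grants every extended right

function Test-TemplateAutoenrollment {
    param([string]$Name, [string]$Group)

    # Certificate templates live in the Configuration naming context of the forest
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dn = "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $template = [ADSI]"LDAP://$dn"
    try { $null = $template.distinguishedName.Value } catch { throw "Template '$Name' not found at $dn" }

    # 1 = version 1 template (ACRS only); 2 or higher = autoenrollment-capable template
    $schemaVersion = [int]$template.'msPKI-Template-Schema-Version'.Value

    # Collect the Allow ACEs (explicit and inherited) that name the principal
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$Group" }

    # Read: the GUI "Read" permission includes ReadProperty
    $hasRead = [bool]($rules | Where-Object {
        ($_.ActiveDirectoryRights -band $rights::ReadProperty) -ne 0 })
    # Enroll / Autoenroll: ExtendedRight ACEs scoped to the matching right GUID (or to all rights)
    $hasEnroll = [bool]($rules | Where-Object {
        ($_.ActiveDirectoryRights -band $rights::ExtendedRight) -ne 0 -and
        ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq $AllRightsGuid) })
    $hasAutoEnroll = [bool]($rules | Where-Object {
        ($_.ActiveDirectoryRights -band $rights::ExtendedRight) -ne 0 -and
        ($_.ObjectType -eq $AutoEnrollGuid -or $_.ObjectType -eq $AllRightsGuid) })

    # The Autoenrollment Settings GPO writes AEPolicy here; the 0x8000 bit is treated
    # as "Do not enroll certificates automatically" (assumption about the bit layout)
    $aePolicy = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
                  -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    $gpoEnabled = ($null -ne $aePolicy) -and (($aePolicy -band 0x8000) -eq 0)

    [pscustomobject]@{
        Template        = $Name
        SchemaVersion   = $schemaVersion
        DeployVia       = if ($schemaVersion -le 1) { 'Automatic Certificate Request Settings (ACRS)' }
                          else { 'Autoenrollment Settings GPO' }
        Principal       = $Group
        Read            = $hasRead
        Enroll          = $hasEnroll
        Autoenroll      = $hasAutoEnroll
        AutoenrollGpoOn = $gpoEnabled
        # All four conditions from the reply must hold for a version 2 template to autoenroll
        Ready           = ($schemaVersion -ge 2) -and $hasRead -and $hasEnroll -and $hasAutoEnroll -and $gpoEnabled
    }
}

Test-TemplateAutoenrollment -Name $TemplateName -Group $Principal | Format-List
```

Run it on the workstation that logs Event ID 7: a `SchemaVersion` of 1 for `Computer` confirms that template belongs in ACRS, while a `Workstation` result with `Autoenroll` or `AutoenrollGpoOn` false points at whichever of the two steps is still missing.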