ChrisButlerHoward-7728 asked HannahXiong-MSFT commented

Server 2008 NPS certificates - alternative to PKI auto-enrol

I've reached the conclusion that Server 2008 doesn't support auto-enrol of certificates for NPS using PKI infrastructure. We receive this error: The requested certificate template is not supported by this CA.

I realise my options are and should be to upgrade this server to something close to a recent OS but since I've inherited this infrastructure and the plan is to replace it in the next few months, I want to get NPS up and running for wireless authentication for domain computers urgently.

Can someone answer whether using a certificate from an authority such as GoDaddy or VeriSign would make this work? Or is it a case that auto-enrol just won't work at all on Server 2008 and it isn't just PKI?

If an external CA will work, can anyone direct me to some decent documentation for getting this up and running?

Thanks,

Chris

windows-server-security, windows-server-infrastructure

Hello,

Does this question have any update or has this issue been solved? Also, for the question, is there any other assistance we could provide?

If the reply is helpful, we would appreciate it if you would accept it as the answer.

Thank you so much for your time and support.

Best regards,
Hannah Xiong

HannahXiong-MSFT answered

Hello,

Thank you so much for posting here.

So sorry that we do not have Server 2008 in my test environment, so we could not do the test. Since we configured the auto-enrollment, could other servers get the certificate?

As for the error: The requested certificate template is not supported by this CA, we could refer to the below article to check whether it helps.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/ca-cant-use-certificate-template

Besides, we are not professional with the external CA, so sorry that we could not provide any information. It is suggested that we could contact the external CA to get more professional assistance.

Thank you so much for your understanding and support.


Best regards,
Hannah Xiong

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Crypt32 answered

"We receive this error: The requested certificate template is not supported by this CA."

This error indicates that there is no CA in the forest that has the requested template assigned. You have to go to the CA, navigate to the Certificate Templates node and add the requested template for issuance.

As of Windows Server 2008: only Enterprise and Datacenter editions support V2 and newer templates. For Standard edition, you can use the Automatic Certificate Request GPO option that allows computer certificate autoenrollment using V1 templates.
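
The checks raised in this thread (short versus friendly template name, whether any CA has the template assigned, and the template's schema version), as an added example that is not part of any poster's reply. It is a read-only PowerShell script that queries the AD configuration partition through ADSI; the template name `NPSServerCert` is a hypothetical placeholder, and it assumes PowerShell 2.0 or later on a domain-joined machine.

```powershell
# Added diagnostic example (not from the thread). Read-only, ADSI only, so it
# also runs on older PowerShell without the ActiveDirectory or PKI modules.
param([string]$TemplateName = 'NPSServerCert')   # hypothetical template name

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Find-PkiObject([string]$Container, [string]$Filter, [string[]]$Props) {
    $root = [ADSI]"LDAP://$Container,$pkiBase"
    $ds = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $ds.SearchScope = 'OneLevel'
    foreach ($p in $Props) { [void]$ds.PropertiesToLoad.Add($p) }
    $ds.FindAll()
}

# Escape LDAP filter metacharacters in the supplied name.
$safe = $TemplateName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'

# Match on either the short name (cn) or the friendly name (displayName).
$tpl = Find-PkiObject 'CN=Certificate Templates' `
    "(&(objectClass=pKICertificateTemplate)(|(cn=$safe)(displayName=$safe)))" `
    'cn','displayname','mspki-template-schema-version' | Select-Object -First 1
if (-not $tpl) { Write-Warning "No template named '$TemplateName' in this forest."; return }

$short    = [string]$tpl.Properties['cn'][0]
$friendly = [string]($tpl.Properties['displayname'] | Select-Object -First 1)
$verProp  = $tpl.Properties['mspki-template-schema-version']
$version  = if ($verProp.Count) { [int]$verProp[0] } else { 1 }  # treated as V1 when absent

"Template short name : $short"
"Friendly name       : $friendly"
"Schema version      : V$version"

# Each Enterprise CA lists the short names it issues in certificateTemplates.
$cas = @(Find-PkiObject 'CN=Enrollment Services' '(objectClass=pKIEnrollmentService)' `
    'cn','dnshostname','certificatetemplates')
foreach ($ca in $cas) {
    $issues = @($ca.Properties['certificatetemplates']) -contains $short
    "CA {0} on {1} issues '{2}': {3}" -f $ca.Properties['cn'][0],
        $ca.Properties['dnshostname'][0], $short, $issues
}
if ($version -ge 2) {
    Write-Warning "V$version template: per this thread, a Windows Server 2008 Standard edition CA cannot issue it."
}
```

A `False` for every CA corresponds to the "no CA has the template assigned" case; a V2 or V3 result on a Standard edition CA corresponds to the edition limit described above.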



ChrisButlerHoward-7728 answered ChrisButlerHoward-7728 commented

Hi both,

Thanks for your replies.

@HannahXiong-MSFT - I have come across numerous articles and posts referencing these permissions and the template has Authenticated Users with Read access so I've ruled this out as the issue.

@Crypt32 - I'll investigate the GPO option you suggest and see how I get on. The template is already added for issuance but I believe the error is being returned because it can only use the V1 template which doesn't allow auto-enrollment (by my understanding).

Thanks


@Crypt32 - I've actually already configured the auto-enrol via GPO so this doesn't work either, returning that error in the Failed Requests section of AD CS.

50497-image.png



And just to add further to this, the certificate that I've issued is shown below along with the certificate name in the error message:

50478-image.png

50479-image.png


HannahXiong-MSFT answered

Hello Chris,

Thank you so much for your kind reply.

As for the error message, "The problem is caused because no certificate template was selected or inside the GUI the friendly template name rather than the short name (which didn't include spaces) was used.

Solution: Create a new certificate request via the Lync deployment GUI using the correct short template name and re-submit that to the Microsoft CA."

Reference: https://www.admin-enclave.com/en/articles/skypeforbusiness/164-resolved-denied-by-policy-module-0x80094800-when-creating-a-lync-ssl-certificate.html

Also please make sure the template is assigned to CA server (in Certification Authority MMC select Certificate Template folder).

50528-1.png

Below is a discussion about this issue; we could check whether it helps.
https://social.technet.microsoft.com/Forums/windows/en-US/96016a13-9062-4842-b534-203d2f400cae/ca-certificate-request-error-quotdenied-by-policy-module-0x80094800quot-windows-server-2008?forum=winserversecurity

At the same time, I would like to share with you some documents about Certificates Used with NPS. Hope they could be helpful.

Manage Certificates Used with NPS
https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-certificates

Configure Certificate Templates for PEAP and EAP Requirements
https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements

Best regards,
Hannah Xiong

ChrisButlerHoward-7728 answered Crypt32 commented

Hi Hannah,

I have come across those articles as well and deleted the original certificate template then recreated it with no spaces, then issued that certificate template which is now failing. Screenshot below showing no spaces:

50625-image.png

I have also reviewed the MS documentation you sent and confirmed everything is as MS say it should be. I've searched Google extensively to find a solution so fairly confident I've read most hits that match the error we've got and the only conclusion I reached was where someone said this would not work on Server 2008 Standard edition - autoenroll for V2 or V3 templates does not work:

https://social.technet.microsoft.com/Forums/office/en-US/1da6be70-10b7-4d56-8ace-b51d67c93848/the-requested-certificate-template-is-not-supported-by-this-ca-windows-2008-standard-edition?forum=winserversecurity

Windows Server 2008 standard edition can only issue certificates based on Version 1 certificate templates. To use autoenrollment, you need to issue V2 or V3 certificate templates. This is blocked by the OS.

You must do one of the following:

1) Upgrade the server to Windows Server 2008 Enterprise or Data Center

2) Upgrade the server to Windows Server 2008 R2 Standard, Enterprise, or Data Center

3) Upgrade the server to Windows Server 2012 Standard or Data Center



This is exactly what I said -- no autoenrollment for 2008 Standard edition. And I would discourage the use of non-supported OS.
