BahramMaleki-9659 asked DaisyZhou-MSFT answered

No certificates meet the application criteria

Hello,

I deployed Enrollment Agent to be able to request certificates on behalf of other users. It was working before, but now when I request on behalf I get the following error message:
No certificates meet the application criteria.

Any thoughts?

windows-server

DaisyZhou-MSFT answered

Hello @BahramMaleki-9659,

Thank you for posting here.

I have done a test in my lab.

Configure the "Enrollment Agent" certificate template.

1. Duplicate an "Enrollment Agent" certificate template, and give the "domain users" group "Read" and "Enroll" permissions.

Certificate template display name is Enrollment Agent-1.
[Screenshot: cer2.png]

2. Issue this certificate template.
[Screenshot: cer3.png]

Daisy11 requests a certificate using the certificate template named "Enrollment Agent-1".

3. Log on to one client as the domain user named daisy11.

4. Request a certificate using the certificate template named "Enrollment Agent-1" in the user store.
[Screenshot: cer4.png]

Daisy11 is able to request a certificate on behalf of another user.

5. After that, Daisy11 is able to request a certificate on behalf of another user (B\yu).
[Screenshot: cer5.png]

[Screenshot: cer6.png]

Because daisy11 has two certificates issued from the "Enrollment Agent" certificate template, it will prompt me to select one.
[Screenshot: cer7.png]

6. Select one certificate template for the domain user (B\yu).
[Screenshot: cer8.png]

7. Select the user name (B\yu).
[Screenshot: cer9.png]

8. Daisy11 now requests a certificate for B\yu successfully.
[Screenshot: cer10.png]

[Screenshot: cer22.png]


From the error message, it seems there is no corresponding Enrollment Agent certificate in the currently logged-on user's store.

So please check:
1. Check whether the currently logged-on user's Personal store has an Enrollment Agent certificate installed that was issued from the Enrollment Agent certificate template. If so, ensure this cert is not expired.
[Screenshot: cer11.png]

2. Check whether the currently logged-on user's Personal store has an Enrollment Agent certificate installed that was issued from the Enrollment Agent certificate template. If there is no such certificate, or the certificate has expired, this logged-on user can request an Enrollment Agent certificate using the Enrollment Agent certificate template again, then request certs on behalf of other users.

3. Find which user has already requested an Enrollment Agent certificate using the Enrollment Agent certificate template. You can use the user account with the Enrollment Agent certificate in his/her Personal store to request certs on behalf of other users.

Similar case.
Certificate services - request client certificates on behalf of another user?
https://social.technet.microsoft.com/Forums/windowsserver/en-US/ef1e7953-0e41-4465-becc-74305e18b32b/certificate-services-request-client-certificates-on-behalf-of-another-user?forum=winserversecurity


Reference
Enroll for Certificates on Behalf of Other Users
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770802(v=ws.11)?redirectedfrom=MSDN

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
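
The store check suggested in the answer above can be scripted. This is an added example, not part of the original answer; it assumes an enrollment agent certificate is identified by the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1) and that a usable one must be inside its validity period and have a private key. The function name is hypothetical.

```powershell
# Added example (not from the thread): list certificates in the current user's
# Personal store and flag which ones could act as an enrollment agent certificate.
# Assumption: the agent certificate carries the Certificate Request Agent EKU.
$AgentEku = '1.3.6.1.4.1.311.20.2.1'

function Get-EnrollmentAgentCandidate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect the EKU OIDs from the certificate's EKU extension, if it has one.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasAgentEku   = $ekus -contains $AgentEku
            NotAfter      = $cert.NotAfter
            InValidity    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

$candidates = @(Get-EnrollmentAgentCandidate)
$usable = @($candidates | Where-Object { $_.HasAgentEku -and $_.InValidity -and $_.HasPrivateKey })

# Show every certificate that claims the agent EKU, including expired ones.
$candidates | Where-Object HasAgentEku | Format-Table -AutoSize

if ($usable.Count -eq 0) {
    Write-Warning 'No unexpired enrollment agent certificate with a private key in this store.'
}
```

Run it as the user who performs the on-behalf-of request, since it reads that user's own store.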




BahramMaleki-9659 answered

Thank you so much, Daisy, but still no luck. I am still getting the following error:
"No certificates meet the application criteria"

It was working before, but somehow it stopped working.

Thanks
BM


DaisyZhou-MSFT answered

Hello @BahramMaleki-9659,

Thank you for your update.

I have checked one domain user without a certificate issued using the Enrollment Agent certificate template in the user store.
The user is named B\yu.

[Screenshot: ap2.png]

Then I requested a certificate with the logged-on user B\yu on behalf of another user, and I received the same error as you mentioned above.
[Screenshot: ap1.png]


Would you please tell me whether you have troubleshot as I mentioned above? If so, would you please tell me something about the result?



Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


BahramMaleki-9659 answered

[Screenshot: cert1.jpg]

Here is the issue: I have an enrollment agent but am getting the error.

Thanks



DaisyZhou-MSFT answered

Hello @BahramMaleki-9659,

Thank you so much for your update.

1. Please check if the root certificate and certificate status are OK as below.
[Screenshot: sta1.png]

2. Check if this certificate is revoked or not.

Run command: certutil -urlfetch -verify <the full path of this cert>

For example:
certutil -urlfetch -verify C:\cer.cer

Cert is revoked.
[Screenshot: sta2.png]

Cert is not revoked.
[Screenshot: sta3.png]

3. Check the remaining lifetime of the root CA cert.
[Screenshot: sta4.png]

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
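
The three checks in the answer above (chain trust, revocation, root lifetime) can also be run from PowerShell with the .NET X509Chain class. This is an added example, not part of the original answer; the function name Test-CertChain is hypothetical.

```powershell
# Added example (not from the thread). Test-CertChain is a hypothetical helper name.
# Builds the chain for a certificate with online revocation checking and reports
# chain errors plus the remaining lifetime of the certificate at the top of the chain.
function Test-CertChain {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'       # fetch CRL/OCSP
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # check every element
        try {
            $valid = $chain.Build($Cert)
            # ChainStatus is empty when nothing is wrong; otherwise it lists entries
            # such as Revoked, NotTimeValid, UntrustedRoot or RevocationStatusUnknown.
            $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            $top = $null
            if ($chain.ChainElements.Count -gt 0) {
                $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            }
            [pscustomobject]@{
                Subject     = $Cert.Subject
                ChainValid  = $valid
                Problems    = $problems -join ', '
                TopOfChain  = if ($top) { $top.Subject }
                TopNotAfter = if ($top) { $top.NotAfter }
                TopDaysLeft = if ($top) { [int]($top.NotAfter - (Get-Date)).TotalDays }
            }
        }
        finally {
            $chain.Reset()
        }
    }
}

# Check every certificate with a private key in the current user's Personal store.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object HasPrivateKey |
    Test-CertChain |
    Format-List
```

If the chain cannot be built up to a root, TopOfChain is the last certificate that was found rather than the root CA.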
