question

Blitz-9407 avatar image
0 Votes"
Blitz-9407 asked DaisyZhou-MSFT commented

Computer Certificate autoenrollment not working

Hi, everyone! I have a problem with computer certificate autoenrollment and I've done a lot of search and troubleshooting and seems I'm stuck.

I'm in an AD environment with internal PKI infrastructure, root ca is offline and there are two intermediate CAs (one old, one new) issuing certificate for my domain clients.

I'm using CA template to automatically push certificate to clients which is working well, but I did one change to one of my cert template and i need all clients to re-enroll certificate, I had discovered there is an option to Reenroll all Certificate Holders using the template - so I tried this in the lab and everything works like a charm. The template number has incremented and clients were re-enrolling certificates on the next GPO cycle.

So i've moved to the production, did the same, and nothing, no errors in event log, just some warnings but didn't look interesting.
From Wireshark traffic capture I could see there are no request from client to CA, just talking with DCs and end the communication after. The curious thing is that in capture i can see that the certificate template number is incremented in the traffic from DC than is the certificate template number on my client but there are no attempts to enroll new one...

Can anyone please advise?

Regards

windows-server-security
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

4 Answers

DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @Blitz-9407,

Thank you for your update.

If AD replication is working fine and the certificate template we mentioned is on all DCs. It seems it does not matter with AD replication.

We can check:

1.What is the Schema Version of the certificate template we mentioned?
22333-ver1.png


2.In my lab, I find if I click "Reenroll All Certificate Holders", the "Version" of certificate template (or "Major Version" of certificate template) will be changed, and after the client update GPO, the "Version" of certificate template on the corresponding certificates (or "Major Version" of certificate template) will be the same as on certificate template.

For example,

121.0 => Major Version Number=121, Minor Version Number=0

22333-ver1.png

22334-ver2.png


So we can check whether the "Version" of certificate template (or "Major Version" of certificate template) is changed after we click "Reenroll All Certificate Holders".

Whether the "Version" of certificate template (or "Major Version" of certificate template) on certificate template is changed.

3.If the version on certificate template is changed but on certificate is not changed, we can run gpupdate /force or certutil -pulse on client to see if it helps.

4.Refresh the certificate Store on client.
22238-ver3.png


Best Regards,
Daisy Zhou



ver1.png (27.2 KiB)
ver2.png (21.8 KiB)
ver3.png (40.8 KiB)
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @Blitz-9407,

Thank you for posting here.

I did a test in my ab and it works fine.

We can check the information below in your production environment:
1.Check whether this machine has configured certificate auto enrollment GPO.
2.Check whether the certificate template is issued on CA server.
3.Check whether the machine has read, enroll and autoenroll permissions for this certificate template.
4.Check whether all machines or only one machine has such issue.

If it does not work above, because certificate templates are stored on DCs not CA server, please check AD replication is working fine by running repadmin /showrepl and repadmin /replsum.

I mean if the machine we mentioned is pulled certificate template from one DC, but maybe the certificate template is not on this DC due to AD replication issue.

Hope the information above is helpful, if anything is unclear, please feel free to let us know.


Best Regards,
Daisy Zhou

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Blitz-9407 avatar image
0 Votes"
Blitz-9407 answered

Hello Daisy, thanks for your reply.

  1. Yes, I got a Automatic certificate management enabled, with Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates and Update and manage certificates that use certificate templates from Active Directory enabled too.

  2. Yes, seems good.

  3. Authenticated users have read. Domain computers have read, enroll and auto-enroll on the template so should be fine.

  4. Its all of them


Sorry, but how to find out where they are stored? I see an entry for the template in adsi -> configuration -> Services -> PKI -> Certification templates.
Anyway, repadmin shows all good, we are all in single site domain so I'm not suspecting replications to be the problem. All DCs showing the same template (even version) so probably it's stored on DCs.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Blitz-9407 avatar image
0 Votes"
Blitz-9407 answered DaisyZhou-MSFT commented

Hi there, wow I can't believe I did such a mistake!

In the lab, I clicked the button, and the major version incremented to 102, and the minor was 0.
But in the production, I had major template number 100 and minor was 2, I did some changes and minor incremented to 3, right after the change clicked to "Reenroll All Certificate Holders" - but it seems that I didn't really click because the template version stayed 100.3 and it confused me enough to change major with minor believing everything is good on CA a problem is somewhere on clients side. So major template number wasn't really incremented therefore clients weren't re-enrolling.

Now once I've gone through it again by your pictures and realized my mistake! Thanks, @DaisyZhou-MSFT so much for your help! Before asking there I was digging deeper into the certificate enrollment process looking for a potential problem and I've seen the template number numerous times during the process always believing its correct and never noticing my mistake.

Now once I really clicked to reenroll and the major template number has incremented it works smoothly.

Thanks again!

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT avatar image DaisyZhou-MSFT ·

Hello @Blitz-9407,

Thank you for your update and accepting my reply as answer. I’m very glad that the problem has been solved.

As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

Have a nice day!


Best Regards,
Daisy Zhou

0 Votes 0 ·