Solved

can't get a machine certificate issued.

Posted on 2005-03-25
Last Modified: 2013-12-04
I have auto-enrollment enabled via a GP. I am having trouble getting machine certificates issued to a machine in a child domain. I get the following error on the local machine but nothing on the machine that hosts the CA.

Event Type:      Warning
Event Source:      Winlogon
Event Category:      None
Event ID:      1010
Date:            3/25/2005
Time:            1:39:34 PM
User:            N/A
Computer:      COmputer
Description:
Automatic enrollment against the certification authority <CA name> for a certificate of type Machine has failed.  (0x80070721) A security package specific error occurred.
.   Another certification authority will be tried.

Any Ideas?
0
Question by:jchambers69
11 Comments
 
LVL 5

Expert Comment

by:swinterborn
ID: 13633553
There are 2 security settings to check.

Firstly, on the CA, right-click the CA in the CA mmc and ensure ChildDomain\Domain Computers has permission to request a cert.
Secondly, in AD Sites and Services, check the ACL on the Computer template in Services/Public Key Services/Certificate Templates and again ensure the Domain Computers group has permission to read the template.

HTH
0
 
LVL 3

Author Comment

by:jchambers69
ID: 13643489
I added those settings and still get the same error. Any other ideas?

Thanks
0
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 13644183
Did you check the machinekeys permissions? Also, these permissions need to be forced onto the files already present on your systems:
http://support.microsoft.com/default.aspx?scid=kb;en-us;278381
0
 
LVL 3

Author Comment

by:jchambers69
ID: 13646313
Phil, I followed the KB and still no luck.

Any other ideas?
0
 
LVL 5

Expert Comment

by:swinterborn
ID: 13650946
Do you get any entries on the Security log of the CA?
Any failed cert requests in the CA log?
0
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 13654541
Sorry jchambers69, I don't have anything else to offer.

Besides CA logs as swinterborn requests, do you have any other logs or error messages?
0
 
LVL 3

Author Comment

by:jchambers69
ID: 13656526
The only errors that get registered are on the machine that can't get the certificate, and the error listed above is it. There are no errors in the logs of the CA and no failed certificate requests listed.

0
 
LVL 12

Assisted Solution

by:Phil_Agcaoili
Phil_Agcaoili earned 750 total points
ID: 13656795
You stumped me, I'd open a ticket with Microsoft on this one because there's no other reference to this error on the Net.

What guides are you following to install machine certificates?
0
 
LVL 3

Author Comment

by:jchambers69
ID: 13657097
I am issuing them via the default domain policy. It has worked for other machines.

Thanks all.
0
 
LVL 5

Accepted Solution

by:
swinterborn earned 750 total points
ID: 13660682
Possibly need to look at the client machine itself. Are there any other errors in its logs?

It's always worth dropping client machines out of the domain and rejoining when you get odd domain security issues.

HTH
0
 
LVL 3

Author Comment

by:jchambers69
ID: 13761875
Phil and Swinterborn,

Thanks for the ideas. A few other issues appear to be the root cause of the problem. The machine the CA sits on can't establish a secure channel to the AD servers. I have called in our consultants to assist.

thanks,
John
0
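Added example, not part of the thread: a PowerShell sketch that decodes the HRESULT from the event above (0x80070721) and then checks the machine account's secure channel, which is where the root cause turned out to be. It assumes Windows PowerShell 5.1 on a domain-joined host; the function names `ConvertFrom-HResult` and `Test-MachineTrust` are hypothetical helpers written for this example.

```powershell
# Added example. Assumes Windows PowerShell 5.1 on a domain-joined host.

function ConvertFrom-HResult {
    param([Parameter(Mandatory)][string]$HResult)

    # Parse from a string: a literal such as 0x80070721 is read as a negative Int32.
    $value    = [long][Convert]::ToUInt32($HResult, 16)
    $facility = ($value -shr 16) -band 0x1FFF   # bits 16-28
    $code     = [int]($value -band 0xFFFF)      # bits 0-15

    $message = $null
    if ($facility -eq 7) {
        # Facility 7 is FACILITY_WIN32: the low word is a plain Win32 error code.
        $message = (New-Object System.ComponentModel.Win32Exception $code).Message
    }

    [pscustomobject]@{
        HResult  = '0x{0:X8}' -f $value
        Failure  = (($value -shr 31) -eq 1)      # bit 31 is the severity bit
        Facility = $facility
        Code     = $code
        Message  = $message
    }
}

function Test-MachineTrust {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning "$($cs.Name) is not joined to a domain."
        return $false
    }

    # Verifies the machine account's secure channel to a domain controller.
    $ok = Test-ComputerSecureChannel

    # Same check through Netlogon; output goes to the console, not the pipeline.
    & nltest.exe "/sc_verify:$($cs.Domain)" | Out-Host

    if (-not $ok) {
        Write-Warning "Secure channel to $($cs.Domain) is broken on $($cs.Name)."
    }
    return $ok
}

# 0x80070721 -> facility 7, code 1825 (RPC_S_SEC_PKG_ERROR)
ConvertFrom-HResult '0x80070721' | Format-List
Test-MachineTrust
```

Run it from an elevated prompt on both the enrolling client and the CA host, since in this thread the failing secure channel was on the CA side while the only logged error was on the client.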
