jchambers69
asked on
can't get a machine certificate issued.
I have auto-enrollment enabled via a GP. I am having trouble getting machine certificates issued to a machine in a child domain. I get the following error on the local machine but nothing on the machine that hosts the CA.
Event Type: Warning
Event Source: Winlogon
Event Category: None
Event ID: 1010
Date: 3/25/2005
Time: 1:39:34 PM
User: N/A
Computer: COmputer
Description:
Automatic enrollment against the certification authority <CA name> for a certificate of type Machine has failed. (0x80070721) A security package specific error occurred.
. Another certification authority will be tried.
Any Ideas?
ASKER
I add those settings and still get the same error. Any other ideas?
Thanks
Did you check the machinekeys permissions? Also, these permissions need to be forced onto the files already present on your systems:
http://support.microsoft.com/default.aspx?scid=kb;en-us;278381
ASKER
Phil, I followed the KB and still no luck.
Any other ideas?
Do you get any entries on the Security log of the CA?
Any failed cert requests in the CA log?
Sorry jchambers69, I don't have anything else to offer.
Besides CA logs as swinterborn requests, do you have any other logs or error messages?
ASKER
The only errors that get registered are on the machine that can't get the certificate, and the error listed above is it. There are no errors in the logs of the CA and no failed certificate requests listed.
SOLUTION
ASKER
I am issuing them via the default domain policy. It has worked for other machines.
Thanks all.
ASKER CERTIFIED SOLUTION
ASKER
Phil and Swinterborn,
Thanks for the ideas. A few other issues appear to be the root cause of the problem. The machine the CA sits on can't establish a secure channel to the AD servers. I have called in our consultants to assist.
thanks,
John
Firstly on the CA, right click the CA in the CA mmc, ensure ChildDomain\Domain Computers has permission to request a cert.
Secondly, in AD Sites and Services, check the ACL on the Computer template in Services/Public Key Services/Certificate Templates and again ensure the Domain Computers group has permission to read the template.
HTH
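An added diagnostic script (not from this thread or any of its posters) that scripts the two checks above plus the secure-channel check that turned out to be the root cause: it verifies the local machine's secure channel to the domain and then reads the Machine template's ACL from the Configuration partition (the same object AD Sites and Services shows) to see whether a Domain Computers group holds the Certificate-Enrollment right. It assumes a current Windows host with the RSAT ActiveDirectory module and that the template's CN is "Machine" (display name "Computer"); run it on the failing client and again on the CA host.

```powershell
# Added example: autoenrollment pre-flight checks. Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Secure channel to the domain. A broken channel on the client or on the CA host
#    surfaces as a "security package specific error" (0x80070721) during enrollment.
$scOk = Test-ComputerSecureChannel -Verbose
if (-not $scOk) {
    Write-Warning "Secure channel is broken. Repair with: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
}

# 2. Template ACL in the Configuration partition. Template CN is assumed to be "Machine".
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl        = Get-Acl -Path "AD:\$templateDN"

# Certificate-Enrollment extended right (schema-defined GUID).
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Show every Allow ACE that grants read or enroll-type access, so a missing
# ChildDomain\Domain Computers entry is obvious at a glance.
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty|ExtendedRight|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize

# Does any Domain Computers group (from any domain in the forest) hold Enroll?
# Enroll is granted either as the specific extended right, as "all extended rights"
# (ObjectType = empty GUID), or implicitly via GenericAll.
$enrollAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -like '*\Domain Computers' -and
    (
        ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
            ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [Guid]::Empty)) -or
        $_.ActiveDirectoryRights -match 'GenericAll'
    )
}

if ($enrollAces) {
    $enrollAces | ForEach-Object { "Enroll granted to $($_.IdentityReference)" }
} else {
    Write-Warning "No Domain Computers group holds Enroll on $templateDN"
}

# 3. Ask the CA itself whether it answers and which templates it publishes.
certutil -ping
certutil -CATemplates
```

The CA's own request permission (the first check in the post above) is still set in the Certification Authority console; the script only covers the template ACL and the secure channel.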