• Status: Solved
  • Priority: Medium
  • Security: Public

can't get a machine certificate issued.

I have auto-enrollment enabled via a GP. I am having trouble getting machine certificates issued to a machine in a child domain. I get the following error on the local machine but nothing on the machine that hosts the CA.

Event Type:      Warning
Event Source:      Winlogon
Event Category:      None
Event ID:      1010
Date:            3/25/2005
Time:            1:39:34 PM
User:            N/A
Computer:      COmputer
Description:
Automatic enrollment against the certification authority <CA name> for a certificate of type Machine has failed.  (0x80070721) A security package specific error occurred.
.   Another certification authority will be tried.

Any Ideas?
Asked by jchambers69

2 Solutions
 
swinterborn commented:
There are 2 security settings to check.

Firstly on the CA, right click the CA in the CA mmc, ensure ChildDomain\Domain Computers has permission to request a cert.
Secondly, in AD Sites and Services, check the ACL on the Computer template in Services/Public Key Services/Certificate Templates and again ensure the Domain Computers group has permission to read the template.

HTH
 
jchambers69 (Author) commented:
I added those settings and still get the same error. Any other ideas?

Thanks
 
Phil_Agcaoili commented:
Did you check the machinekeys permissions? Also, these permissions need to be forced onto the files already present on your systems:
http://support.microsoft.com/default.aspx?scid=kb;en-us;278381
 
jchambers69 (Author) commented:
Phil, I followed the KB and still no luck.

Any other ideas?
 
swinterborn commented:
Do you get any entries on the Security log of the CA?
Any failed cert requests in the CA log?
 
Phil_Agcaoili commented:
Sorry jchambers69, I don't have anything else to offer.

Besides CA logs as swinterborn requests, do you have any other logs or error messages?
 
jchambers69 (Author) commented:
The only errors that get registered are on the machine that can't get the certificate, and the error listed above is it. There are no errors in the logs of the CA and no failed certificate requests listed.

 
Phil_Agcaoili commented:
You stumped me, I'd open a ticket with Microsoft on this one because there's no other reference to this error on the Net.

What guides are you following to install machine certificates?
 
jchambers69 (Author) commented:
I am issuing them via the default domain policy. It has worked for other machines.

Thanks all.
 
swinterborn commented:
Possibly need to look at the client machine itself. Are there any other errors in its logs?

It's always worth dropping client machines out of the domain and rejoining when you get odd domain security issues.

HTH
 
jchambers69 (Author) commented:
Phil and Swinterborn,

Thanks for the ideas. A few other issues appear to be the root cause of the problem. The machine the CA sits on can't establish a secure channel to the AD servers. I have called in our consultants to assist.

thanks,
John
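As a defender-side check that covers both swinterborn's template-ACL advice and the secure-channel failure the author eventually found, here is an added PowerShell script. It is not part of the thread and not Microsoft's own tooling; it assumes the RSAT ActiveDirectory module (which provides the `AD:` drive), a domain account that can read the Configuration partition, and it uses placeholder values for the CA config string and the group name that you must replace.

```powershell
# Added diagnostic script (not from the thread). Assumptions: RSAT ActiveDirectory
# module installed, run as a domain account with read access to the Configuration
# partition; $CAConfig and $GroupName are placeholders to replace.
#Requires -Modules ActiveDirectory
param(
    [string]$TemplateCN = 'Machine',                # cn of the built-in "Computer" template
    [string]$GroupName  = 'Domain Computers',       # group that should be able to enroll
    [string]$CAConfig   = 'CAHOST\PLACEHOLDER-CA'   # "host\CA common name" (placeholder)
)
Import-Module ActiveDirectory

# Well-known extended-right GUIDs on certificate template objects.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$Rights         = [System.DirectoryServices.ActiveDirectoryRights]

$result = [ordered]@{}

# 1. Secure channel from this host to its domain. The thread's root cause was a
#    broken channel on the CA host, so run this on the CA host as well as the client.
$result.SecureChannelOk = Test-ComputerSecureChannel
if (-not $result.SecureChannelOk) {
    Write-Warning 'Secure channel is broken; repair it (Test-ComputerSecureChannel -Repair) before chasing template ACLs.'
}

# 2. Template ACL under CN=Certificate Templates (swinterborn's second check):
#    the group needs Read plus the Enroll extended right, and Autoenroll as well
#    when enrollment is driven by Group Policy.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl        = Get-Acl -Path "AD:\$templateDN"

$groupAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$GroupName"
}
$result.TemplateRead = [bool]($groupAces | Where-Object {
    ($_.ActiveDirectoryRights -band ($Rights::GenericRead -bor $Rights::ReadProperty)) -ne 0
})
$result.TemplateEnroll = [bool]($groupAces | Where-Object {
    (($_.ActiveDirectoryRights -band $Rights::ExtendedRight) -ne 0) -and
    ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [guid]::Empty)   # Empty = all extended rights
})
$result.TemplateAutoEnroll = [bool]($groupAces | Where-Object {
    (($_.ActiveDirectoryRights -band $Rights::ExtendedRight) -ne 0) -and
    ($_.ObjectType -eq $AutoEnrollGuid -or $_.ObjectType -eq [guid]::Empty)
})

# 3. Can this host authenticate to the CA's RPC/DCOM interface at all? This
#    surfaces RPC/authentication problems separately from template permissions.
$pingOutput = certutil -config $CAConfig -ping 2>&1
$result.CAReachable  = ($LASTEXITCODE -eq 0)
$result.CAPingOutput = ($pingOutput | Out-String).Trim()

[pscustomobject]$result
```

Run it on the failing client and on the CA host; a `SecureChannelOk` of `False` on either machine is the condition the author ended up with, and no amount of ACL work fixes that. The CA-level "request certificates" permission (swinterborn's first check) lives on the CA itself rather than in AD, so this script does not parse it; view it in the CA MMC or with `certutil -config "<host\CA>" -getreg CA\Security`.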