Muhammad_Amjad
asked on
Automatic certificate enrollment
Automatic certificate enrollment for xyz\administrator failed to enroll for one Auto enroll Smartcard User certificate (0x80070005). Access is denied
ASKER
First of all, we are not using a CA. The OS of the domain controller is Windows 2003 EE and it's running with SP2.
The OS of the client machines was Windows XP with SP2; the event ID of the error is Event ID 13.
Sorry Muhammad, I am confused, if you are not using CA then where are you getting your certificates from?
ASKER
Actually, we are not using any CA.
Now I am really confused!!
Your clients are using smart cards to log on, but you have no Certificate Authority to issue the corresponding certificates, either internally or externally.
The error relates to a failure to autoenroll for a certificate which does not exist on a CA which does not exist.
Sorry but I must be missing something here.
ASKER
That's the main thing: none of our clients are using smart cards, but I am still getting those errors.
OK, now I get it. Thank you.
Where are these errors generated? Is it server or client? Identify the machine generating the errors. It would seem that something is configured to autoenroll for this certificate. Also take a look at GPOs you have configured.
ASKER
It's generating on the DC.
ASKER
Any update?
ASKER
What if I disable the autoenrollment on my domain controller to get rid of those errors?
What is your DC set up to autoenroll?
Just to verify that there are not any rogue CAs in your network, you may want to check this out:
Administrative Tools -> Active Directory Sites and Services
In the MMC, highlight "Active Directory Sites and Services [server.fqdn]"
View -> Show Services Node
Expand Services
Look for Public Key Services - if this is there, expand that and highlight Certification Authorities
If there are any servers listed in the details pane then this should hopefully point you to what CA is installed - at least a machine name and the CA name to start from.
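A scripted version of the directory check described in the post above, as an added example that is not part of the original thread. It assumes PowerShell on a domain-joined machine with read access to the Configuration partition; the Enrollment Services container and the `certificateTemplates` listing are additions not mentioned in the thread.

```powershell
# Added example (not from the thread): list CA objects published in Active Directory.
# Assumes a domain-joined machine and an account that can read the Configuration partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$pkiBase")) {
    Write-Output "Public Key Services container not found under $configNC"
    return
}

# 'Certification Authorities' is the container named in the post above.
# 'Enrollment Services' (an addition here) is where enterprise CAs that issue
# certificates, including autoenrolled ones, publish themselves.
foreach ($name in 'Certification Authorities', 'Enrollment Services') {
    $path = "LDAP://CN=$name,$pkiBase"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        Write-Output "[$name] container not present"
        continue
    }

    # psbase.Children returns the DirectoryEntry objects directly under the container.
    $children = @(([ADSI]$path).psbase.Children)
    if ($children.Count -eq 0) {
        Write-Output "[$name] no entries published"
        continue
    }

    foreach ($ca in $children) {
        # certificateTemplates is multi-valued; it is empty for root CA entries.
        $templates = @($ca.certificateTemplates | ForEach-Object { [string]$_ })
        New-Object PSObject -Property @{
            Container = $name
            CAName    = [string]$ca.cn
            Host      = [string]$ca.dNSHostName
            Templates = ($templates -join ', ')
        }
    }
}
```

Any entry returned gives a machine name and CA name to start from, and the Templates column shows which certificate templates that CA offers for enrollment.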
What OS and Service Pack is the CA server?
What OS and Service Pack for the client?
Does the template allow for autoenroll?
Is there an Event ID?