Use of certificates across different AD forests
Posted on 2009-07-16
Our company has just had a merger. This means that we have 4 AD forests. Forest1 has an AD integrated certificate server which is used for 802.1x authentication. The other forests do not have a certificate server. We are currently in the process of migrating everyone to Forest1, but in the meantime we need everyone in the other forests to be able to use Forest1's certificates for authentication. Would this be possible? There are trusts between the domains, but we can't seem to get it working.
Each time we browse to the certificate server to request a new certificate we get the following message:
Certificate Request Denied
Your certificate request was denied.
Your Request Id is 13024. The disposition message is "Denied by Policy Module 0x8007202b, The requester's Active Directory object is not in the current forest. Cross forest enrollment is not enabled. CN=XXXXX,CN=Users,DC=XXXXX,DC=XXX,DC=XXX ldap: 0xa: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points ref 1: 'XXXXX.XXX.XXX' ".
Contact your administrator for further information.
Is there any way to enable Cross forest enrolment? From what we have read you need Windows 2008 Server. At the moment we only have 2003 Server. We would also like to do this without having to introduce new certificate servers to the domains.
Thanks for any help you can give
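The disposition message in the post packs several diagnostics into one line: a COM HRESULT, the requester's distinguished name, an LDAP result code and the referral the CA received from its own forest's DC. The following Python script is an added example (not code from the poster or from Microsoft) that decodes such a message so the cause can be read off a CA request log without guesswork. The sample input is a constructed copy of the message quoted above, with the poster's XXXXX placeholders left in place; the HRESULT field layout and the winerror.h value ERROR_DS_REFERRAL = 0x202B are standard, everything else (function and field names) is this example's own choice.

```python
import re

# Constructed sample: the disposition message from the post, placeholders kept.
SAMPLE_DISPOSITION = (
    "Denied by Policy Module 0x8007202b, The requester's Active Directory "
    "object is not in the current forest. Cross forest enrollment is not "
    "enabled. CN=XXXXX,CN=Users,DC=XXXXX,DC=XXX,DC=XXX ldap: 0xa: 0000202B: "
    "RefErr: DSID-031006E0, data 0, 1 access points ref 1: 'XXXXX.XXX.XXX' "
)

FACILITY_WIN32 = 7  # HRESULTs of the form 0x8007xxxx wrap a Win32 error code
WIN32_NAMES = {0x202B: "ERROR_DS_REFERRAL"}  # from winerror.h
LDAP_REFERRAL = 10  # LDAP resultCode referral(10), shown as 0xa in the message


def decode_hresult(hr):
    """Split a COM HRESULT into severity, facility and code fields."""
    severity = (hr >> 31) & 0x1
    facility = (hr >> 16) & 0x7FF
    code = hr & 0xFFFF
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return {"severity": severity, "facility": facility, "code": code, "name": name}


def domain_from_dn(dn):
    """Join the DC= components of a DN into the DNS name of the requester's domain."""
    parts = [p.split("=", 1)[1] for p in dn.split(",") if p.upper().startswith("DC=")]
    return ".".join(parts)


def parse_disposition(msg):
    """Pull the structured fields out of a CA policy-module disposition message."""
    hr_match = re.search(r"Policy Module (0x[0-9A-Fa-f]{8})", msg)
    dn_match = re.search(r"(CN=\S+) ldap:", msg)
    ldap_match = re.search(r"ldap: (0x[0-9A-Fa-f]+):", msg)
    ref_match = re.search(r"ref \d+: '([^']+)'", msg)

    hresult = int(hr_match.group(1), 16) if hr_match else None
    decoded = decode_hresult(hresult) if hresult is not None else {}
    dn = dn_match.group(1) if dn_match else None
    return {
        "hresult": hresult,
        "win32_code": decoded.get("code"),
        "win32_name": decoded.get("name"),
        "requester_dn": dn,
        "requester_domain": domain_from_dn(dn) if dn else None,
        "ldap_result": int(ldap_match.group(1), 16) if ldap_match else None,
        "referral_target": ref_match.group(1) if ref_match else None,
    }


def is_cross_forest_referral(parsed):
    """True when the denial is the DC referring the CA to another forest for the requester."""
    return (
        parsed["win32_name"] == "ERROR_DS_REFERRAL"
        and parsed["ldap_result"] == LDAP_REFERRAL
        and parsed["referral_target"] is not None
    )


def explain(msg):
    """Human-readable summary of a disposition message."""
    p = parse_disposition(msg)
    if is_cross_forest_referral(p):
        return (
            f"request denied: requester {p['requester_dn']} lives in forest/domain "
            f"{p['requester_domain']}; CA's DC returned an LDAP referral to "
            f"{p['referral_target']} ({p['win32_name']} 0x{p['win32_code']:04X}), "
            "which this CA does not follow (cross-forest enrollment not enabled)"
        )
    return f"request denied with HRESULT 0x{p['hresult']:08X}" if p["hresult"] else "unrecognised message"


if __name__ == "__main__":
    print(explain(SAMPLE_DISPOSITION))
```

The summary makes the failure mode explicit: the CA is in Forest1, the requester's account object is in another forest, so the Forest1 DC answers the CA's lookup with an LDAP referral instead of the object, and a Windows Server 2003 CA treats that referral as a denial. Following such referrals is the 2008 R2 cross-forest enrollment feature the poster has read about (enabled on the CA with certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS); it is not available on the 2003 CA described here.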