Auto enrollment of user certificate.

Afsar_sar used Ask the Experts™
Platform: Server 2003 Entp, Configured Enterprise certificate athurity
GPO status : Auto enrollment for user certificate
Key Usage: MAPI clinets uses to send encrypted email.
Accomplishment:  All the user are created under such OU where the policy has been applied ,they are getting certificate automatically from the server .while at the time of first logon.
Predicament:  Users are failed to auto renewal of his expire certificate and generating the error id no 13 (note)

Please refer the attach file to view the GPOs
note:I change the time of server and clients to verify the certificate renewal process
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Jason WatkinsIT Project Leader

This may help you start troubleshooting.  I have always had issues with user certificate auto enrollment.  Make sure the XP clients are at SP2 or better and that everyone's clock is within 5min of the DC/CertSrv
Steven WellsSystems Administrator
Have you tried re-issuing the certificate?

You are better off having longer certificate periods.
Cryptographic Engineer
Make sure that the user group is a member of the CERTSRV_DCOM_ACCESS group.  This is a local group on the CA, unless you installed the CA on a DC in which case it will be a domain group.  Usually domain computers and domain users are a member of this already, it is more common to see this happen to DCs when the Domain Controllers group is not included in this group.  However, this may have been modified, so double check to be on the safe side.

Also, make sure that in the certificate templates MMC that the renewal period is an appropriate time (more than 0, less than validity period of cert).  The renewal period is the period of time prior to the expiration, not the time after issuance.  Also confirm that read, enroll, autoenroll permissions are granted to the group and not denied to another group they may be a member of.

You can try using the command on the client 'certutil -pulse' to pulse autoenrollment events.  Rebooting the client may also help.

If there are software or hardware firewalls in the way, you might check logs on those.

There are also a number of different things to try here:

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial