Solved
CA Unable To Autoenroll Certificates

Posted on 2010-01-01
Last Modified: 2012-05-08
Hi ladies/gents,

As a new joiner to this forum I may not be up to scratch with the etiquette of how a question is supposed to be proposed, so please bear with me. I'll try and provide the necessary information so hopefully one of you experts can sort this niggling problem for me.

Problem description:

We currently have three certificate authorities with the following roles:

- Standalone Root Certificate - Offline - Issued certificates to Subordinate CA's and taken offline
- Enterprise Subordinate CA - Online - Issues certificates
- Enterprise Subordinate CA - Online - Issues certificates

The certificate authorities are spread between two sites. Site 1, which is considered the HQ of operations, contains the Standalone Root and one of the Enterprise subordinate machines, and Site 2 has the remaining enterprise subordinate server. The two physical sites are connected via a Demand-Dial link.

We have encountered a problem whereby certificates are unable to be autoenrolled to the users; when selecting to manually request the desired certificate it does not appear to be published, although the necessary permissions have been provided (Read, Enroll and Autoenroll - Authenticated Users). We believe this problem emanated from a merger which took place of two Active Directory forests which contained the two sites.

Essentially we have 4 sites (subnets) with 4 DCs. Two of the DCs are located in one physical site and the other two are located in another physical site; each of these physical sites was once part of a separate Active Directory forest, each with its own certificate authorities. An Active Directory forest trust was instigated, which was followed by a fully blown migration and finally decommissioning of the site 2 forest. From this point forward we have reason to believe the autoenrollment feature has never successfully worked.

Diagnostics:

1. We have uninstalled all the CAs and reinstalled them again, to no avail
2. We have restarted all 4 Domain Controllers, to no avail
3. We have checked the event logs and cannot see any visible errors in relation to this problem
4. We have stopped and restarted the certificate services on all certificate authorities
5. The historic certificates which were previously autoenrolled are visible to the users when checking via the MMC Certificates snap-in. When adding any additional certificates to publish/autoenroll they are not viewable either via the MMC snap-in or via the web enrollment page http://localhost/certsrv; when removing the historic certificates and re-adding them to be published and auto-enrolled it presents the existing problem
6. DNS is functioning, with the clients able to ping the certificate authorities by hostname and via reverse lookup.

We had issues with the SYSVOL folder whereby it was unable to replicate the group policies from site 1 to site 2. The following instructions were followed, which were presented as a Microsoft tech article:

"To work around this issue, set the SysvolReady Flag registry value to "0" and then back to "1" in the registry. To do this, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate the following subkey in Registry Editor:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. In the details pane, right-click SysvolReady Flag, and then click Modify.
4. In the Value data box, type 0 and then click OK.
5. Again in the details pane, right-click SysvolReady Flag, and then click Modify.
6. In the Value data box, type 1, and then click OK.
Note: This will cause Netlogon to share out SYSVOL, and the scripts folder will be present."

I hope the above has been informative. If you require further information please do not hesitate to ask and I will try and provide you with the information as soon as is feasible.

Many thanks,

QuadXT

Question by: QuadXT

7 Comments

Expert Comment

Expert Comment

by:arnold
ID: 26159439
Why is the Root certificate authority not an enterprise one and why is it offline?

Are there any Certificate issuing errors on the subordinate CA's?
Is your certificate issuing policy to issue, or to place the certificate into pending mode where someone would need to approve the issuance of a certificate?  Look in each of the subordinate CAs' Pending folder within the CA MMC, or use http://subordinateCA/certsrv and view the pending list.

When you configured the autoenrollment process, which CA was selected as the server to which the autoenrollment request should be made?

Check to make sure that your CAs are also DCs, and that they are members of the domain CERTSVC_DCOM_ACCESS group.

What happens if you use the web interface http://subordinateCA/certsrv to request a certificate?
Author Comment

by:QuadXT
ID: 26165334
Hi arnold,

Thank you for the quick response, please find answers to your questions.

Why is the Root certificate authority not an enterprise one and why is it offline?

The infrastructure was set up in this manner as I assume all certificate authorities were once standalone, but as you are probably aware standalone CAs are unable to autoenroll certificates, so I assume they decided to change the roles of only the subordinates rather than include a change to the Root CA as well. I wouldn't have thought a mixture of both would cause problems anyway, or would I be mistaken?

The reason it is offline is to enhance the security of the network, as the only purpose for this particular role is to issue certificates to the subordinate CAs; once issued it can be taken offline as it will not issue down-level certificates. This will be left to the Subordinate CAs.

Are there any Certificate issuing errors on the subordinate CA's?

There is a DCOM error evident - Event ID 1016 on the subordinate CA based in site 2

Is your certificate issuing policy to issue or to place the certificate into pending mode where someone would need to approve the issuance of a certificate?

No, the policy is to assign the certificate based on the permissions for that particular template; certificates that are issued do not need the approval of a CA Certificate Manager.

Look in each of the subordinate CAs' Pending folder within the CA MMC, or use http://subordinateCA/certsrv and view the pending list.

I have checked the Pending folder within the MMC snap-in, although the folder is completely empty.

When you configured the autoenrollment process, which CA was selected as the server to which the autoenrollment request should be made?

I didn't think a selection could be made as to what CA would hold the responsibility to autoenroll. Could this possibly be something I have missed when setting up the group policy for autoenrollment? Although I am unable to find any settings within the GPO which would specify a certain CA to hold that ability.

Check to make sure that your CAs are also DCs, and that they are members of the domain CERTSVC_DCOM_ACCESS group.

Now, I was unable to find this particular group under the Users container in Active Directory. I came across this Microsoft tech article: http://support.microsoft.com/kb/927066

The following commands were run on all CAs as a result:

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc

This presented the group mentioned under the Local Users and Groups folder. I continued the steps mentioned in the article and added both Domain Users and Domain Computers into the local group on all CAs. I also made sure CERTSVC_DCOM_ACCESS had Allow Local Activation and Allow Remote Activation rights; unfortunately this failed to remedy the problem.

What happens if you use the web interface http://subordinateCA/certsrv to request a certificate?

This provides the same results as the MMC snap-in; the newly issued certificates do not appear as a choice to select from.

Appreciate your assistance in this matter and look forward to your reply.

Regards,

QuadXT

Expert Comment

by:arnold
ID: 26165470
http://technet.microsoft.com/en-us/library/cc756989%28WS.10%29.aspx

You have to bring the standalone root CA online, or create another pair of subordinate CAs under the current enterprise subordinate CAs, which will convert the existing ones into intermediary CAs.

The part that explains your situation from the article above:


Note

    * Most organizations use one root CA and two policy CAs: one to support internal users, the second to support external users.

The next level in the CA hierarchy usually contains the issuing CA. The issuing CA issues certificates to users and computers and is almost always online. In many CA hierarchies, the lowest level of subordinate CAs is replaced by RAs, which can act as an intermediary for a CA by authenticating the identity of a user who is applying for a certificate, initiating revocation requests, and assisting in key recovery. Unlike a CA, however, an RA does not issue certificates or CRLs; it merely processes transactions on behalf of the CA.
Accepted Solution

by: Paranormastic (earned 2000 total points)
ID: 26171726
The root should be a standalone because the root's server should be offline, which would be easiest if never joined to the domain.  Since not joined to the domain, it cannot be an enterprise CA.  This is a typical recommended setup.

You do NOT need to bring the root CA online.  It should remain offline.  I presume that when you reinstalled the subordinates that new certificates were issued to them - if not, you do not need to bring the root online, you should keep it offline and use a flash drive, floppy, etc. to transport the data.

What kind of autoenroll certs are you trying to get?  User or computer certs?  If computer certs (e.g. DC or workstation) then you need to view the Certificates MMC snapin under the computer context.  If a user cert (e.g. EFS or email user) then you need to view under the user context.  Look under the Personal - Certificates folders within the respective area for the cert you need.

Also, check the computer context of Certificate MMC under Trusted Root Certification Authorities - certificates - and look for your root certificate there on a domain joined box.  Also, check GPO to make sure it has the current root cert being deployed:
Policy Object Name/Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities
Refer:
http://technet.microsoft.com/en-us/library/cc738131(WS.10).aspx

While in that general area, look around for relevant autoenroll type certificate settings to see if they are set properly.  If you aren't sure, just ask.

Also, check AD Sites & Services - View - Services Node - expand Services - Public Key Services - Certification Authorities.  Your root should be listed; it is okay if the subs are or are not listed here, but the root must be.  The subs should be listed under the Enrollment Services folder.

Open certtmpl.msc (Certificate Templates MMC) and view the properties of the template(s) you are not getting autoenrolled.  In particular, check the Security tab for permissions and make sure that domain\users, DC, computers for each domain is listed for each relevant type for read, enroll, autoenroll - sounds like you looked at this a little bit already.

Open certsrv.msc (CA MMC) on the sub CA and expand CAName (name of the CA) - Certificate Templates and make sure the template is listed - if not then right click - issue template... to assign it to the appropriate CA.  These groups should also be listed within the CERTSRV_DCOM_ACCESS group, which is a local security group on the CA if the CA is not a DC (which it should be, just a member server), or if the CA is on a DC, then it would be an AD domain local security group.

You can get clients to recheck for certs by using 'certutil -pulse' - for XP clients they would need the 03 adminpak installed to get certutil, otherwise gpupdate /force and reboot (twice if memory serves, but check after first).

When manually requesting computer certs, you need to do so from the Certificates MMC - computer context.  Then right click Personal - Certificates folder and request the cert from there so it happens under the computer context, not the logged in user.  Even if the user has permission, they are not a computer so will be rejected as being an invalid requestor type.

Make sure your DC's are updated with certs from the correct CA as well.  You can run 'certutil -dcinfo deletebad' then 'certutil -pulse' then reboot the DC (a necessary evil unless 2008 R2, if so ask) - make sure to stagger the DC reboots of course so users can still log in.

Let's start with that for now....
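The AD Sites & Services and certtmpl.msc/certsrv.msc checks above can be done from the command line. This added PowerShell diagnostic (not from the thread, and not a Microsoft tool) looks the template up in the forest's Certificate Templates container, lists which principals hold the Enroll and Autoenroll extended rights on it, and reports which enterprise CAs (the pKIEnrollmentService objects shown under Enrollment Services) advertise it. The template name is a placeholder; run it as a domain user on a domain-joined box.

```powershell
# Added diagnostic: is the template published in AD, who may enroll, which CAs issue it?
param([string]$TemplateName = 'User')   # placeholder: replace with the CN of your template

# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment.
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Is the template object present in the forest-wide Certificate Templates container?
$tmplPath = "LDAP://CN=$TemplateName,CN=Certificate Templates,$pkiBase"
if (-not [ADSI]::Exists($tmplPath)) {
    throw "Template '$TemplateName' not found under $pkiBase (not replicated, or wrong CN?)"
}
$tmpl = [ADSI]$tmplPath

# 2. Which Allow ACEs grant Enroll / Autoenroll on it? (Read is covered by generic read.)
"Enroll/Autoenroll ACEs on $TemplateName :"
$tmpl.ObjectSecurity.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   @($enrollGuid, $autoEnrollGuid) -contains $_.ObjectType } |
    ForEach-Object {
        $right = if ($_.ObjectType -eq $enrollGuid) { 'Enroll' } else { 'Autoenroll' }
        '  {0,-11} {1}' -f $right, $_.IdentityReference
    }

# 3. Which enterprise CAs advertise it? certificateTemplates on a pKIEnrollmentService
#    object is what certsrv.msc's "Certificate Templates" folder reflects.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$searcher.Filter = '(objectClass=pKIEnrollmentService)'
foreach ($ca in $searcher.FindAll()) {
    $caName = $ca.Properties['cn'][0]
    $caDns  = $ca.Properties['dnshostname'][0]
    if ($ca.Properties['certificatetemplates'] -contains $TemplateName) {
        "CA $caName ($caDns): template PUBLISHED"
    } else {
        "CA $caName ($caDns): template NOT published - add it via 'Certificate Template to Issue'"
    }
}
```

If a CA that should be issuing is missing from the Enrollment Services container altogether, clients will never send it autoenrollment requests, whatever the template permissions say.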
Expert Comment

by:Paranormastic
ID: 26172092
Also, check the CRL Distribution Points (CDP) that are listed within the sub CA certs and a successfully issued user or computer cert (see the Details tab - CRL Distribution Point).  Make sure the CRL is reachable and current.  If things got renamed, the web servers and/or LDAP locations may have changed from what is listed.  Alternatively, you can check the CDP listings in the CA console on the root and sub CAs themselves, but due to using variables these can be kind of weird to look at.

You can also try looking at Enterprise PKI (aka PKI Health Tool) - pkiview.msc - and see if that points to anything.
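To check the CDPs from an issued certificate without reading the extension by hand, this added PowerShell snippet (not from the thread) pulls the URLs out of the certificate's CRL Distribution Points extension, downloads each HTTP CRL, and prints its ThisUpdate/NextUpdate so a stale or unreachable CRL stands out. The certificate path is a placeholder; it assumes PowerShell 3 or later for Invoke-WebRequest and that certutil -dump prints the CRL's update fields with those labels. LDAP CDPs are listed but left to pkiview.msc.

```powershell
# Added diagnostic: extract CDP URLs from a cert and test the HTTP ones.
param([string]$CertPath = 'C:\temp\issued.cer')   # placeholder: a sub CA cert or an issued user/computer cert

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
# 2.5.29.31 is id-ce-cRLDistributionPoints.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "No CDP extension in '$($cert.Subject)'; check the CA's extension settings" }

# Format($true) renders the extension as multi-line text with one 'URL=...' token per location.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
if (-not $urls) { throw 'CDP extension present but no URL entries found' }

foreach ($url in $urls) {
    if ($url -notmatch '^https?://') {
        "SKIP  $url  (LDAP/file CDP: verify with pkiview.msc)"
        continue
    }
    $crlFile = Join-Path $env:TEMP 'cdp-check.crl'
    try {
        Invoke-WebRequest -Uri $url -OutFile $crlFile -UseBasicParsing -ErrorAction Stop
        # An expired NextUpdate makes chain building fail even though the URL answers.
        $dates = certutil -dump $crlFile | Select-String 'ThisUpdate|NextUpdate'
        "OK    $url"
        $dates | ForEach-Object { '        ' + $_.Line.Trim() }
    } catch {
        # A hostname left over from the pre-merger forest typically shows up here.
        "FAIL  $url  ($($_.Exception.Message))"
    }
}
```

The same check done by Windows itself is `certutil -verify -urlfetch <cert.cer>`, which walks every AIA and CDP URL in the chain; the script above is just the targeted version.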
Author Comment

by:QuadXT
ID: 26174679
Hi Arnold/Paranormastic,

Thank you for your assistance. There are some valid diagnostics provided which I am unfamiliar with (which is good!!), so I will attend to performing all that was requested and get back to you guys with a response!!

Thanks again,

QuadXT
Expert Comment

by:Paranormastic
ID: 26352384
Any updates?