I've got a Server 2008 R2 Enterprise Certificate server. I'm trying to set up my workstation to be an enrollment agent so I can enroll on behalf of other users from the Certificate Manager snap-in.
Here's what I've done so far.
My user account is a Domain Admin, and I've verified that Domain Admins have Read/Enroll permissions for the Enrollment Agent template and the template that I want to enroll on behalf of.
From my workstation, I've requested and received an Enrollment Agent certificate, and it currently resides in my Local User -> Personal -> Certificate store.
When I try and "Enroll on Behalf of," I am unable to see that Enrollment Agent certificate (see attached screenshot).
I've tried placing the Enrollment Agent Certificate in almost every local certificate store, and I still can't select it when enrolling on behalf of another user.
I logged in as the Domain Administrator account on the CA server, requested an Enrollment Agent Certificate, and am able to enroll on behalf of other users just fine, but only when logged into the CA server as the Domain Admin.
I haven't tested logging in as myself on the CA server, or logging on to my workstation as Domain Admin to narrow down if it is the Account or the Computer that is enabling me to EOBO when logged in as Domain Admin on the CA server.