fmoultrie

SBS 2008 CertSvc rejecting auto-enrollment of computer (machine) certificate for Windows 7 domain member

Computers recently joined to the domain are not able to create the domain\computername$ Computer (Machine) certificate. They repeatedly get Appl Evt Log errors 6 and 13 - see attached.

Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID 2858 from VMSERVER1.domain.xyz\DOMAIN.XYZ SBS2008 CA (The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)).

-and-

Automatic certificate enrollment for local system failed (0x8009480f) The DNS name is unavailable and cannot be added to the Subject Alternate name.

This is an SBS 2008 domain and the failing computers are Windows 7 (both currently/fully patched with Windows Update).
CertFail.txt


8/22/2022 - Mon
David Johnson, CD

It is stating that the DNS name is unavailable; ensure that the computer is in your DNS records and also has a computer account.
fmoultrie

ASKER
When the computer is joined to the domain, the computer account is created and the DNS record is also created. That much is working normally - only subsequent cert creation is failing.

Cert request (txt version attached) shows in the certsrv log. There is no Subject Alt Name in the request - but - perhaps that's what the policy module is objecting to, or unable to add. The cert request comes during boot of the new machine, long after the DNS name and computer account were created. Anyone know any way to get more detailed request/response logging around the cert request/creation/failure?
CertReq.txt
btan

Please see below:
- the template you are using allows the subject to be supplied in the request (and specify this template when submitting the request)
- the computer name is resolvable via DNS

http://support.microsoft.com/kb/330238

Also "Troubleshooting Certificate Autoenrollment in Active Directory Certificate Services (AD CS)"
http://social.technet.microsoft.com/wiki/contents/articles/3048.troubleshooting-certificate-autoenrollment-in-active-directory-certificate-services-ad-cs.aspx
fmoultrie

ASKER
Thanks, breadtan, good articles. Note that the failure here is the autoenrollment for the machine cert issues after a workstation joins the domain. See notes below. Any additional help specific to this failure / DNS SubjAltName issue would be greatly appreciated.

Article #1: The join successfully adds the computer name to the DNS forward zone on the SBS server (where the cert svc is running) and a DNS lookup for the computer name works both by nslookup and by inet api (e.g., ping resolves the workstation name).

Article #2: This article seems designed to help debug the failure to create and send the certificate request to the CA.

In my case, the request is submitted, shows up in the log (see above attachments), but always fails. I can even manually request reissue in the CA and it fails. The status is always, "Request Status Code: 0x8009480f (-2146875377) -- The DNS name is unavailable and cannot be added to the Subject Alternate name."

I can see the template for Computer (machine) in the Certificate Templates Console and I don't see anything unusual looking (to me) in the Properties for that request. This is the only computer that is getting this error. I've removed it from the domain and re-added it. I've removed it, renamed it, re-added it. In all cases, exact same error on first login and several times a day.

Please let me know what other information might be helpful (the request and the error details are already attached earlier in this thread.)
ASKER CERTIFIED SOLUTION
btan

fmoultrie

ASKER
Thanks. Good information for when this reoccurs. For the moment, I managed to work around the problem using: http://technet.microsoft.com/en-us/library/cc732425.aspx
(manually created the computer cert). That worked. Of course, I expect it will fail again some time, but I can't recreate the issue now.

Since the KB articles and info you gave me led me to this work-around for the problem, I'm going to mark Accept as Solution. Thanks for the help - I understand a lot more about this issue now and will pick up with your suggestion above when it happens again.
fmoultrie

ASKER
As noted in the follow-up post, I worked around the problem (manually issued the cert) based on information this expert supplied. That's good enough for now - I'll archive this info and pick up here whenever this occurs again. Thanks - I'm back up and running now!
btan

Thanks, glad to have helped; just adding the link below for interest.

Why is autoenrollment only happening if initiated manually through the MMC?
http://blogs.technet.com/b/instan/archive/2011/04/13/why-is-autoenrollment-only-happening-if-initiated-manually-through-the-mmc.aspx
fmoultrie

ASKER
That is the interesting part here - the autoenrollment attempt was occurring regularly (and on every certutil -pulse, for instance). The problem is that the autoenrollment was failing at the server due to the PKCS10 Certificate Request containing "Subject: EMPTY". That subject should be the FQDN of the computer being enrolled. When I manually enrolled the computer, the Subject in the request was properly filled with the FQDN. When autoenrollment occurred, the Subject was blank. I suspect something about the account being used for the scheduled autoenrollment task? Any ideas?
btan

Quick check from the MS site; though it is about an IAS server, I thought it may be useful as it may pertain to the template, or maybe re-generate a new template.

http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx

If you have issued a certificate to your IAS server that has a blank Subject, the certificate is not available to authenticate your IAS server. To change this, you can use Certificate Templates to create a new certificate for enrollment on your IAS server. In the certificate properties, on the Subject Name tab, in Subject name format, select a value other than None.

The Subject name contains a value. If you issue a certificate to your IAS server that has a blank Subject, the certificate is not available to authenticate your IAS server. To configure the certificate template with a Subject name:

Open Certificate Templates.

In the details pane, right-click the certificate template that you want to change, and then click Properties.

Click the Subject Name tab, and then click Build from this Active Directory information.

In Subject name format, select a value other than None.

However, there are other templates that are valid with an empty Subject field:

http://technet.microsoft.com/en-us/library/cc787009(v=ws.10).aspx

A certificate that was issued based on the Domain Controller Authentication certificate template has the following characteristics.
The subject of the certificate is empty.

The certificate purposes (also known as extended key-usage) are set to “Client Authentication (1.3.6.1.5.5.7.3.2)”, “Server Authentication (1.3.6.1.5.5.7.3.1)”, and “Smart Card Logon (1.3.6.1.4.1.311.20.2.2)”. The numbers in parentheses are the corresponding object identifier for each certificate purpose.

The common name of the template is set to “Domain Controller Authentication” or the name of the template that was specified in the certificate request for this certificate type.

The Subject Alternative Name extension contains the domain controller’s fully qualified DNS name of the domain controller.

A certificate that was issued based on the Directory Email Replication certificate template has the following characteristics.
The subject of the certificate is empty.

The certificate purpose (also known as extended key-usage) is set to “Directory Service Email Replication (1.3.6.1.4.1.311.21.19)”. The numbers in parentheses are the corresponding object identifier for each certificate purpose.

The common name of the template is set to “DirectoryEmailReplication” or the name of the template that was specified in the certificate request for this certificate type.

The Subject Alternative Name extension contains the domain controller’s GUID in object identifier 1.3.6.1.4.1.311.25.1 and the FQDN of the domain controller.
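As an added example that is not part of this thread and not Microsoft's code, the script below gathers on the failing Windows 7 member the facts both posts above turn on: whether the host's FQDN resolves, whether the computer account carries a dNSHostName matching it, which Subject Name flags the template carries (the "Build from this Active Directory information" setting btan points at versus "Supply in the request"), the last autoenrollment failures (events 6 and 13), and, for a saved PKCS#10 request such as the one fmoultrie attached, whether its Subject really is EMPTY. It assumes the template CN is `Machine`, that the event provider name is the Windows 7 default, that the CA's default policy module fills the DNS SAN from the computer object's dNSHostName attribute (the attribute the 0x8009480f error is about), and that the CT_FLAG_* bit values follow MS-CRTD; each of those is marked in the code and should be checked against your own forest.

```powershell
# Added example, not code from the thread or from Microsoft. Pre-flight checks for a
# machine certificate autoenrollment that fails with 0x8009480f ("The DNS name is
# unavailable and cannot be added to the Subject Alternate name"). Run in an
# elevated PowerShell on the failing domain member.
param(
    [string]$TemplateName = 'Machine',   # CN of the template in AD (assumed default)
    [string]$RequestFile  = ''           # optional: a saved PKCS#10 request to dump
)

# 1. The FQDN this host believes it has: what the Subject / DNS SAN should carry.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn    = ('{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName).ToLower()
"Local FQDN       : $fqdn"

# 2. Forward DNS lookup; the CA has to be able to resolve the name too.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    "DNS A/AAAA       : $($addrs -join ', ')"
} catch {
    "DNS A/AAAA       : NOT RESOLVABLE ($($_.Exception.Message))"
}

# 3. The computer account's dNSHostName attribute. Assumption: the CA's default
#    policy module takes the DNS name for the SAN from this attribute, so an
#    empty or mismatched value is the first thing to rule out for 0x8009480f.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
[void]$searcher.PropertiesToLoad.Add('dNSHostName')
$acct = $searcher.FindOne()
if ($null -eq $acct) {
    "Computer account : NOT FOUND for $env:COMPUTERNAME`$"
} else {
    $dnsHostName = [string]$acct.Properties['dnshostname'][0]
    "Computer account : $($acct.Path)"
    $verdict = if ($dnsHostName.ToLower() -ne $fqdn) { '  <-- EMPTY or MISMATCH' } else { '  (matches)' }
    "dNSHostName      : '$dnsHostName'$verdict"
}

# 4. Subject-name flags on the template. With "Build from this Active Directory
#    information" the client sends an EMPTY Subject by design and the CA fills it
#    in; with ENROLLEE_SUPPLIES_SUBJECT the client must supply it and an empty
#    subject is rejected. Bit values per MS-CRTD (assumed; verify against the spec).
$configNC  = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$tpl       = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$raw       = [int]$tpl.Properties['msPKI-Certificate-Name-Flag'].Value
$nameFlags = [uint32]('0x{0:X8}' -f $raw)    # re-read the signed int as an unsigned bitmask
'Template {0}: msPKI-Certificate-Name-Flag = 0x{1:X8}' -f $TemplateName, $nameFlags
$flagTable = @(
    @{ Bit = [uint32]0x00000001; Name = 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT' },
    @{ Bit = [uint32]0x00010000; Name = 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME' },
    @{ Bit = [uint32]0x08000000; Name = 'CT_FLAG_SUBJECT_ALT_REQUIRE_DNS' },
    @{ Bit = [uint32]0x10000000; Name = 'CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN' },
    @{ Bit = [uint32]0x40000000; Name = 'CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME' },
    @{ Bit = [uint32]0x80000000; Name = 'CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH' }
)
foreach ($f in $flagTable) {
    if (($nameFlags -band $f.Bit) -ne 0) { "  set: $($f.Name)" }
}

# 5. The last few autoenrollment failures (events 6 and 13) from the Application log.
#    Provider name is the Windows 7 default (assumed).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    Id           = 6, 13
} -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    '{0}  Event {1}: {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0]
}

# 6. Optionally dump a saved request to see whether Subject is EMPTY and whether a
#    DNS Name SAN is present, which is exactly what the CA is complaining about.
if ($RequestFile -and (Test-Path $RequestFile)) {
    certutil -dump $RequestFile | Select-String -Pattern 'Subject:', 'EMPTY', 'DNS Name='
}
```

Run it once, then trigger autoenrollment with `certutil -pulse` (as mentioned earlier in the thread) and run it again to see whether a fresh event 6 or 13 appears. If step 3 shows an empty or mismatched dNSHostName while step 4 shows the template building the subject from AD, the empty Subject in the request is expected client behaviour and the CA-side rejection comes from the account object, not from the workstation; if step 4 shows CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, the template is asking the client for a subject the autoenrollment path never supplies.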