fmoultrie (United States of America) asked:
SBS 2008 CertSvc rejecting auto-enrollment of computer (machine) certificate for Windows 7 domain member

Computers recently joined to the domain are not able to create the domain\computername$ Computer (Machine) certificate. They repeatedly get Appl Evt Log errors 6 and 13 - see attached.

Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID 2858 from VMSERVER1.domain.xyz\DOMAIN.XYZ SBS2008 CA (The DNS name is
unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)).

-and-

Automatic certificate enrollment for local system failed (0x8009480f) The DNS name is unavailable and cannot be added to the Subject Alternate name.

This is an SBS 2008 domain and the failing computers are Windows 7 (both currently/fully patched with Windows Update).
CertFail.txt
David Johnson, CD (Canada):

It is stating that the DNS name is unavailable, ensure that the computer is in your DNS records and also has a computer account.
fmoultrie (asker):

When the computer is joined to the domain, the computer account is created and the DNS record is also created. That much is working normally - only subsequent cert creation is failing.

Cert request (txt version attached) shows in the certsrv log. There is no Subject Alt Name in the request - but - perhaps that's what the policy module is objecting to, or unable to add. The cert request comes during boot of the new machine, long after the DNS name and computer account were created. Anyone know any way to get more detailed request/response logging around the cert request/creation/failure?
CertReq.txt
btan:

Please see below:
- the template you are using allows the subject to be supplied in the request (and specify this template when submitting the request)
- the computer name is resolvable via DNS

http://support.microsoft.com/kb/330238

Also "Troubleshooting Certificate Autoenrollment in Active Directory Certificate Services (AD CS)"
http://social.technet.microsoft.com/wiki/contents/articles/3048.troubleshooting-certificate-autoenrollment-in-active-directory-certificate-services-ad-cs.aspx
Thanks, breadtan, good articles. Note that the failure here is the autoenrollment for the machine cert issues after a workstation joins the domain. See notes below. Any additional help specific to this failure / DNS SubjAltName issue would be greatly appreciated.

Article #1: The join successfully adds the computer name to the DNS forward zone on the SBS server (where the cert svc is running) and a DNS lookup for the computer name works both by nslookup and by inet api (e.g., ping resolves the workstation name).

Article #2: This article seems designed to help debug the failure to create and send the certificate request to the CA.

In my case, the request is submitted, shows up in the log (see above attachments), but always fails. I can even manually request reissue in the CA and it fails. The status is always, "  Request Status Code: 0x8009480f (-2146875377) -- The DNS name is unavailable and cannot be added to the Subject Alternate name."

I can see the template for Computer (machine) in the Certificate Templates Console and I don't see anything unusual looking (to me) in the Properties for that request. This is the only computer that is getting this error. I've removed it from the domain and readded. I've removed it, renamed it, readded. In all cases, exact same error on first login and several times a day.

Please let me know what other information might be helpful (the request and the error details are already attached earlier in this thread.)
ASKER CERTIFIED SOLUTION
btan:

This solution is only available to members.
Thanks. Good information for when this reoccurs. For the moment, I managed to work around the problem using: http://technet.microsoft.com/en-us/library/cc732425.aspx
(manually created the computer cert). That worked; of course, I expect it will fail again some time, but I can't recreate the issue now.

Since the KB articles and info you gave me led me to this work-around for the problem, I'm going to mark Accept as Solution. Thanks for the help - I understand a lot more about this issue now and will pick up with your suggestion above when it happens again.
As noted in the follow-up post, I worked around the problem (manually issued the cert) based on information this expert supplied. That's good enough for now - I'll archive this info and pick up here whenever this occurs again. Thanks - I'm back up and running now!
Thanks, glad to have helped; just adding the link below for interest.

Why is autoenrollment only happening if initiated manually through the MMC?
http://blogs.technet.com/b/instan/archive/2011/04/13/why-is-autoenrollment-only-happening-if-initiated-manually-through-the-mmc.aspx
That is the interesting part here - the autoenrollment attempt was occurring regularly (and on every certutil -pulse, for instance). The problem is that the autoenrollment was failing at the server due to the PKCS10 Certificate Request containing "Subject: EMPTY". That subject should be the FQDN of the computer being enrolled. When I manually enrolled the computer, the Subject in the request was properly filled with the FQDN. When autoenrollment occurred, the Subject was blank. I suspect something about the account being used for the scheduled autoenrollment task? Any ideas?
Quick check from the MS site; though it is for an IAS server, I thought it may be useful, as it may pertain to the template, or maybe regenerate another new template.
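The asker's diagnosis rests on two fields of the PKCS#10 request: an empty Subject and no Subject Alternative Name for the CA to work with. As an added example (not code from the thread or from Microsoft), here is a stdlib-only Python check that walks a DER-encoded request and reports exactly those two facts; a real .req file exported from the client or the CA database can be fed to `analyze_csr` after base64-decoding any PEM wrapper. The `build_csr` helper, the dummy key and signature bytes, and the hostname `ws01.domain.xyz` are constructed here for the demonstration and are not from the page.

```python
OID_CN      = bytes.fromhex("550403")                # 2.5.4.3 commonName
OID_SAN     = bytes.fromhex("551d11")                # 2.5.29.17 subjectAltName
OID_EXT_REQ = bytes.fromhex("2a864886f70d01090e")    # 1.2.840.113549.1.9.14 extensionRequest

def tlv(tag, body):                                   # DER-encode one tag/length/value
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xff])
    return bytes([tag]) + ln + body

def items(buf):                                       # split a DER body into (tag, value) children
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                                 # long form: next k bytes hold the length
            ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7f)], "big"), pos + (ln & 0x7f)
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def analyze_csr(der):
    """Report whether the Subject is empty and which dNSNames the SAN extension requests."""
    info = items(items(der)[0][1])[0][1]              # CertificationRequest -> certificationRequestInfo
    _version, subject, _spki, attrs = [v for _, v in items(info)]
    dns = []
    for _, attr in items(attrs):                      # Attribute ::= SEQUENCE { type OID, values SET }
        oid, vals = [v for _, v in items(attr)]
        if oid != OID_EXT_REQ:
            continue
        for _, ext in items(items(vals)[0][1]):       # SET { Extensions SEQUENCE OF Extension }
            parts = items(ext)                        # Extension ::= SEQUENCE { OID, [critical], OCTET STRING }
            if parts[0][1] == OID_SAN:
                names = items(items(parts[-1][1])[0][1])           # OCTET STRING -> GeneralNames SEQUENCE
                dns += [v.decode() for t, v in names if t == 0x82]  # [2] dNSName
    return {"subject_empty": len(subject) == 0, "san_dns": dns}

# Constructed sample requests: dummy rsaEncryption key and sha256WithRSA signature, never verified here.
DUMMY_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b"")) + tlv(0x03, b"\x00\x30\x00"))
DUMMY_SIG  = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b"")) + tlv(0x03, b"\x00")

def build_csr(subject_cn=None, san_dns=()):
    """Minimal PKCS#10 skeleton with an optional CN subject and optional SAN dNSNames (demo only)."""
    subject = tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0c, subject_cn.encode()))) if subject_cn else b""
    attrs = b""
    if san_dns:
        names = tlv(0x30, b"".join(tlv(0x82, n.encode()) for n in san_dns))
        ext = tlv(0x30, tlv(0x06, OID_SAN) + tlv(0x04, names))
        attrs = tlv(0x30, tlv(0x06, OID_EXT_REQ) + tlv(0x31, tlv(0x30, ext)))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, subject) + DUMMY_SPKI + tlv(0xa0, attrs))
    return tlv(0x30, info + DUMMY_SIG)
```

`analyze_csr(build_csr())` reproduces the failing shape from the thread (empty Subject, no SAN), while `build_csr("ws01.domain.xyz", ["ws01.domain.xyz"])` is the shape a manual enrollment produced.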

http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx

If you have issued a certificate to your IAS server that has a blank Subject, the certificate is not available to authenticate your IAS server. To change this, you can use Certificate Templates to create a new certificate for enrollment on your IAS server. In the certificate properties, on the Subject Name tab, in Subject name format, select a value other than None.

The Subject name contains a value. If you issue a certificate to your IAS server that has a blank Subject, the certificate is not available to authenticate your IAS server. To configure the certificate template with a Subject name:

1. Open Certificate Templates.
2. In the details pane, right-click the certificate template that you want to change, and then click Properties.
3. Click the Subject Name tab, and then click Build from this Active Directory information.
4. In Subject name format, select a value other than None.

However, there are others that are valid with an empty field for the subject:

http://technet.microsoft.com/en-us/library/cc787009(v=ws.10).aspx

A certificate that was issued based on the Domain Controller Authentication certificate template has the following characteristics.
The subject of the certificate is empty.

The certificate purposes (also known as extended key-usage) are set to “Client Authentication (1.3.6.1.5.5.7.3.2)”, “Server Authentication (1.3.6.1.5.5.7.3.1)”, and “Smart Card Logon (1.3.6.1.4.1.311.20.2.2)”. The numbers in parentheses are the corresponding object identifier for each certificate purpose.

The common name of the template is set to “Domain Controller Authentication” or the name of the template that was specified in the certificate request for this certificate type.

The Subject Alternative Name extension contains the fully qualified DNS name of the domain controller.

A certificate that was issued based on the Directory Email Replication certificate template has the following characteristics.
The subject of the certificate is empty.

The certificate purpose (also known as extended key-usage) is set to “Directory Service Email Replication (1.3.6.1.4.1.311.21.19)”. The numbers in parentheses are the corresponding object identifier for each certificate purpose.

The common name of the template is set to “DirectoryEmailReplication” or the name of the template that was specified in the certificate request for this certificate type.

The Subject Alternative Name extension contains the domain controller’s GUID in object identifier 1.3.6.1.4.1.311.25.1 and the FQDN of the domain controller.