SBS 2008 CertSvc rejecting auto-enrollment of computer (machine) certificate for Windows 7 domain member

fmoultrie
Computers recently joined to the domain are not able to create the domain\computername$ Computer (Machine) certificate. They repeatedly get Appl Evt Log errors 6 and 13 - see attached.

Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID 2858 from VMSERVER1.domain.xyz\DOMAIN.XYZ SBS2008 CA (The DNS name is
unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)).

-and-

Automatic certificate enrollment for local system failed (0x8009480f) The DNS name is unavailable and cannot be added to the Subject Alternate name.

This is an SBS 2008 domain and the failing computers are Windows 7 (both currently/fully patched with Windows Update).
CertFail.txt
Top Expert 2016

Commented:
It is stating that the DNS name is unavailable; ensure that the computer is in your DNS records and also has a computer account.

Author

Commented:
When the computer is joined to the domain, the computer account is created and the DNS record is also created. That much is working normally - only subsequent cert creation is failing.

Cert request (txt version attached) shows in the certsrv log. There is no Subject Alt Name in the request - but - perhaps that's what the policy module is objecting to, or unable to add. The cert request comes during boot of the new machine, long after the DNS name and computer account were created. Anyone know any way to get more detailed request/response logging around the cert request/creation/failure?
CertReq.txt
btan
Exec Consultant
Distinguished Expert 2018

Commented:
Please see below:
- the template you are using allows the subject to be supplied in the request (and specify this template when submitting the request)
- the computer name is resolvable via DNS

http://support.microsoft.com/kb/330238

Also "Troubleshooting Certificate Autoenrollment in Active Directory Certificate Services (AD CS)":
http://social.technet.microsoft.com/wiki/contents/articles/3048.troubleshooting-certificate-autoenrollment-in-active-directory-certificate-services-ad-cs.aspx
Author

Commented:
Thanks, breadtan, good articles. Note that the failure here is the autoenrollment for the machine cert issues after a workstation joins the domain. See notes below. Any additional help specific to this failure / DNS SubjAltName issue would be greatly appreciated.

Article #1: The join successfully adds the computer name to the DNS forward zone on the SBS server (where the cert svc is running) and a DNS lookup for the computer name works both by nslookup and by inet api (e.g., ping resolves the workstation name).

Article #2: This article seems designed to help debug the failure to create and send the certificate request to the CA.

In my case, the request is submitted, shows up in the log (see above attachments), but always fails. I can even manually request reissue in the CA and it fails. The status is always, "  Request Status Code: 0x8009480f (-2146875377) -- The DNS name is unavailable and cannot be added to the Subject Alternate name."

I can see the template for Computer (machine) in the Certificate Templates Console and I don't see anything unusual looking (to me) in the Properties for that request. This is the only computer that is getting this error. I've removed it from the domain and readded. I've removed it, renamed it, readded. In all cases, exact same error on first login and several times a day.

Please let me know what other information might be helpful (the request and the error details are already attached earlier in this thread.)
Exec Consultant
Distinguished Expert 2018
Commented:
Just to make sure, this ref "troubleshooting enrollment"- http://blogs.technet.com/b/xdot509/archive/2012/10/18/troubleshooting-autoenrollment.aspx

- determine that the GPO is applying to the machine by running RSOP.MSC on the affected machine and seeing if the autoenrollment setting is applied.
- verify that the Client Side Extensions are setting the registry keys associated with autoenrollment.
- the principal requesting the certificate must have Read, Enroll, and AutoEnroll permissions on the certificate template on which the certificate request is based.
- the security template must be configured to build the subject/subject alternate name from Active Directory information.

Typically, the Subject Alternate Name is used for the authentication of the client. Windows Certificate Services only allows the use of a DNS name or SPN for the alternate name. It will be good for the name format to use fully qualified domain names for site systems in Configuration Manager (required for Internet-based client management, and recommended for clients on the intranet).

To enable logging of autoenrollment processes, including warning and informational messages, the following registry values must be created.
User Autoenrollment
HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel"; set value to 0.
Machine Autoenrollment
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel"; set value to 0.

For additional logging if the issue persists, we can enable CAPI2 logging. For the steps to enable the CAPI2 log, please refer to the "Enable and save the CAPI2 log from Event Viewer" section at http://technet.microsoft.com/en-us/library/cc749296(WS.10).aspx.

Author

Commented:
Thanks. Good information for when this reoccurs. For the moment, I managed to work around the problem using: http://technet.microsoft.com/en-us/library/cc732425.aspx
(manually created the computer cert). That worked; of course, I expect it will fail again some time, but I can't recreate the issue now.

Since the KB articles and info you gave me led me to this work-around for the problem, I'm going to mark Accept as Solution. Thanks for the help - I understand a lot more about this issue now and will pick up with your suggestion above when it happens again.

Author

Commented:
As noted in the follow-up post, I worked around the problem (manually issued the cert) based on information this expert supplied. That's good enough for now - I'll archive this info and pick up here whenever this occurs again. Thanks - I'm back up and running now!
btan
Exec Consultant
Distinguished Expert 2018

Commented:
Thanks, glad to have helped; just to add the below link for interest:

Why is autoenrollment only happening if initiated manually through the MMC?
http://blogs.technet.com/b/instan/archive/2011/04/13/why-is-autoenrollment-only-happening-if-initiated-manually-through-the-mmc.aspx

Author

Commented:
That is the interesting part here - the autoenrollment attempt was occurring regularly (and on every certutil -pulse, for instance). The problem is that the autoenrollment was failing at the server due to the PKCS10 Certificate Request containing "Subject: EMPTY". That subject should be the FQDN of the computer being enrolled. When I manually enrolled the computer, the Subject in the request was properly filled with the FQDN. When autoenrollment occurred, the Subject was blank. I suspect something about the account being used for the scheduled autoenrollment task? Any ideas?
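The post above pins the failure to a PKCS#10 request whose Subject is empty, while the manually enrolled request carried the FQDN. The following is an added example (not code from the thread or from Microsoft) that walks a DER-encoded CSR with only the Python standard library and reports the Subject CN and any dNSName entries in a requested subjectAltName, so a request pulled from the CA's log can be checked for the identity the CA needs before the policy module rejects it. The two sample requests are constructed inline with dummy key and signature bytes, and the workstation name ws01.domain.xyz is an assumed value, not one from the thread.

```python
"""Inspect a PKCS#10 request for the DNS identity the CA needs to build a SAN.
Pure DER walk on the standard library. Sample requests are constructed inline
(dummy key and signature), not captured from a real enrollment."""
from typing import Dict, List, Optional, Tuple

OID_CN = "2.5.4.3"
OID_EXT_REQ = "1.2.840.113549.1.9.14"   # PKCS#9 extensionRequest attribute
OID_SAN = "2.5.29.17"                   # subjectAltName extension


# --- minimal DER encoding, used only to build the constructed samples ---

def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:                        # base-128 with continuation bits
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


# --- minimal DER decoding ---

def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for buf[pos:]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def decode_oid(body: bytes) -> str:
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def inspect_csr(der: bytes) -> Dict[str, object]:
    """Report the Subject CN and SAN dNSName entries carried by a CSR."""
    _, request, _ = read_tlv(der)                 # CertificationRequest
    _, info, _ = read_tlv(request)                # certificationRequestInfo
    fields = children(info)                       # version, subject, spki, [0] attributes
    cn: Optional[str] = None
    for _, rdn in children(fields[1][1]):         # an empty Name has no RDNs at all
        for _, atv in children(rdn):
            typ, val = children(atv)[:2]
            if decode_oid(typ[1]) == OID_CN:
                cn = val[1].decode("utf-8")
    dns_names: List[str] = []
    attributes = fields[3][1] if len(fields) > 3 else b""
    for _, attr in children(attributes):          # Attribute ::= SEQ { type, SET OF value }
        attr_type, attr_values = children(attr)[:2]
        if decode_oid(attr_type[1]) != OID_EXT_REQ:
            continue
        for _, extensions in children(attr_values[1]):
            for _, ext in children(extensions):   # Extension ::= SEQ { id, [critical], value }
                parts = children(ext)
                if decode_oid(parts[0][1]) != OID_SAN:
                    continue
                _, names, _ = read_tlv(parts[-1][1])   # OCTET STRING wraps GeneralNames
                for tag, body in children(names):
                    if tag == 0x82:               # dNSName [2] IMPLICIT IA5String
                        dns_names.append(body.decode("ascii"))
    return {"subject_cn": cn, "dns_names": dns_names,
            "has_dns_identity": cn is not None or bool(dns_names)}


def build_sample_csr(subject_cn: Optional[str], dns_names: List[str]) -> bytes:
    """Constructed sample only: dummy key and signature, never a real request."""
    version = tlv(0x02, b"\x00")
    if subject_cn is None:
        subject = tlv(0x30, b"")                  # zero RDNs: what "Subject: EMPTY" looks like
    else:
        atv = tlv(0x30, oid(OID_CN) + tlv(0x0C, subject_cn.encode("utf-8")))
        subject = tlv(0x30, tlv(0x31, atv))
    algorithm = tlv(0x30, oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
    spki = tlv(0x30, algorithm + tlv(0x03, b"\x00" + b"\x01" * 16))
    if dns_names:
        names = tlv(0x30, b"".join(tlv(0x82, n.encode("ascii")) for n in dns_names))
        ext = tlv(0x30, oid(OID_SAN) + tlv(0x04, names))
        attributes = tlv(0xA0, tlv(0x30, oid(OID_EXT_REQ) + tlv(0x31, tlv(0x30, ext))))
    else:
        attributes = tlv(0xA0, b"")
    info = tlv(0x30, version + subject + spki + attributes)
    sig_alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    return tlv(0x30, info + sig_alg + tlv(0x03, b"\x00" * 17))


# Constructed samples: the shape of the failing autoenrollment request versus a
# manual enrollment; ws01.domain.xyz is an assumed workstation name.
FAILING_REQUEST = build_sample_csr(None, [])
HEALTHY_REQUEST = build_sample_csr("ws01.domain.xyz", ["ws01.domain.xyz"])

if __name__ == "__main__":
    for label, csr in (("autoenrollment", FAILING_REQUEST), ("manual", HEALTHY_REQUEST)):
        print(label, inspect_csr(csr))
```

To run this against a real request, pass the raw DER bytes of the saved request file to inspect_csr; a base64/PEM-encoded request needs its header and footer lines stripped and the body base64-decoded first. A result with neither a Subject CN nor a dNSName matches the empty-Subject request described in the post, which is worth checking before looking at the template's Subject Name settings.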
btan
Exec Consultant
Distinguished Expert 2018

Commented:
Quick check from the MS site; though it is for an IAS server, I thought it may be useful as it may pertain to the template, or maybe regenerate another new template.

http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx

If you have issued a certificate to your IAS server that has a blank Subject, the certificate is not available to authenticate your IAS server. To change this, you can use Certificate Templates to create a new certificate for enrollment on your IAS server. In the certificate properties, on the Subject Name tab, in Subject name format, select a value other than None.

The Subject name contains a value. If you issue a certificate to your IAS server that has a blank Subject, the certificate is not available to authenticate your IAS server. To configure the certificate template with a Subject name:

Open Certificate Templates.

In the details pane, right-click the certificate template that you want to change, and then click Properties.

Click the Subject Name tab, and then click Build from this Active Directory information.

In Subject name format, select a value other than None.

However, there are others that are valid with an empty field for the subject:

http://technet.microsoft.com/en-us/library/cc787009(v=ws.10).aspx

A certificate that was issued based on the Domain Controller Authentication certificate template has the following characteristics.
The subject of the certificate is empty.

The certificate purposes (also known as extended key-usage) are set to “Client Authentication (1.3.6.1.5.5.7.3.2)”, “Server Authentication (1.3.6.1.5.5.7.3.1)”, and “Smart Card Logon (1.3.6.1.4.1.311.20.2.2)”. The numbers in parentheses are the corresponding object identifier for each certificate purpose.

The common name of the template is set to “Domain Controller Authentication” or the name of the template that was specified in the certificate request for this certificate type.

The Subject Alternative Name extension contains the fully qualified DNS name of the domain controller.

A certificate that was issued based on the Directory Email Replication certificate template has the following characteristics.
The subject of the certificate is empty.

The certificate purpose (also known as extended key-usage) is set to “Directory Service Email Replication (1.3.6.1.4.1.311.21.19)”. The numbers in parentheses are the corresponding object identifier for each certificate purpose.

The common name of the template is set to “DirectoryEmailReplication” or the name of the template that was specified in the certificate request for this certificate type.

The Subject Alternative Name extension contains the domain controller’s GUID in object identifier 1.3.6.1.4.1.311.25.1 and the FQDN of the domain controller.
