MFAFC
asked on
Certificate is not auto enrolling
Hi,
I'm brand new to experts exchange and am hoping somebody can assist me with the below.
I'm not hugely familiar with CA's, NPS etc but here goes.
We have a Windows 2008 RADIUS server that manages connections to our Wireless network. It uses certificate based authentication.
Group policy takes care of auto enrolling clients. (My computer account is in an OU where the computer settings are set to auto enroll). For some reason I cannot get the CA to issue me a new certificate.
My machine (Windows 7) had a certificate but when trying to connect to the wifi I could see there was an error that I did not match any policy. I decided to remove the certificate from my machine so I would be issued a new one. This is where it doesn't work. I can see certificates being issued to other clients but it won't for me not matter how many times I log on/off or retstart. There are plenty of other users able to use the wifi with their issued certificates. If I log onto a machine that has just been rebuilt and not logged onto the domain before, the certificate gets issued. I can then export this to my other machine and it works fine.
When the certificate gets issued, should it go to the certificate store of the user account or computer?
Any help/advice to solve this would be greatly appreciated. I will try to answer any questions that may arise.
Thanks
Mark
I'm brand new to experts exchange and am hoping somebody can assist me with the below.
I'm not hugely familiar with CA's, NPS etc but here goes.
We have a Windows 2008 RADIUS server that manages connections to our Wireless network. It uses certificate based authentication.
Group policy takes care of auto enrolling clients. (My computer account is in an OU where the computer settings are set to auto enroll). For some reason I cannot get the CA to issue me a new certificate.
My machine (Windows 7) had a certificate but when trying to connect to the wifi I could see there was an error that I did not match any policy. I decided to remove the certificate from my machine so I would be issued a new one. This is where it doesn't work. I can see certificates being issued to other clients but it won't for me not matter how many times I log on/off or retstart. There are plenty of other users able to use the wifi with their issued certificates. If I log onto a machine that has just been rebuilt and not logged onto the domain before, the certificate gets issued. I can then export this to my other machine and it works fine.
When the certificate gets issued, should it go to the certificate store of the user account or computer?
Any help/advice to solve this would be greatly appreciated. I will try to answer any questions that may arise.
Thanks
Mark
is this user or computer certificate?
Did you also revoke certificate or just delete from local store on computer?
If you just delete it, you need to revoke this on CA-server aswell.
Most likely it is set "Do not reenroll is certificate exist in AD" and if you go to Active Directory Users and Computers - view - Advanced features and look at you user object - you'll see a tab called published certificates. Probably you'll have your cert here.
So:
- revoke
- replicate
- try to reissue (alternatively certutil -pulse and gpupdate /force on computer, or reboot)
Did you also revoke certificate or just delete from local store on computer?
If you just delete it, you need to revoke this on CA-server aswell.
Most likely it is set "Do not reenroll is certificate exist in AD" and if you go to Active Directory Users and Computers - view - Advanced features and look at you user object - you'll see a tab called published certificates. Probably you'll have your cert here.
So:
- revoke
- replicate
- try to reissue (alternatively certutil -pulse and gpupdate /force on computer, or reboot)
ASKER
Hi Jakob,
Thanks for the quick response.
I'm not sure if it's a user or computer certificate - I didn't set this up originally. How would I tell?
I didn't revoke the certs first - I just deleted it from the local store on the machine - from trusted root and intermediate.
Looking at the certificate template settings, the, "Do not automatically reenroll if a duplicate certificate exists in AD" is not checked so it musn't be that.
Looking in AD, there is no certificate listed for me since 11th Feb.
Certutil -pulse gives me an access denied error I'm afraid.
I have just found a temporary workaround. By opening the cert store on the local machine and from the personal cert folder I can request a new certificate manually for the Wireless authentication. If I then copy and paste this into trusted root, I am able to connect to the wireless. Looking at my account in AD, under published certificates, I can now see a certificate for me today.
Like you advised, as a test is it now worth revoking the certs on the CA server, deleting them from the local store on my machine and allowing group policy to auto enrol me with a new one? Should this then create new entries in the cert store?
How do I know if this is setup to be a user or computer cert?
Thanks you for your help so far - it is very much appreciated.
Thanks for the quick response.
I'm not sure if it's a user or computer certificate - I didn't set this up originally. How would I tell?
I didn't revoke the certs first - I just deleted it from the local store on the machine - from trusted root and intermediate.
Looking at the certificate template settings, the, "Do not automatically reenroll if a duplicate certificate exists in AD" is not checked so it musn't be that.
Looking in AD, there is no certificate listed for me since 11th Feb.
Certutil -pulse gives me an access denied error I'm afraid.
I have just found a temporary workaround. By opening the cert store on the local machine and from the personal cert folder I can request a new certificate manually for the Wireless authentication. If I then copy and paste this into trusted root, I am able to connect to the wireless. Looking at my account in AD, under published certificates, I can now see a certificate for me today.
Like you advised, as a test is it now worth revoking the certs on the CA server, deleting them from the local store on my machine and allowing group policy to auto enrol me with a new one? Should this then create new entries in the cert store?
How do I know if this is setup to be a user or computer cert?
Thanks you for your help so far - it is very much appreciated.
ASKER
Update - running a command prompt as admin and then using Certutil -pulse got rid of the access denied error.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Jakob,
I have done the above exactly as you described. I revoked the certs from the CA with the reason of superceeded, removed the certs from my AD account and removed them from the local store under "My User" account"
I have left the certificates in trusted root and intermediate store as I now understand those are present simply from having the CA on the domain.
I have logged back on and the certificate still does not auto enroll. Checking AD there were no published certs for me. Again, I have had to manually request to enroll the certificate. Upon doing so allowed me to connect to wifi.
With regards to the connection policy, it is set to use Microsoft Smart Card - I have attached a screenshot.
Cert.jpg
I have done the above exactly as you described. I revoked the certs from the CA with the reason of superceeded, removed the certs from my AD account and removed them from the local store under "My User" account"
I have left the certificates in trusted root and intermediate store as I now understand those are present simply from having the CA on the domain.
I have logged back on and the certificate still does not auto enroll. Checking AD there were no published certs for me. Again, I have had to manually request to enroll the certificate. Upon doing so allowed me to connect to wifi.
With regards to the connection policy, it is set to use Microsoft Smart Card - I have attached a screenshot.
Cert.jpg
OK
the autoenrollment can be sketchy business if you first have failed in an enrollment. Try GUPDATE /FORCE
regarding your Network Policy - please uncheck the Mschap and mschap v2 option, as they will allow users to connect using username and password in domain, without certificate, and without setting up an encrpted tunnel
the autoenrollment can be sketchy business if you first have failed in an enrollment. Try GUPDATE /FORCE
regarding your Network Policy - please uncheck the Mschap and mschap v2 option, as they will allow users to connect using username and password in domain, without certificate, and without setting up an encrpted tunnel
ASKER
I will give that a try throughout the course of the day.
It's strange because I did get auto enrolled originally and the system does actually work for everybody else - until I delete the cert and try to let it auto enroll again.
I will come back with the results.
Thanks
It's strange because I did get auto enrolled originally and the system does actually work for everybody else - until I delete the cert and try to let it auto enroll again.
I will come back with the results.
Thanks
ASKER
Hi Jakob,
I've been doing some more digging and it looks like this could actually be a group policy issue where my computer account is sitting. This GPO is set to auto enroll (computer config settings) to enabled but it looks like this GPO is not applying when I do a gpresult -R. It's the same for each computer that is in that OU actually.
I'm trying to look at why the GPO is not applying but I haven't found anything yet. I'm going to create a new test GPO and see what that does.
I've been doing some more digging and it looks like this could actually be a group policy issue where my computer account is sitting. This GPO is set to auto enroll (computer config settings) to enabled but it looks like this GPO is not applying when I do a gpresult -R. It's the same for each computer that is in that OU actually.
I'm trying to look at why the GPO is not applying but I haven't found anything yet. I'm going to create a new test GPO and see what that does.
as a best practice - you should set autoenroll settings in Default Domain policy and (important) instead restrict autoenrollment on Certificate Templates to groups.
Example: if you set default domain policy to allow automatic certificate enrollment, but only the group grpUserCerts have the permission set to autoenroll, only members of that group would get the certificate.
You limit restrictions to autoenrollment on certificates on certificate templates MMC (certtmpl.msc from RUN).
Also - remove all certificate templates you're not enrolling - they will only be removed from CA and can be EASILY imported back..
ALSO - I'd recommend turning on credentials roaming on user certificate enrollment policy. With this the users will only get one certificate, and this will be loaded from User Object in AD to the user profile on all domain joined (!) devices the users logs on to. A must have if certs are used for encryption or secured email
Example: if you set default domain policy to allow automatic certificate enrollment, but only the group grpUserCerts have the permission set to autoenroll, only members of that group would get the certificate.
You limit restrictions to autoenrollment on certificates on certificate templates MMC (certtmpl.msc from RUN).
Also - remove all certificate templates you're not enrolling - they will only be removed from CA and can be EASILY imported back..
ALSO - I'd recommend turning on credentials roaming on user certificate enrollment policy. With this the users will only get one certificate, and this will be loaded from User Object in AD to the user profile on all domain joined (!) devices the users logs on to. A must have if certs are used for encryption or secured email
ASKER
Network Policy Server denied access to a user
and then;
The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
Obviously this is due to the fact I am not getting a certificate.
Thanks