I'm trying to build a DirectAccess PoC and seem to be stumbling at what should be a very simple stage, requesting a Machine certificate. I have two forests, one trusted and one perimeter with an established two-way trust. My PKI is part of the trusted forest, and my DA server is a member of the perimeter forest. My PKI is 2012 R2, one Root, two subordinates. I have deployed CES and CEP on two (trusted forest) member servers using integrated Kerberos authentication, have the SPNs, delegation of the service accounts, and published the URI for CEP in a GPO in the perimeter forest. I have two problems as a result.
1) My DA server times out when requesting a certificate. Looking at the firewall logs, after querying my CEP server (over SSL) in the Perimeter Network, it starts spewing out unencrypted LDAP requests to the DCs within the trusted forest.
2) My Perimeter RWDCs have no firewall in the way, and can query the PKI via CEP. However, they get the "You cannot request a certificate at this time because no certificate types are available" message. However, selecting Show all templates, I do seem to have a user Certificate published, although it's obviously not available. I have amended the computer template to permit read and enrol to the perimeter forest Domain controllers and domain members, and they are resolvable via DNS.
I've been bashing my head against a wall for three days with this, so any glimmer of hope would be gratefully received. Thanks
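The following PowerShell diagnostic is an added example from the editor, not code from the poster. It walks the same path the Certificates MMC wizard takes when it shows "no certificate types are available": it lists the CEP endpoints the GPO delivered to the machine context, checks for a machine Kerberos ticket, asks the CEP service directly which templates it will offer this computer, tests reachability of the trusted forest DCs on the Kerberos and LDAP ports seen in the firewall logs, and finally attempts an explicit Machine enrolment. The CEP URL, host names and service account name are placeholders; the numeric enum values passed to the X509Enrollment COM interface are the documented X509Enrollment constants and are noted in comments.

```powershell
# Added diagnostic script (editor's example, not from the original post).
# Run in an elevated PowerShell on the enrolling machine (the DA server or a
# perimeter RWDC). All URLs, host names and account names below are placeholders.

$CepUrl      = 'https://cep.trusted.example/ADPolicyProvider_CEP_Kerberos/service.svc/CEP'  # placeholder
$TrustedDcs  = @('dc1.trusted.example', 'dc2.trusted.example')                             # placeholders
$CepSvcAcct  = 'TRUSTED\svc_cep'                                                           # placeholder

# 1. Which enrollment policy servers did Group Policy actually deliver for the
#    computer account? If nothing is listed here, the GPO never reached this host.
Write-Host '--- Machine-context enrollment policy servers (from GPO) ---'
Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine | Format-List *

# 2. Does the computer's own logon session (SYSTEM, LUID 0x3e7) hold a Kerberos
#    ticket for the CEP service? Kerberos-authenticated CEP cannot work without it.
Write-Host '--- Kerberos tickets in the SYSTEM logon session ---'
klist -li 0x3e7

# 3. Can the enrolling host reach the trusted forest DCs on the ports the post's
#    firewall logs show it trying (Kerberos 88, LDAP 389)? A blocked 389 here
#    matches the "DA server times out" symptom.
Write-Host '--- Reachability of trusted-forest DCs ---'
foreach ($dc in $TrustedDcs) {
    foreach ($port in 88, 389) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        '{0,-28} tcp/{1,-4} {2}' -f $dc, $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
    }
}

# 4. Ask the CEP service which templates it offers THIS computer. This is the same
#    web-service call the MMC wizard makes behind "Show all templates", bypassing
#    the local policy cache so a freshly changed template ACL is reflected.
Write-Host '--- Templates offered by CEP to the machine context ---'
try {
    $policy = New-Object -ComObject 'X509Enrollment.CX509EnrollmentPolicyWebService'
    # Initialize(url, policyId, authFlags, isUntrusted, context)
    #   authFlags 2 = X509AuthKerberos, context 2 = ContextMachine
    $policy.Initialize($CepUrl, '', 2, $false, 2)
    $policy.LoadPolicy(2)   # 2 = LoadOptionReload (ignore cached policy)
    $templates = @($policy.GetTemplates())
    if ($templates.Count -eq 0) {
        Write-Warning 'CEP answered but offered no templates: check Read + Enroll on the template for the perimeter computers and that the CES CA actually publishes it.'
    }
    foreach ($t in $templates) {
        # Property 1 = TemplatePropCommonName, 2 = TemplatePropFriendlyName
        '{0,-30} {1}' -f $t.Property(1), $t.Property(2)
    }
} catch {
    # An exception here (401, 403, Kerberos failure) points at authentication or
    # delegation rather than at template permissions.
    Write-Warning "CEP policy download failed: $($_.Exception.Message)"
}

# 5. Try an explicit machine enrolment against that endpoint so the error text,
#    if any, comes from the CES/CA side rather than from the wizard.
Write-Host '--- Explicit Machine enrolment via CEP ---'
Get-Certificate -Template 'Machine' -Url $CepUrl -CertStoreLocation 'Cert:\LocalMachine\My'

# 6. On a trusted-forest host: confirm the HTTP SPN is registered exactly once and
#    on the account CEP/CES run under (duplicate or missing SPNs break Kerberos).
Write-Host '--- SPN checks (run from the trusted forest) ---'
setspn -Q 'HTTP/cep.trusted.example'   # placeholder host
setspn -L $CepSvcAcct
```

Read the output top down: an empty list in step 1 means a policy problem, a missing HTTP/ ticket in step 2 or an exception in step 4 means authentication or delegation, a non-empty step 4 list that lacks "Machine" means template permissions or CA publication, and a blocked port in step 3 explains the timeout rather than any PKI setting.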