PKI cross domain certification

I'm trying to build a DirectAccess PoC and seem to be stumbling at what should be a very simple stage, requesting a Machine certificate.  I have two forests, one trusted and one perimeter with an established two way trust.  My PKI is part of the trusted forest, and my DA server is a member of the perimeter forest .  My PKI is 2012r2, one Root, two subordinates.  I have deployed CES and CEP on two (trusted forest) member servers using integrated Kerberos authentication, have the SPNs, delegation of the service accounts, and published the URI for CEP in a GPO in the perimeter forest.  I have two problems as a result.  

1) My DA server times out when requesting a certificate.  Looking at the firewall logs, after querying my CEP server (over SSL) in the Perimeter Network, it starts spewing out unencrypted LDAP requests to the DCs within the trusted forest.

2) My Perimeter RWDCs have no firewall in the way, and can query the PKI via CEP.  However, get the "You cannot request a certificate at this time because no certificate types are available" message.  However, selecting Show all templates, I do seem to have a user Certificate published, although it's obviously not available.  I have amended the computer template to permit read and enrol to the perimeter forest Domain controllers and domain members, and they are resolvable via DNS.

I've been bashing my head against a wall for three days with this, so I any glimmer of hope would be gratefully received.  Thanks
Mark LoganAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

If you can not select a certificate even you see it showing all templates, then the cert template it out of your scope. The permissions on the cert template has usually allow the computer to enroll as well as the user needs read, enroll permission. For user certs only the user needs permissions, for computer certs both need the permission.
What is CES and CEP servers?

make sure that Subordinate CA and root CA certificates are installed under trusted cert zone on client computers, otherwise clients will not recognize CA server.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Mark LoganAuthor Commented:
Thanks Bembi, the template permissions were fine.  With regards the issues with the RWDC being presented with the certificate.  I found that if I disabled "Require strong validation during enrollment" within the enrollment policy of the GPO I was presented with the certificate, which made me realise that I had forgotten to publish the trusted certificate chain within the Domain Controller GPO  (I'd only published it previously for Member servers)  However, I now get a timeout during enrolment, which seems to be a problem between my sub-CA and my CES server.  Onwards and upward
Mark LoganAuthor Commented:
Cheers Mahesh, spot on with the Certificate Chain, I thought that I had published it across the domain, but it turned out the DCs were lacking it.  CES & CEP are Certificate Enrollment Web Services.  They are features of the Certificate Authority Role
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.