User Certificate Auto Enrollment fails when certificate is to be stored in AD

I am working on auto-enrollment of PKI certificates. I got everything working but when I auto-enroll the user certificate, the certificate is not auto-enrolled when this checkbox is enabled. If I uncheck it on the template, the user gets a new certificate. I'm assuming there's a certificate somewhere in AD I might have to clear out? Any help would be appreciated.

Template Properties
jbla9028 Asked:

FOX, Active Directory/Exchange Engineer, Commented:

jbla9028 (Author) Commented:
Thanks. In the article I see this:

"Note: If the CA administrator configured the templates to not duplicate certificates if one already exists in Active Directory, you will have to delete the user’s certificate in Active Directory in order for Autoenrollment to pull down a new certificate."


How do I delete the user's certificate? Where does it get stored? I figured under "user mappings" but I don't see anything there.
Rahul Ramachandran Commented:
For deleting DC certificates, follow the steps below:

1) While logged on as a member of the local Administrators group, start the Microsoft Management console.

2) Add the Certificates MMC Snap-In.

3) Select Computer Account when prompted to select an account to manage.

In the Certificates MMC Snap-In, navigate to Personal in the left pane.

4) In the right pane, determine the domain controller certificate(s) by the template name as shown in the Certificate Templates column or select the certificate(s) by their intended purpose.

5) Delete the certificate(s) by selecting Delete on the Action menu.

6) Close the MMC Snap-In and log off.


User Certificates are stored in the below location (Local).

In Run, type certmgr.msc
Under Personal - Certificates
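
The note quoted earlier in the thread concerns the copy of the certificate published to the user object in Active Directory (the `userCertificate` attribute), not the local store. The following is an added example, not part of the original thread: it lists those published certificates and removes one by thumbprint. It assumes the ActiveDirectory PowerShell module (RSAT) and write access to the user object; the function names, the account `jdoe` and the thumbprint placeholder are hypothetical.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-PublishedUserCertificate {
    # Lists certificates published on the AD user object (userCertificate attribute).
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties Certificates
    foreach ($c in $user.Certificates) {
        # Wrap as X509Certificate2 to read Thumbprint and validity dates.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($c)
        [pscustomobject]@{
            User        = $user.SamAccountName
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            Expired     = $cert.NotAfter -lt (Get-Date)
            Certificate = $c   # original object, passed back to Set-ADUser on removal
        }
    }
}

function Remove-PublishedUserCertificate {
    # Removes exactly one published certificate, selected by thumbprint.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Thumbprint
    )

    $match = @(Get-PublishedUserCertificate -Identity $Identity |
        Where-Object { $_.Thumbprint -eq $Thumbprint })
    if ($match.Count -ne 1) {
        throw "Expected one certificate with thumbprint $Thumbprint on $Identity, found $($match.Count)."
    }
    if ($PSCmdlet.ShouldProcess($Identity, "Remove published certificate $Thumbprint")) {
        Set-ADUser -Identity $Identity -Certificates @{ Remove = $match[0].Certificate }
    }
}

# Usage (placeholders): review first, then remove with -WhatIf before the real run.
# Get-PublishedUserCertificate -Identity 'jdoe' | Format-Table Thumbprint, Subject, NotAfter, Expired
# Remove-PublishedUserCertificate -Identity 'jdoe' -Thumbprint '<THUMBPRINT>' -WhatIf
```

Removing the published copy affects anyone who looks up that certificate in the directory, for example to send the user encrypted mail, so confirm the thumbprint against the listing before removal.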
Windows Server 2012
