User Certificate Auto Enrollment fails when certificate is to be stored in AD

jbla9028 used Ask the Experts™
I am working on auto-enrollment of PKI certificates. I got everything working but when I auto-enroll the user certificate, the certificate is not auto-enrolled when this checkbox is enabled. If I uncheck it on the template, the user gets a new certificate. I'm assuming there's a certificate somewhere in AD I might have to clear out? Any help would be appreciated.

Template Properties
Active Directory/Exchange Engineer
Top Expert 2015


Thanks. In the article I see this:

"Note: If the CA administrator configured the templates to not duplicate certificates if one already exists in Active Directory, you will have to delete the user’s certificate in Active Directory in order for Autoenrollment to pull down a new certificate."

How do I delete the user's certificate? Where does it get stored? I figured under "user mappings" but I don't see anything there.

For deleting DC certificates, follow the steps below:

1) While logged on as a member of the local Administrators group, start the Microsoft Management console.

2) Add the Certificates MMC Snap-In.

3) Select Computer Account when prompted to select an account to manage.

In the Certificates MMC Snap-In, navigate to Personal in the left pane.

4) In the right pane, determine the domain controller certificate(s) by the template name as shown in the Certificate Templates column or select the certificate(s) by their intended purpose.

5) Delete the certificate(s) by selecting Delete on the Action menu.

6) Close the MMC Snap-In and log off.

User certificates are stored in the location below (local).

In Run, type certmgr.msc
Under Personal - Certificates
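
Added example, not part of the original thread: a certificate published to Active Directory is written to the userCertificate attribute of the user object, which is separate from the local Personal store that certmgr.msc shows. This PowerShell script lists the published certificates and marks which of them are also in the local store. It assumes the RSAT ActiveDirectory module is installed and that it runs in the affected user's session; `$sam` and the thumbprint placeholder are hypothetical values.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and that the script runs in the affected user's logon session.
Import-Module ActiveDirectory

$sam = $env:USERNAME   # assumption: the account that fails to auto-enroll

# Certificates published on the AD user object (userCertificate attribute).
$adUser  = Get-ADUser -Identity $sam -Properties Certificates
$adCerts = @($adUser.Certificates | ForEach-Object {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_
})

# Thumbprints in the local Personal store (what certmgr.msc displays).
$localThumbs = @(Get-ChildItem Cert:\CurrentUser\My |
    Select-Object -ExpandProperty Thumbprint)

# One report row per published certificate.
$report = foreach ($c in $adCerts) {
    # The template is recorded in one of two extensions:
    # 1.3.6.1.4.1.311.21.7 (template information) or
    # 1.3.6.1.4.1.311.20.2 (template name).
    $tmpl = $c.Extensions | Where-Object {
        $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
    } | Select-Object -First 1

    [pscustomobject]@{
        Thumbprint   = $c.Thumbprint
        Issuer       = $c.Issuer
        NotAfter     = $c.NotAfter
        Expired      = $c.NotAfter -lt (Get-Date)
        InLocalStore = $localThumbs -contains $c.Thumbprint
        Template     = if ($tmpl) { $tmpl.Format($false) } else { '(none)' }
    }
}
$report | Format-List

# Removing one published certificate after review (left commented out;
# replace the placeholder with a thumbprint taken from the report above):
# $stale = $adUser.Certificates | Where-Object {
#     (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_).Thumbprint -eq '<THUMBPRINT-PLACEHOLDER>'
# }
# Set-ADUser -Identity $sam -Certificates @{ Remove = $stale }
```

The same entries are visible in Active Directory Users and Computers on the user's Published Certificates tab when Advanced Features is enabled.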
