Question
Monday, January 23, 2017 1:36 PM
We are less than 30 days away from the expiration of machine certificates on our network and they stubbornly refuse to renew themselves. We have a root CA and two subordinate CAs. What is new is that one of the subordinates is Windows 2012 R2 and the other is 2008 R2. A year ago we moved to autoenrollment using GPO.
Checked:
- The certificate template security has Read, Enroll and Autoenroll for Domain computers (authenticated readers have just Read). Renewal period is set to 6 weeks. Cert template is published in AD.
- The GPO for "Certificate Services Client - Auto Enrollment" is enabled and set for renew.
- I don't seem to get any error messages in the log. After a reboot, I get "Certificate enrollment for Local system successfully load policy from policy server" among other informational messages.
- I can manually renew (certmgr - renew certificate with new key)
What am I missing?
James.
All replies (10)
Tuesday, January 24, 2017 5:54 AM
Hi,
Since you have checked permissions and GPO configuration, and could also manually renew, I suggest you check the autoenrollment task.
You can view the autoenrollment tasks, by opening the Task Scheduler, expanding Microsoft, expanding Windows, and clicking on the CertificateServicesClient. There is a SystemTask that is associated with Machine Enrollment and a UserTask associated with user enrollment.
Please check the trigger and conditions. You can manually trigger autoenrollment for the machine by using the certutil -pulse command. You can also trigger autoenrollment for the machine and user by using the gpupdate /force command.
Also check this for your reference:
REF: Troubleshooting Autoenrollment
https://blogs.technet.microsoft.com/xdot509/2012/10/18/troubleshooting-autoenrollment/
Best Regards
Cartman
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected]
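The checks in the reply above (the CertificateServicesClient\SystemTask scheduled task, the applied autoenrollment policy, certificates inside the renewal window, and a manual certutil -pulse followed by a look at the autoenrollment events) can be run from one elevated PowerShell session. The script below is an added example, not code from the thread or from Microsoft; it assumes Windows 8 / Server 2012 or later (Get-ScheduledTask, Get-WinEvent), a 6-week renewal period as stated in the question, and that the AEPolicy value 0x8000 means "disabled" as the policy documentation describes.

```powershell
# Added example: machine autoenrollment health check for a domain member
# that has not renewed. Run in an elevated PowerShell prompt.

$renewalWindowDays = 42   # 6-week renewal period from the question; adjust to your template

# 1. The scheduled task that drives machine (not user) autoenrollment
$taskPath = '\Microsoft\Windows\CertificateServicesClient\'
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName 'SystemTask' -ErrorAction SilentlyContinue
if ($null -eq $task) {
    Write-Warning "SystemTask not found under $taskPath"
} else {
    "SystemTask state: $($task.State)"
    foreach ($t in $task.Triggers) { "  trigger: $($t.CimClass.CimClassName) enabled=$($t.Enabled)" }
    $info = $task | Get-ScheduledTaskInfo
    "  last run: {0}  last result: 0x{1:X}" -f $info.LastRunTime, $info.LastTaskResult
}

# 2. The autoenrollment policy written by the "Certificate Services Client - Auto-Enrollment" GPO
$polKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $polKey -Name 'AEPolicy' -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) {
    Write-Warning "No AEPolicy value under $polKey (is the GPO applied to this computer?)"
} elseif ($aePolicy -band 0x8000) {
    # Assumption: 0x8000 is the documented "Disabled" setting
    Write-Warning ("AEPolicy = 0x{0:X}: autoenrollment is disabled by policy" -f $aePolicy)
} else {
    "AEPolicy = 0x{0:X} (compare with RSOP: renew/update options are encoded here)" -f $aePolicy
}

# 3. Machine certificates that are already inside the renewal window
$cutoff = (Get-Date).AddDays($renewalWindowDays)
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'   # v2+ template info, v1 template name
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -le $cutoff } | ForEach-Object {
    $ext  = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    $tmpl = if ($ext) { $ext.Format($false) } else { '(no template extension)' }
    "due for renewal: {0}  expires {1:yyyy-MM-dd}  {2}" -f $_.Subject, $_.NotAfter, $tmpl
}

# 4. Kick off a machine autoenrollment pass and read what the client logged about it
$start = Get-Date
certutil -pulse | Out-Null
Start-Sleep -Seconds 30
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = $start
} -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No autoenrollment events since the pulse; the task may not be running at all'
} else {
    $events | Sort-Object TimeCreated | ForEach-Object {
        "{0:HH:mm:ss} [{1}] {2}: {3}" -f $_.TimeCreated, $_.LevelDisplayName, $_.Id, ($_.Message -replace "`r?`n", ' ')
    }
}
```

Run it on one machine that renewed and one that did not and diff the two outputs: a differing AEPolicy value or task state points at policy, while identical policy but a failing step 4 points at the client's view of the CA or templates.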
Tuesday, January 24, 2017 7:22 AM
Have a look on this :
https://itworldjd.wordpress.com/2013/12/09/troubleshooting-certificate-autoenrollment-issues/
Monday, January 30, 2017 8:46 AM
Hi,
Any updates? Has the problem been resolved? If there's anything you'd like to know, don't hesitate to ask.
Best Regards
Cartman
Thursday, February 2, 2017 9:02 AM
We are still working on it. It is not solved yet.
James.
Thursday, February 2, 2017 8:49 PM
A few machines on the network have renewed, but most of them have not. I cannot find a common denominator.
I have all computers in the domain computers AD group and this has Read, Enroll and AutoEnroll rights on the certificate template.
If I open certmgr on a sample machine that hasn't renewed and go to "Automatically Enroll and Retrieve certificates", then after some time I get "Certificate types are not available". I can ping all the CAs. If I go to RSOP I can see that the "Certificate services client - Autoenrollment" object is enabled and it is set to "Renew expired certificates...". The event viewer says the GPO is being applied.
If I do the same on a machine that has a renewed certificate, it says "Certificate Enrollment is not Enabled".
James.
Friday, February 3, 2017 8:40 AM
Hi,
It seems GPO and enrollment process were all fine.
Please enable autoenrollment logging for more information. Verbose logging for autoenrollment can be enabled by adding a registry value. To enable verbose logging for machine autoenrollment, create a REG_DWORD named AEEventLogLevel with a value of 0 in the HKLM\Software\Microsoft\Cryptography\Autoenrollment registry key. To enable verbose logging for user autoenrollment, create a REG_DWORD named AEEventLogLevel with a value of 0 in the HKCU\Software\Microsoft\Cryptography\Autoenrollment registry key.
For a description of the additional events that are logged when verbose logging is enabled, please see: http://technet.microsoft.com/en-us/library/bb456981.aspx
Best Regards
Cartman
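The registry change described in the reply above, plus a triggered enrollment pass and a dump of the resulting events, as an added example that is not code from the thread or from Microsoft. It sets AEEventLogLevel = 0 under the HKLM key the reply names (the machine side only), waits for a pulse, prints every autoenrollment event, and can remove the value again with -Revert so the extra logging does not stay on forever. Assumptions: elevated PowerShell on Windows 8 / Server 2012 or later, and the 60-second wait being long enough for the client to reach the CA.

```powershell
# Added example: turn on verbose machine autoenrollment logging, trigger a pass,
# collect the events, and optionally revert. Save as Enable-AELogging.ps1 and run elevated.
param([switch]$Revert)

$key  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment'   # path from the reply
$name = 'AEEventLogLevel'

if ($Revert) {
    Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    "Verbose autoenrollment logging value removed from $key"
    return
}

# Create the key if it is missing (it was present on the poster's machines, but not always)
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
# Value 0 = verbose, per the reply this example accompanies
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
"$name set to 0 under $key"

# Trigger a machine autoenrollment pass and give the client time to talk to the CAs
$start = Get-Date
certutil -pulse | Out-Null
Start-Sleep -Seconds 60

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = $start
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No autoenrollment events were written after the pulse.'
    return
}

# Full timeline first (verbose mode logs each policy load, template evaluation and CA contact)
$events | Sort-Object TimeCreated | ForEach-Object {
    "{0:HH:mm:ss} [{1}] {2}: {3}" -f $_.TimeCreated, $_.LevelDisplayName, $_.Id, ($_.Message -replace "`r?`n", ' ')
}

# Then only the critical/error/warning entries (Level 1..3), which normally name the failing CA or template
"`n--- problems ---"
$events | Where-Object { $_.Level -le 3 } | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run `.\Enable-AELogging.ps1` once to capture a verbose pass and `.\Enable-AELogging.ps1 -Revert` when done. The user-side equivalent is the same procedure against the HKCU key, run in the user's own session rather than elevated.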
Friday, February 3, 2017 1:25 PM
Hi Cartman,
Seems that I do not have a key at HKCU\Software\Microsoft\Cryptography for Autoenrollment.
Under this path I have CertificateTemplateCache and NGC only.
The HKLM key is there ok.
James.
Tuesday, February 7, 2017 2:56 AM
Hi,
Sorry, it should be here: HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment
Best Regards
Cartman
Monday, February 13, 2017 10:39 AM
Over a period of days our machines started to renew their certificates. We have no idea why it now works and previously it did not. It is several weeks since any changes were made to the AD configuration.
James.
Tuesday, February 14, 2017 5:35 AM
Hi,
All right. If you have any other questions, please feel free to ask here.
Best Regards
Cartman