Re: Win2k3 Enterprise CA autoenrollment doesn't work

In news:,
hudbrog <>, posted the following:
> Hi. Thanks for reply. Yes, autoenrollment is enabled in gpo both for
> computer and user(in custom object, not for default). Gpresult shows
> that object is applied.

Can you elaborate on the exact steps you took to create the cert and
implement autoenrollment?
Is it a version 2.0 template?
Did you create a group, placed the users or computers in the group, and add
it to the V2 cert you created?

Take a look at this.
Implementing and Administering Certificate Templates in Windows Server 2003
http://technet.microsoft.com/en-us/l.../cc783016.aspx



Curious, because this was a specific certificate related questions, I
cross-posted my previous reply for your benefit, to get the expert's
opinions at that group. When you replied, I saw that the cross-post followup
had been removed. Also curious, does Techarena remove cross-posting ability?

It may be beneficial to you to use a newsreader, such as Outlook Express or
in Vista, Windows Mail, to directly access Microsoft's free public
newsgroups. Just setup a newgroup account in the newsreader and point to
news.microsoft.com (no password required), and add the relevant groups you
would like to post your question in.

I cross posted this to the following two groups with replies set to all of
them:
microsoft.public.security.crypto
microsoft.public.windows.server.active_directory
microsoft.public.windows.server.security

Ace

In news:,
hudbrog <>, posted the following:
> Hello.
> Ok, so what I did step-by-step.
> Open Certificate Templates snap-in.
> Create a copy of "User Signature Only", rename it.

I don't have a cert server in front of me. I was hoping the folks in the
other group would respond. Going on memory...

It might be due to the cert itself.

How did you create a copy of the cert? Did you right-click, choose
"Duplicate Template?"
I assume that was a Version 2 Certificate Template that you copied?

> Modify properties, for Domain Users and Authenticated Users I allow
> Read, Enroll, Autoenroll. Set no user interaction(tried with it too),
> subject name based on AD.
> Go to CA snap-in, from all-tasks select new template for issuing.
> Then go to AD snap-in, create a GPO object for a specific security
> group(as far as i understand, doesn't really matter because I gave
> permissions to DOmain Users and all users are in it), allow
> autoenrollement both for computer and user.

It was user based, so the computer portion wouldn't matter.

Something is missing. Let me think it over.

> That was petty much it.
>
> Sory, NNTP port is closed, so no news groups for me.

I can understand that. Does the web based access provide the ability to copy
and paste the groups?

Ace