Custom smartcard logon template not available in web enrollment pages

Discussion in 'Server Security' started by Han Valk, Aug 20, 2008.

  1. Han Valk

    Han Valk Guest

    I've created a custom smartcard logon template based on the
    recommendations in Brian's book.
    When I log on as an Enrollment Agent and navigate to the smartcard web
    enrollment site I cannot select the custom template, which btw is
    available on the CA.
    When I make the default smartcard logon template available it is.
    Even when I simply duplicate the default template, give it another
    name and add the default smartcard templates to the superseded list
    and make it available it's not showing up.

    Han Valk, Aug 20, 2008

  2. One of two possibilities:
    1) Is the CA running on Enterprise Edition? V2 certificate templates are
    only available on the Enterprise Edition or Datacenter Edition SKUs.
    2) On the Issuance Requirements tab, did you require one authorized
    signature where the application policy includes the Certificate Request
    Agent OID? This is required to show up in the list of smart cards.
    3) Does the requesting user (the enrollment agent) have Read and Enroll
    permissions on the custom template?

    Brian Komar (MVP), Aug 20, 2008

  3. Han Valk

    Han Valk Guest

    He Brian,

    It's solved. Found a KB that says that CA certificate manager approval
    is not allowed in this case.
    Han Valk, Aug 20, 2008
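
The checks discussed in the replies above, as an added example (not code from any poster in this thread): a PowerShell function that evaluates a template's Active Directory attributes for the one-signature requirement, the Certificate Request Agent OID, and CA certificate manager approval. The two sample templates and the function name are constructed for illustration; Read and Enroll permissions are not covered.

```powershell
# Added example. Attribute names are the AD schema names on certificate template
# objects; the template data at the bottom is constructed, not read from a CA.
$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
$PendAllRequests = 0x2                        # CT_FLAG_PEND_ALL_REQUESTS (manager approval)

function Test-SmartcardTemplate {             # hypothetical helper name
    param([Parameter(Mandatory)] $Template)

    $schema   = [int]$Template.'msPKI-Template-Schema-Version'
    $sigCount = [int]$Template.'msPKI-RA-Signature'
    # Joined and substring-matched so single- and multi-valued forms both work.
    $policies = @($Template.'msPKI-RA-Application-Policies') -join ' '
    $flags    = [int]$Template.'msPKI-Enrollment-Flag'

    [pscustomobject]@{
        Template           = $Template.Name
        NeedsEnterpriseCA  = $schema -ge 2          # check 1 in the reply above
        OneAuthorizedSig   = $sigCount -eq 1        # check 2: signature count
        RequestAgentPolicy = $policies -match [regex]::Escape($RequestAgentOid)
        ManagerApprovalOff = -not ($flags -band $PendAllRequests)
    }
}

# Constructed samples: the first passes, the second has manager approval
# enabled and no issuance requirement.
$samples = @(
    @{ Name = 'Sample-Smartcard-OK'
       'msPKI-Template-Schema-Version' = 2
       'msPKI-RA-Signature'            = 1
       'msPKI-RA-Application-Policies' = @('1.3.6.1.4.1.311.20.2.1')
       'msPKI-Enrollment-Flag'         = 0x20 },
    @{ Name = 'Sample-Smartcard-Hidden'
       'msPKI-Template-Schema-Version' = 2
       'msPKI-RA-Signature'            = 0
       'msPKI-RA-Application-Policies' = @()
       'msPKI-Enrollment-Flag'         = 0x22 }
)
$samples | ForEach-Object { Test-SmartcardTemplate $_ } | Format-Table -AutoSize

# Against a real forest (requires the ActiveDirectory module):
# $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
#         (Get-ADRootDSE).configurationNamingContext
# Get-ADObject -SearchBase $base -Filter * -Properties * |
#     ForEach-Object { Test-SmartcardTemplate $_ } | Format-Table -AutoSize
```
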
  4. Han Valk

    Dan D Guest


    I checked all three options you suggested.

    My question is why one of the templates (Email-CAC-2003) appears in the Certificate template drop-down (web interface) and not the other (Email-CAC-2008).

    Do I need to have #2 (Issuance Requirements) configured in order to see it in the enrollment page drop-down?

    Here is my current setup:
    Root CA - Windows 2008 Enterprise edition- online
    Sub CA - Windows 2008 Enterprise Edition - online

    Two Customized templates from default smartcard logon template:
    Email-CAC-2003: Created with 2003 properties
    Email-CAC-2008: Created with 2008 properties

    Extensions for both templates:
    Application Policy: Secure Email, Smart Card Logon, Client authentication
    Key Usage: Digital Signature, Signature is proof of origin.
    Issuance Policy: Medium Assurance.

    Dan D, Jan 13, 2011