These are the steps to troubleshoot autoenrollment problems. The basis for this article was produced by a veteran field troubleshooting engineer, Roger Grimes.

The article assumes that certificates that a user or machine should be receiving automatically from an issuing CA server on the network are not showing up in the end user's certificate store (i.e. the Personal store in the Certificates console, certmgr.msc).

Issuing CA's computer account is in the Cert Publishers group for the domain. You can verify this by using Active Directory Users and Computers (dsa.msc) and looking in the Users folder for the membership of Cert Publishers.

Ensure the group policy objects have Autoenrollment enabled; see Configuring Group Policy for more information.

User or computer has Read, Enroll, and Autoenroll permissions on the certificate template being requested. You can run certutil.exe -Template when logged in as the end user to see if the end user has Read and Enroll permissions (but it will not reveal which certificates the user has Autoenroll permissions to).
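
The checks listed in this article, gathered into one PowerShell script to run in the affected user's session. This is an added example, not part of the original article. It assumes the RSAT ActiveDirectory module is installed, uses `CA01` as a placeholder CA computer name, and reads the `AEPolicy` registry value, which the article does not mention.

```powershell
# Added example, not from the original article.
# Assumptions: RSAT ActiveDirectory module is installed; 'CA01' is a placeholder
# for the issuing CA's computer name; run in the affected end user's session.
param([string]$CaComputerName = 'CA01')

Import-Module ActiveDirectory -ErrorAction Stop

# Check 1: the issuing CA's computer account is a member of Cert Publishers.
$ca = Get-ADComputer -Identity $CaComputerName
$caInGroup = [bool](Get-ADGroupMember -Identity 'Cert Publishers' -Recursive |
    Where-Object { $_.DistinguishedName -eq $ca.DistinguishedName })

# Check 2: the autoenrollment Group Policy setting has reached this user/computer.
# The registry path and AEPolicy value are general Windows knowledge, not from
# the article. A missing value means no autoenrollment policy applied to that
# scope; the 0x8000 bit means autoenrollment is disabled by policy.
$policy = foreach ($hive in 'HKCU:', 'HKLM:') {
    $path = "$hive\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    $item = Get-ItemProperty -Path $path -Name AEPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Scope    = if ($hive -eq 'HKCU:') { 'User' } else { 'Computer' }
        AEPolicy = if ($item) { '0x{0:X}' -f $item.AEPolicy } else { 'not configured' }
        Disabled = if ($item) { [bool]($item.AEPolicy -band 0x8000) } else { $null }
    }
}

# Check 3: templates the current user can Read and Enroll (per the article, this
# does not show Autoenroll permission). Output is kept raw for manual review.
$templates = & certutil.exe -Template 2>&1

# Symptom: what is actually present in the user's Personal store right now.
$personal = Get-ChildItem -Path Cert:\CurrentUser\My |
    Select-Object Subject, NotAfter, Thumbprint

# One report object so the results can be saved or compared between machines.
[pscustomobject]@{
    User               = "$env:USERDOMAIN\$env:USERNAME"
    Computer           = $env:COMPUTERNAME
    CaInCertPublishers = $caInGroup
    AutoenrollPolicy   = $policy
    PersonalStoreCount = @($personal).Count
    PersonalStore      = $personal
    CertutilTemplate   = $templates -join [Environment]::NewLine
}
```

Autoenroll permission on a template still has to be confirmed on the template's Security tab, since `certutil.exe -Template` does not report it.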