Previously, we did a successful trial on cross-forest cert enrollment with 2-way forest trust enabled. The user objects are on Account Forest and the PKI / CA servers are on the Resource Forest. I created a new cert template, issued it on the enterprise CA and sync the new cert template to the account forest using PKIsync.ps1 script. But the users were unable to enroll the new cert even though I've ensured the necessary permissions have been granted. I tried a manual enrollment and saw the following error message:
A valid certification authority (CA) configured to issue certificates based on this template cannot be located...
The new cert template in this case would be "TestingDoNoEnroll". Look like the enrollment clients could not find the issuing CA. On a domain controller of account forest, I did a check on the "AD Sites and Services" console with "View / Show Services Node" enabled. Expand on "Services / Public Key Services / Enrollment Services" and I check on the object of issuing CA on resource forest.
Double click on the object and select "Attribute Editor / certificateTemplates". The new template was missing - no wonder that the CA for the new issuing cert template could not be found. I added the new cert template name and enrollment worked as expected!


 
This comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
ReplyDelete
ReplyDeleteGood write-up. I definitely love this site. Keep it up
http://prokr123.webstarts.com/
http://prokr114.bravesites.com/
https://rehabgad22.doodlekit.com/blog
http://a4des.net/
https://www.prokr.net/ksa/jeddah-water-leaks-detection-isolate-companies/
This was very helpful. I just moved my CA to a new server and 90% of the templates were showing that error. Do you know why those certificates would be missing? Presumably they were there before I moved the CA because I've issed certs based on those templates in the past.
ReplyDelete