Troubleshooting Autoenrollment
This is a blog entry that I worked on for the ASKDS blog a couple years back. Since it was never posted there I am posting it here. I am going to cover troubleshooting autoenrollment. I will first cover how Autoenrollment work in Windows XP and Windows Vista. I will then cover a defined step by step process for troubleshooting Autoenrollment.
Autoenrollment requires that the client be Windows XP or greater. It also requires that the clients be joined to a Domain. Autoenrollment also requires a certification authority that meets the following requirements: OS Windows 2003 or greater, Enterprise Edition of the OS, and the CA must be installed as an Enterprise CA. Autoenrollment is controlled through Group Policy.
Autoenrollment allows users and computers to automatically enroll for certificates, in most cases without interaction of the user. Autoenrollment also allows certificates to be automatically renewed and updated.
How Autoenrollment Works
How Autoenrollment works in Windows XP and Windows 2003:
The autoenrollment process is normally triggered by the Winlogon process, and is designed to be activated and managed by a domain-based Group Policy. Both machine-based and user-based Group Policy can activate autoenrollment for machines and users. By default, the Group Policy is applied at reboot for machines, or at logon for users, and is refreshed every eight hours. The refresh interval can be configured using Group Policy. Autoenrollment is also triggered by an internal timer that activates every eight hours after the last time autoenrollment was activated.
https://msdn.microsoft.com/en-us/library/bb643324.aspx
How Autoenrollment works in Windows Vista and 2008:
Autoenrollment in Windows Vista and 2008 is performed by the Certificate Services Client. Autoenrollment is triggered by built in tasks in Windows Vista and Windows 2008. The machine autoenrollment is triggered at System Startup and every 8 hours. Computer Autoenrollment is triggered by Log on and occurs every 8 hours. You can view the autoenrollment tasks, by opening the Task Scheduler, expanding Microsoft, expanding Windows, and clicking on the CertificateServicesClient. There is a SystemTask that is associated with Machine Enrollment and a UserTask associated with user enrollment.
Manually Triggering autoenrollment
You can manually trigger autoenrollment for the machine by using the certutil –pulse command. You can also trigger autoenrollment for the machine and user by using the gpupdate /force command.
Group Policy
The first step in troubleshooting AutoEnrollment is to verify that autoenrollment is configured properly. Autoenrollment is configured through Group Policy. There is one GPO setting that configures Autoenrollment for the machine and one that configures autoenrollment for the user.
The Machine Group Policy on Windows 2008 Server is located at Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Service Client – Auto-Enrollment
The Machine Group Policy on Windows 2003 Server is Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Autoenrollment Settings
The User Group Policy on Windows 2008 Server is User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client – Auto-Enrollment
The User Group Policy on Windows 2003 Server is User Configuration\Windows Settings\Security Settings\Public Key Policies\Autoenrollment Settings
The Windows 2003 Group Policy Setting contains the following Configuration Options:
Do not enroll certificates automatically: If this setting is configured Autoenrollment is disabled.
Enroll Certificates Automatically: This setting has two additional options, if this is selected Autoenrollment is enabled.
The first additional option is Renew expired certificates, update pending certificates, and remove revoked certificates: This option is fairly straight forward. If this checkbox is selected an a certificate is expired, the certificate services client will autoenroll for a new certificate based on the same certificate template. If a certificate request was put in a pending state and then approved by the Certificate Manager than autoenrollment will install the certificate once it is available. Certificates that are revoked will be removed.
The second option is Update certificates that use certificate templates: If you configure a certificate template to supercede another template, the certificate services client will autoenroll for the template that supercedes the template that an existing certificate is based on.
The Windows 2008 Group Policy setting looks slightly different that the setting in Windows Server 2003. The Group Policy Setting can be set to either Not Configured, Enabled, or Disabled. If the setting is Enabled, you have the following options. Two of which are exactly the same as the Windows 2003 options.
The first additional option is Renew expired certificates, update pending certificates, and remove revoked certificates
The second option is Update certificates that use certificate templates
The third option is Expiration notification. This option is only available for the User Group Policy setting not the machine group policy setting. Expiry notification will notify users of a pending certificate expiration. The expiration notification can be configured with the percentage of remaining certificate lifetime.
Troubleshooting Autoenrollment Group Policy
The first step is to determine if the Group Policy that contains the Autoenrollment configuration is applying to the machine or user.
This can be accomplished by running RSOP.MSC on the affected machine and seeing if the autoenrollment setting is applied. If for some reason the autoenrollment settings is not applied you should use the GPMC and Group Policy Results Wizard to determine why the GPO is not applying. The most common issue is that the Group Policy setting that is has the autoenrollment setting configured is not within the scope of the user or machine.
If you determine the GPO is applying to the machine, the next step is to verify that the Client Side Extensions are setting the registry keys associated with autoenrollment.
The Autoenrollment policy for the machine is configured at HKLM\Software\Policies\Microsoft\Cryptography\AutoEnrollment\AEPolicy
The Autoenrollment policy for the user is configured at HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment\AEPolicy
Below is a table that shows the value for the AEPolicy registry key and the associated group policy settings.
Hex Value |
Setting Configuration |
0x00000000 |
Autoenrollment Enabled |
0x00000001 |
Autoenrollment Enabled, Update Certificates that user certificates templates configured |
0x00000006 |
Enabled, Renew expired certificates, update pending certificates, and remove revoked certificates configured |
0x00000007 |
Enabled, Update Certificates that user certificates templates configured, Renew expired certificates, update pending certificates, and remove revoked certificates configured |
0x00008000 |
Disabled |
Typically when using autoenrollment it is best practice to have Autoenrollment enabled with all of the options which would result in a value of 0x00000007 on the AEPolicy registry key.
In addition to the AEPolicy key, there is also an OfflineExpirationPercent key that is associated with the Expiry Notification group policy setting. If Expiry Notification is configured, the OfflineExpirationPercent will exist under HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment\, and the decimal value will be equal to the percentage number in the Group Policy setting.
Certificate Templates
Autoenrollment requires the use of Version 2 or Version 3 Certificate Templates. Certificate Authorities must be on the appropriate OS Version and edition. The table below outlines OS Version and Edition support for Version 2 and Version 3 certificate templates.
OS Version and Edition |
Supports Version 2 Templates |
Supports Version 3 Templates |
Windows 2008 R2 Standard Edition |
YES |
YES |
Windows 2008 R2 Enterprise & Datacenter Edition |
YES |
YES |
Windows 2008 Standard Edition |
NO |
NO |
Windows 2008 Enterprise & Datacenter Edition |
YES |
YES |
Windows 2003 Standard Edition |
NO |
NO |
Windows 2003 Enterprise & Datacenter Edition |
YES |
NO |
Aside from the Version of the Certificate Templates there are two other requirements that need to be configured properly in order for autoenrollment to work. To modify the permission on a security template, open up the Certificate Template Management Console (Certtmpl.msc). Then double-click on the desired security template and select the Security tab. From the Security tab you can add or modify permissions on the security template. Ensure that Allow for Read, Enroll, and Autoenroll permissions are selected for the appropriate user, computer, or security group.
The first is that the principal requesting the certificate must have Read, Enroll, and AutoEnroll permissions on the certificate template on which the certificate request is based on.
The second is that the security template must be configured to build the subject/subject alternate name from Active Directory information. This can be configured on the Subject Name Tab of the certificate template, by selecting Build from this Active Directory information and configuring from what properties you would like the Subject/Subject Alternative name to be built.
Sections that need to be added
Logging
To aid in troubleshooting of Autoenrollment verbose logging for autoenrollment can be enabled by adding a registry key. To enable verbose logging for Machine autoenrollment add the registry create a REG_DWORD named AEEventLogLevel, with a value of 0 in the HKLM\Software\Microsoft\Crryptography\Autoenrollment registry key. To enable verbose logging for User autoenrollment create a REG_DWORD named AEEventLogLevel, with a value of O in the HKCU\Software\Microsoft\Crryptography\Autoenrollment registry key.
For a description of the additional events that are logged when verbose logging is enabled, please see: https://technet.microsoft.com/en-us/library/bb456981.aspx
Troubleshooting the Enrollment Process
If everything looks good from a Group Policy Standpoint, the next step would be to troubleshoot enrollment. The easiest way to so this is to give a user or machine that autoenrollment is failing for, enroll permission the affected template.
Once the user or machine has been granted enroll permission on the template, you will want to either wait until that change is replicated or force replication. Remember, when you make changes to certificate templates you are modifying the Certificate Template objects in the Configuration container of AD. Those changes must replicate to the Domain Controller that the user or machine is going to user for updating its template cache.
Now that the user or machine that is having issues has enroll permissions for the affected certificate template, you can now attempt to manually request a certificate from the CA and see if this works or fails. If you have a Windows Server 2008, Windows Vista, or Windows 7 machine that is experiencing the issue the best bet would be to troubleshoot with those machines, because more information is available during the enrollment process for those operating systems.
Windows XP and Windows Server 2003
To manually enroll for a certificate for the user open up the Certificate Manage Console (Certmgr.msc).
Select the Personal container. Then right click on the Personal container, select All Tasks, and then Request New Certificate… from the context menu.
Once the Certificate Request Wizard opens click Next.
Select the Certificate Template you are testing with, and then click Next.
Enter a friendly name and click Next.
Then click Finish.
Windows Vista, Windows 7, Windows 2008, Windows 2008 R2
To manually enroll for a certificate for the user open up the Certificate Manage Console (Certmgr.msc).
Select the Personal container. Then right click on the Personal container, select All Tasks, and then Request New Certificate… from the context menu.
Once the Certificate Enrollment Wizardopens click Next.
Select the Certificate Template you are testing with, and then click Enroll.
If you run into any issues with manually enrolling, you can use the How to troubleshoot Certificate Enrollment in the MMC Certificate Snap-in blog posting to help determine the cause.
Conclusion
In this blog posting I covered troubleshooting autoenrollment. Troubleshooting is pretty straight forward. Make sure the Autoenrollment group policy is configured and applied to the user or machine. Verify the Group Policy settings set the proper registry settings. If Group Policy is configured correctly, the next step is to troubleshoot enrollment.