How to Force a DC to Attempt Certificate Autoenrollment

After installing a new Microsoft Certificate Server, the Event Logs on the Server 2003 domain controllers showed an Autoenrollment error, Event ID 13 (Access is Denied), while the 2008 domain controllers logged an Event ID 13 error with the Source CertificateServicesClient-Request…or something close.

The fix for the Autoenrollment problem was the following, found on an MS Support Forum:

The event 13 from Autoenrollment message may be related to the new DCOM security enhancement of Windows Server 2003 SP1. Windows Server 2003 Certificate Services provides enrollment and administration services by using the DCOM protocol. Certificate Services provides several DCOM interfaces to make these services available. For correct access and usage of these services, Certificate Services assumes that its DCOM interfaces are set to allow remote activation and access permissions.

However, Windows Server 2003 SP1 introduces enhanced default security settings for the DCOM protocol. Specifically, SP1 introduces more precise rights that give an administrator independent control over local and remote permissions for launching, activating, and accessing COM servers. Therefore, because of the enhanced default security settings for DCOM that are introduced by SP1, you may have to update these security settings to make sure of the continued availability of these services after you install SP1.

Suggestions:

1. Please check to ensure that a new security group, CERTSVC_DCOM_ACCESS, has been created after applying SP1.
2. Please add the “Domain Users”, “Domain Computers” and “Domain Controllers” groups to the new CERTSVC_DCOM_ACCESS security group.
3. Then we can have Certificate Services update the DCOM security settings by running the following commands:

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
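The three suggestions above, as one idempotent PowerShell script to be run elevated on the CA. This is an added example, not the forum answer's own commands and not from the original post. It assumes the CA is a member server, so CERTSVC_DCOM_ACCESS is a local group that net localgroup can list; on a CA installed on a domain controller the group is a domain local group and you would use net group or the ActiveDirectory module instead. The check that each required group is already present is added so that re-running the script does not error on duplicate members.

```powershell
# Added example: apply the CERTSVC_DCOM_ACCESS fix from the forum answer and
# tell Certificate Services to refresh its DCOM ACLs. Run elevated on the CA.
# Assumption: the CA is a member server (local group). On a DC-hosted CA the
# group is a domain local group; adjust the membership commands accordingly.
$group = 'CERTSVC_DCOM_ACCESS'
$required = @(
    "$env:USERDOMAIN\Domain Users",
    "$env:USERDOMAIN\Domain Computers",
    "$env:USERDOMAIN\Domain Controllers"
)

# 1. Confirm the group exists (it is created by the SP1 setup of Certificate Services).
$members = & net.exe localgroup $group
if ($LASTEXITCODE -ne 0) {
    throw "Group $group not found on this CA; confirm SP1 or later is installed."
}

# 2. Add each required domain group, skipping any that are already members.
foreach ($m in $required) {
    if ($members -notcontains $m) {
        Write-Host "Adding $m to $group"
        & net.exe localgroup $group $m /add
        if ($LASTEXITCODE -ne 0) { throw "Failed to add $m to $group" }
    } else {
        Write-Host "$m is already a member of $group"
    }
}

# 3. Clear the 'DCOM security updated' setup flag and restart the CA so that
#    certsvc rewrites the DCOM launch/activation/access permissions on startup.
& certutil.exe -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed" }
Restart-Service -Name certsvc

# Show the resulting membership for the change record.
& net.exe localgroup $group
```

Membership in CERTSVC_DCOM_ACCESS is what lets callers reach the CA's DCOM enrollment interfaces remotely, so review the resulting list before closing the ticket; anything broader than the principals that actually need to enroll is worth questioning.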

Thinking I had my problem fixed, I wanted the DCs to attempt autoenrollment once again; however, in my impatience, I didn’t want to wait for the next scheduled attempt.

Performing the steps listed below (they worked on both 2003 and 2008) forced a certificate autoenrollment on the DCs:

1. Back up/export the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache

2. Delete the AEDirectoryCache registry key

3. From the command line, execute GPUPDATE /FORCE
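The same three steps, plus the verification I did by hand afterwards, as an added PowerShell script to run elevated on each DC. This is example code written for this page, not the original post's commands. The backup file location is an assumption (it is written under $env:TEMP with a timestamp so repeated runs do not overwrite each other), and the event-log check at the end assumes the Windows Server 2008 provider name Microsoft-Windows-CertificateServicesClient-AutoEnrollment; Get-WinEvent does not exist on Server 2003, so skip that part there and read the Application log directly.

```powershell
# Added example: force a DC to retry certificate autoenrollment by clearing
# the AutoEnrollment directory cache and triggering a policy refresh.
# Run in an elevated PowerShell on the domain controller.
$regPath  = 'HKLM\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache'
$psPath   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache'
# Assumption: backups go to %TEMP%; pick a durable location in production.
$backup   = Join-Path $env:TEMP ('AEDirectoryCache-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# 1. Back up / export the key. reg.exe produces a .reg file that can be
#    restored with 'reg import' if the cache needs to be put back.
if (Test-Path $psPath) {
    & reg.exe export $regPath $backup /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    Write-Host "Backed up $regPath to $backup"

    # 2. Delete the cache key so the autoenrollment client rebuilds its view
    #    of the templates and CAs published in Active Directory.
    Remove-Item -Path $psPath -Recurse -Force
    Write-Host "Deleted $regPath"
} else {
    Write-Host "$regPath not present; nothing to back up or delete"
}

# 3. Force a Group Policy refresh, which re-runs the autoenrollment client.
& gpupdate.exe /force
if ($LASTEXITCODE -ne 0) { throw "gpupdate failed with exit code $LASTEXITCODE" }

# Verify: show the most recent autoenrollment client events (2008 and later;
# provider name is an assumption, confirm it in Event Viewer on your build).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap

# Verify: list the machine certificates now in the local computer store.
Get-ChildItem Cert:\LocalMachine\My |
    Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
```

An Event ID 13 from the autoenrollment client after this run means the DCOM fix on the CA did not take, or the DC lacks Enroll permission on the template; a successful run is confirmed by the certificate appearing in the local computer store and in the Issued Certificates view on the CA.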

Shortly thereafter, I reviewed the Event Logs on the DCs and they reported that certificate autoenrollment was successful, at which point I opened the Certification Authority MMC on the CA and saw that certificates had indeed been issued.


Filed under Certificates, Windows Server

2 responses to “How to Force a DC to Attempt Certificate Autoenrollment”

  1. Anonymous

    Running “certutil.exe -pulse” from a 2008 DC triggers Autoenrollment too.

  2. (You are the second Dave Ball I've known).
    According to the MS article here: http://support.microsoft.com/kb/903220
    the Everyone Group was added to the CERT_SVC_ACCESS group by default. This is what we found when we came looking. Did you not have that in your group?

    What we also found was that the Domain Controllers did not have enroll rights to the DC cert template. We gave them that right and ran the certutil -pulse command to force enrollment. They seem to be enrolling now.
