This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I've reached the conclusion that Server 2008 doesn't support auto-enrol of certificates for NPS using PKI infrastructure. We receive this error: The requested certificate template is not supported by this CA.
I realise my options are and should be to upgrade this server to something close to a recent OS but since I've inherited this infrastructure and the plan is to replace it in the next few months, I want to get NPS up and running for wireless authentication for domain computers urgently.
Can someone answer whether using a certificate from an authority such as GoDaddy or VeriSign would make this work? Or is it a case that auto-enrol just won't work at all on Server 2008 and it isn't just PKI?
If an external CA will work, can anyone direct me to some decent documentation for getting this up and running?
Thanks,
Chris
Hello,
Does this question have any update or has this issue been solved? Also, for the question, is there any other assistance we could provide?
If the reply is helpful, we would appreciate you to accept it as answer.
Thank you so much for your time and support.
Best regards,
Hannah Xiong
Hello,
Thank you so much for posting here.
So sorry that we do not have Server 2008 in my test environment, so we could not do the test. Since we configured the auto-enrollment, could other server get the certificate?
As for the error: The requested certificate template is not supported by this CA, we could refer to the below article to check whether it helps.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/ca-cant-use-certificate-template
Besides, we are not professional with the external CA, so sorry that we could not provided any information. It is suggested that we could contact the external CA to get more professional assistance.
Thank you so much for your understanding and support.
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
We receive this error: The requested certificate template is not supported by this CA.
this error indicates that there is no CA in forest that has requested template assigned. You have to go to CA, navigate Certificate Templates node and add requested template for issuance.
As of Windows Server 2008: only Enterprise and Datacenter editions support V2 and newer templates. For Standard edition, you can use Automatic Certificate Request GPO option that allows computer certificate autoenrollment using V1 templates.
Hi both,
Thanks for your replies.
@Hannah Xiong - I have come across numerous articles and posts referencing these permissions and the template has Authenticated Users with Read access so I've ruled this out as the issue.
@Vadims Podāns - I'll investigate the GPO option you suggest and see how I get on. The template is already added for issuance but I believe the error is being returned because it can only use the V1 template which doesn't allow auto-enrollment (by my understanding).
Thanks
@Vadims Podāns - I've actually already configured the auto-enrol via GPO so this doesn't work either, returning that error in the Failed Requests section of AD CS.
And just to add further to this, the certificate that I've issued is shown below along with the certificate name in the error message:
Hello Chris,
Thank you so much for your kindly reply.
As for the error message, "The problem is caused because no certificate template was selected or inside the GUI the friendly template name rather the short name (which didnt include spaces) was used.
Solution: Create a new certificate request via the Lync deployment GUI using the correct short template name and re-submit that to the Microsoft CA."
Also please make sure the template is assigned to CA server (in Certification Authority MMC select Certificate Template folder).
Below is the discussion about this issue, we could kindly have a check whether it helps.
https://social.technet.microsoft.com/Forums/windows/en-US/96016a13-9062-4842-b534-203d2f400cae/ca-certificate-request-error-quotdenied-by-policy-module-0x80094800quot-windows-server-2008?forum=winserversecurity
At the same time, I would like to share with you some documents about Certificates Used with NPS. Hope they could be helpful.
Manage Certificates Used with NPS
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-certificates
Configure Certificate Templates for PEAP and EAP Requirements
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi Hannah,
I have come across those articles as well and deleted the original certificate template then recreated it with no spaces, then issued that certificate template which is now failing. Screenshot below showing no spaces:
I have also reviewed the MS documentation you sent and confirmed everything is as MS say it should be. I've searched Google extensively to find a solution so fairly confident I've read most hits that match the error we've got and the only conclusion I reached was where someone said this would not work on Server 2008 Standard edition - autoenroll for V2 or V3 templates does not work:
Windows Server 2008 standard edition can only issue certificates based on Version 1 certificate templates. To use autoenrollment, you need to issue V2 or V3 certificate templates. This is blocked by the OS>
You must do one of the following:
1) Upgrade the server to Windows Server 2008 Enterprise or Data Center
2) Upgrade the server to Windows Server 2008 R2 Standard, Enterprise, or Data Center
3) Upgrade the server to Windows Server 2012 Standard or Data Center
This is exactly what I said -- no autoenrollment for 2008 Standard edition. And I would discourage the use of non-supported OS.