Server 2008 NPS certificates - alternative to PKI auto-enrol

Chris Butler-Howard 1 Reputation point
2020-12-22T02:13:51.427+00:00

I've reached the conclusion that Server 2008 doesn't support auto-enrol of certificates for NPS using PKI infrastructure. We receive this error: The requested certificate template is not supported by this CA.

I realise my options are and should be to upgrade this server to something close to a recent OS but since I've inherited this infrastructure and the plan is to replace it in the next few months, I want to get NPS up and running for wireless authentication for domain computers urgently.

Can someone answer whether using a certificate from an authority such as GoDaddy or VeriSign would make this work? Or is it a case that auto-enrol just won't work at all on Server 2008 and it isn't just PKI?

If an external CA will work, can anyone direct me to some decent documentation for getting this up and running?

Thanks,

Chris


5 answers

  1. Hannah Xiong 6,196 Reputation points
    2020-12-22T05:51:42.887+00:00

    Hello,

    Thank you so much for posting here.

    So sorry that we do not have Server 2008 in my test environment, so we could not do the test. Since we configured the auto-enrollment, could other servers get the certificate?

    As for the error: The requested certificate template is not supported by this CA, we could refer to the below article to check whether it helps.
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/ca-cant-use-certificate-template

    Besides, we are not professional with the external CA, so sorry that we could not provide any information. It is suggested that we could contact the external CA to get more professional assistance.

    Thank you so much for your understanding and support.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Vadims Podāns 8,811 Reputation points MVP
    2020-12-22T06:54:02.273+00:00

    "We receive this error: The requested certificate template is not supported by this CA."

    This error indicates that there is no CA in the forest that has the requested template assigned. You have to go to the CA, navigate to the Certificate Templates node and add the requested template for issuance.

    As of Windows Server 2008: only Enterprise and Datacenter editions support V2 and newer templates. For Standard edition, you can use Automatic Certificate Request GPO option that allows computer certificate autoenrollment using V1 templates.

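The two checks described in the answer above (is the template published on any CA in the forest, and is it a V1 or a V2-or-newer template) can be read straight from Active Directory. The following is an added example, not part of any poster's reply; it assumes PowerShell 2.0 or later on a domain-joined machine and read access to the Configuration partition, and the output column names are made up for illustration.

```powershell
# Added example: for every enterprise CA in the forest, list the templates it
# publishes and each template's schema version. Read-only LDAP queries.
$root     = [ADSI]"LDAP://RootDSE"
$configNC = [string]$root.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Lookup table: template short name (cn) -> schema version.
$templates = @{}
$tplSearch = New-Object System.DirectoryServices.DirectorySearcher
$tplSearch.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
$tplSearch.Filter     = "(objectClass=pKICertificateTemplate)"
$tplSearch.PageSize   = 500
[void]$tplSearch.PropertiesToLoad.Add("cn")
[void]$tplSearch.PropertiesToLoad.Add("mspki-template-schema-version")
foreach ($r in $tplSearch.FindAll()) {
    $name = [string]$r.Properties["cn"][0]
    $ver  = 1   # assumption: a missing version attribute is treated as V1
    if ($r.Properties.Contains("mspki-template-schema-version")) {
        $ver = [int]$r.Properties["mspki-template-schema-version"][0]
    }
    $templates[$name] = $ver
}

# Each CA object lists the short names of the templates it will issue.
$caSearch = New-Object System.DirectoryServices.DirectorySearcher
$caSearch.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$caSearch.Filter     = "(objectClass=pKIEnrollmentService)"
$report = foreach ($ca in $caSearch.FindAll()) {
    $caName = [string]$ca.Properties["cn"][0]
    $caHost = [string]$ca.Properties["dnshostname"][0]
    foreach ($t in $ca.Properties["certificatetemplates"]) {
        $v = $templates[[string]$t]   # $null if the template object is gone
        New-Object PSObject -Property @{
            CA            = $caName
            CAHost        = $caHost
            Template      = [string]$t
            SchemaVersion = $v
            V2OrNewer     = ($v -ge 2)
        }
    }
}
$report | Sort-Object CA, Template |
    Select-Object CA, CAHost, Template, SchemaVersion, V2OrNewer |
    Format-Table -AutoSize
```

A template that appears in no CA's list is not assigned for issuance anywhere; a row with `V2OrNewer` set to True on a CA running Windows Server 2008 Standard matches the edition limit described in this thread.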

  3. Chris Butler-Howard 1 Reputation point
    2020-12-22T20:22:17.623+00:00

    Hi both,

    Thanks for your replies.

    @Hannah Xiong - I have come across numerous articles and posts referencing these permissions and the template has Authenticated Users with Read access so I've ruled this out as the issue.

    @Vadims Podāns - I'll investigate the GPO option you suggest and see how I get on. The template is already added for issuance but I believe the error is being returned because it can only use the V1 template which doesn't allow auto-enrollment (by my understanding).

    Thanks


  4. Hannah Xiong 6,196 Reputation points
    2020-12-23T02:29:09.367+00:00

    Hello Chris,

    Thank you so much for your kind reply.

    As for the error message, "The problem is caused because no certificate template was selected or inside the GUI the friendly template name rather than the short name (which didn't include spaces) was used.

    Solution: Create a new certificate request via the Lync deployment GUI using the correct short template name and re-submit that to the Microsoft CA."

    Reference: https://www.admin-enclave.com/en/articles/skypeforbusiness/164-resolved-denied-by-policy-module-0x80094800-when-creating-a-lync-ssl-certificate.html

    Also please make sure the template is assigned to CA server (in Certification Authority MMC select Certificate Template folder).

    50528-1.png

    Below is the discussion about this issue, we could kindly have a check whether it helps.
    https://social.technet.microsoft.com/Forums/windows/en-US/96016a13-9062-4842-b534-203d2f400cae/ca-certificate-request-error-quotdenied-by-policy-module-0x80094800quot-windows-server-2008?forum=winserversecurity

    At the same time, I would like to share with you some documents about Certificates Used with NPS. Hope they could be helpful.

    Manage Certificates Used with NPS
    https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-certificates

    Configure Certificate Templates for PEAP and EAP Requirements
    https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements

    Best regards,
    Hannah Xiong


  5. Chris Butler-Howard 1 Reputation point
    2020-12-23T03:51:00.717+00:00

    Hi Hannah,

    I have come across those articles as well and deleted the original certificate template then recreated it with no spaces, then issued that certificate template which is now failing. Screenshot below showing no spaces:

    50625-image.png

    I have also reviewed the MS documentation you sent and confirmed everything is as MS say it should be. I've searched Google extensively to find a solution so fairly confident I've read most hits that match the error we've got and the only conclusion I reached was where someone said this would not work on Server 2008 Standard edition - autoenroll for V2 or V3 templates does not work:

    https://social.technet.microsoft.com/Forums/office/en-US/1da6be70-10b7-4d56-8ace-b51d67c93848/the-requested-certificate-template-is-not-supported-by-this-ca-windows-2008-standard-edition?forum=winserversecurity

    Windows Server 2008 standard edition can only issue certificates based on Version 1 certificate templates. To use autoenrollment, you need to issue V2 or V3 certificate templates. This is blocked by the OS.

    You must do one of the following:

    1) Upgrade the server to Windows Server 2008 Enterprise or Data Center

    2) Upgrade the server to Windows Server 2008 R2 Standard, Enterprise, or Data Center

    3) Upgrade the server to Windows Server 2012 Standard or Data Center