I get the error message "Certificate types are not available". What am I missing?

Anonymous
2024-12-19T15:34:50+00:00

In my server environment, I have 2 domain controllers and one standalone PKI server with the AD CS role. I'm trying to set up certificate autoenrollment for users. It works well while the default LDAP URL provider is set, but after I change it in the Certificate Enrollment Policy to:

https://mypkiserverip:50000/ADPolicyProvider_CEP_Kerberos/service.svc/CEP

I could not find any certificate templates during the manual enrollment.

The certificate template has the following security options for the users:

  • Read
  • Autoenroll
  • Enroll

The goal was to make autoenrollment work on a custom port; I partially followed these instructions:

https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/certificate-enrollment-certificate-key-based-renewal

There is no firewall between the servers to block any traffic.

What else should I check?

Thank you in advance.

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

Accepted answer
  1. Anonymous
    2024-12-22T14:16:05+00:00

    Hello,

    Thank you for your quick response.

    I validated all of the points you mentioned and everything seemed to be correct, however I couldn't locate the source of the problem.

    As a final solution to end this few-month disaster, I decided to reinstall the whole PKI system on a brand new server and now everything works as expected.


2 additional answers

  1. Anonymous
    2024-12-20T01:44:14+00:00

    Hello,

    Thank you for posting in the Microsoft Community Forums.

    It sounds like you've set up most of the necessary components for certificate autoenrollment, but there are a few additional areas you might want to check:

    Root Certificate Distribution: Ensure that the root certificate from your CA is properly distributed to all client devices. This is crucial for establishing trust between the clients and the CA.

    Certificate Enrollment Policy URL: Verify that the URL format for the Certificate Enrollment Policy (CEP) is correct and accessible. The URL should be in the format https://<server>:<port>/ADPolicyProvider_CEP_Kerberos/service.svc/CEP.

    Authentication Type: Confirm that the authentication type for the Certificate Enrollment Policy Web Service is correctly set. It should match the authentication method supported by your environment, such as Kerberos.

    Permissions: Double-check the permissions on the certificate templates. Ensure that the users have the necessary permissions (Read, Enroll, Autoenroll) and that these permissions are correctly applied.

    Group Policy Configuration: Verify that the Group Policy settings for autoenrollment are correctly configured. This includes enabling autoenrollment and ensuring that the policy is applied to the correct Organizational Units (OUs).

    Service Account Permissions: If you are using a service account for the CEP and CES services, ensure that this account has the necessary permissions to access the CA and perform enrollment operations.

    I hope the information above is helpful.

    Best regards

    Yanhong Liu

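The checklist in the answer above can be walked through from an affected client; the following PowerShell script is an added example (not from the thread or from Microsoft) that uses the PKIClient module, the CEP URL from the question, and a placeholder root CA name, which you would replace with your own.

```powershell
# Added diagnostic script, not part of the original thread. Assumes the PKIClient
# module (Windows 8 / Server 2012 and later) and the CEP URL from the question;
# change $CepUrl and $RootCaName to match your environment.
$CepUrl     = 'https://mypkiserverip:50000/ADPolicyProvider_CEP_Kerberos/service.svc/CEP'
$RootCaName = '<Your Root CA name>'   # placeholder, replace with your CA's subject name
$uri        = [Uri]$CepUrl

# 1. Network path: the custom CEP port must accept a TCP connection.
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "No TCP connection to $($uri.Host):$($uri.Port)"
}

# 2. TLS trust and authentication: the CEP server certificate must chain to a root
#    the user trusts, and its name must match the URL. An https URL that names an
#    IP address only matches a certificate carrying that IP in its Subject
#    Alternative Name, and Kerberos expects an SPN-resolvable host name, so a DNS
#    name is the safer choice. Any chain or name error surfaces here.
try {
    $resp = Invoke-WebRequest -Uri $CepUrl -UseDefaultCredentials -UseBasicParsing
    "CEP endpoint answered HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "CEP request failed: $($_.Exception.Message)"
}

# 3. Enrollment policy servers the user context actually has configured (from
#    Group Policy or per-user) and the authentication type of each. The property
#    names Url, AuthType and FriendlyName are assumed from the PKIClient object.
Get-CertificateEnrollmentPolicyServer -Scope All -Context User |
    Select-Object Url, AuthType, FriendlyName

# 4. Effective autoenrollment policy for users: it must be enabled for the
#    user context, otherwise no template is ever requested automatically.
Get-CertificateAutoEnrollmentPolicy -Scope Applied -Context User

# 5. Root CA certificate present in the user's Trusted Root store.
Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*$RootCaName*" } |
    Select-Object Subject, NotAfter, Thumbprint

# 6. Template ACLs as the CA publishes them (Read, Enroll and Autoenroll must be
#    granted to the users' group), then trigger an autoenrollment pass and check
#    the CertificateServicesClient-AutoEnrollment event log for the outcome.
certutil -v -template
certutil -pulse
```

Run it in the context of an affected user; steps 2 and 3 together usually show whether the problem is trust, name matching, or a policy server that simply never reached the client.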
  2. Anonymous
    2024-12-23T02:25:34+00:00

    Hi,

    I'm glad to hear your issue has been resolved and thank you for sharing.

    Best regards

    Yanhong Liu
