Microsoft CA Web enrollment question

PKInoob88 101 Reputation points

Currently I have a separate server configured for web enrollment with open trust delegation from the enterprise CA (using Kerberos only).

However, when I require Windows authentication for the web enrollment web page, it throws me an error:
An unexpected error has occurred: The Certification Authority Service has not been started.
(this is for the download CA certificate, CRL option)

When I set it to 'Automatic login only when in intranet zone' from Internet Options, everything works fine. (A Kerberos ticket is retrieved when I check using klist http/web-server.) Once I change to 'Prompt for username and password', I get the errors above, and sometimes the authentication fails 3 times with the 401 not authorized error.

1 answer

  1. Daisy Zhou 20,301 Reputation points Microsoft Vendor

    Hello @PKInoob88 ,

    Thank you for waiting.

    I have done a test in my lab.

    I can request certs whether the option is 'Automatic login only when in intranet zone' or 'Prompt for username and password' from Internet Options. I have checked in two different PKI environments.

    Can you please check if there is the same behavior on different PCs?
    Can you please check if there is the same behavior for different users?

    Best Regards,
    Daisy Zhou
