0 Votes
JamesChew-0095 asked FanFan-MSFT commented

RDP Certificate not auto-renewing

Hi,

I have set up an RDP cert for auto-renewal in my lab. I have ticked 'Auto-Enroll' for all users, created a group policy for RDP and set the server authentication template to my template. I have also changed the configuration for both computer and user to allow auto-enrollment in group policy. However, my auto-renewal is not triggering when my cert expires. Can someone help please? Thanks.

windows-active-directory

0 Votes
dimiro answered JamesChew-0095 commented

Did you configure security permissions on the certificate to auto-enroll for domain computers too?


0 Votes
FanFan-MSFT answered

Hi,

First of all, check if the group policy for 'Auto-Enroll' was applied for all the users.
You can run GPRESULT /H REPORT.HTML and check the gpresult.
Make sure the users have the Read and Autoenroll permissions on the templates.
If possible, please share a screenshot here (hide the private information).

Best Regards,

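A client-side check for what FanFan-MSFT's answer asks for (is the policy applied, which certificate is in use, what the autoenrollment events say), written here as an added example and not code from the thread, from the asker or from Microsoft. It reads the registry values that the two Group Policy settings named in the question write to, shows which certificate the RDP listener currently presents, lists recent autoenrollment events and then triggers an autoenrollment pass with certutil -pulse. The registry paths and AEPolicy bit meanings are the documented ones; the 7-day event window and the 'RDP-Tcp' listener name are assumptions. Run it in an elevated PowerShell on the RDS host.

```powershell
# Added example, not from the thread: client-side state that decides whether the RDP
# certificate will autoenroll and renew. Run elevated on the RDS host.

# 1. Computer-side autoenrollment policy (Computer Configuration > Windows Settings >
#    Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment).
#    AEPolicy bits: 1 = enabled, 2 = renew expired / update pending / remove revoked,
#    4 = update certificates that use templates; 0x8000 = explicitly disabled.
foreach ($hive in 'HKLM', 'HKCU') {
    $aePath = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $ae = Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $ae) {
        Write-Warning "$hive`: no autoenrollment policy applied (AEPolicy missing under $aePath)."
    } else {
        $v = $ae.AEPolicy
        Write-Host ("{0} AEPolicy = 0x{1:X}: enabled={2} renew/update={3} templates={4} disabled={5}" -f
            $hive, $v, [bool]($v -band 1), [bool]($v -band 2), [bool]($v -band 4), [bool]($v -band 0x8000))
    }
}

# 2. The RDP-specific setting (Computer Configuration > Administrative Templates >
#    Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security >
#    "Server authentication certificate template"). It stores the template *name*.
$tsPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tplName = (Get-ItemProperty -Path $tsPath -Name CertTemplateName -ErrorAction SilentlyContinue).CertTemplateName
if ([string]::IsNullOrEmpty($tplName)) {
    Write-Warning "'Server authentication certificate template' is not applied (CertTemplateName missing)."
} else {
    Write-Host "RDP template name from policy: $tplName"
}

# 3. Which certificate the RDP listener currently presents, and whether it has expired.
#    The listener name 'RDP-Tcp' is the default and an assumption here.
$ts = Get-CimInstance -Namespace 'root\cimv2\terminalservices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$thumb = $ts.SSLCertificateSHA1Hash
$cert = Get-ChildItem Cert:\LocalMachine\My, 'Cert:\LocalMachine\Remote Desktop' |
        Where-Object Thumbprint -eq $thumb | Select-Object -First 1
if ($cert) {
    # OID 1.3.6.1.4.1.311.21.7 = Certificate Template Information (present on v2+ template certs).
    $tplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $tplInfo = if ($tplExt) { $tplExt.Format($false) } else { '(no template extension: self-signed listener cert)' }
    Write-Host ("RDP listener cert: {0}  expires {1}  {2}" -f $cert.Subject, $cert.NotAfter, $tplInfo)
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'RDP listener certificate has expired.' }
} else {
    Write-Warning "No certificate with thumbprint '$thumb' found in the machine stores."
}

# 4. Autoenrollment events from the last 7 days (they land in the Application log).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } } |
    Format-Table -AutoSize -Wrap

# 5. Trigger an autoenrollment pass now (same work the scheduled task does), then re-run step 4.
certutil -pulse
```

Because the RDP listener certificate is a machine certificate, the value under HKLM is the one that matters for this thread; the HKCU value is shown only because the question enabled both. An expired listener certificate together with a CertTemplateName that is present but no autoenrollment events points at step 1 (policy) or at the template's own Enroll/Autoenroll permissions for Domain Computers, which is what dimiro asks about.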

0 Votes
JamesChew-0095 answered JamesChew-0095 commented

Hi,

The GPresult does not show the users. I have allowed read and auto-enroll/enroll for all users in my CA. Thanks.


gpresult.png (24.1 KiB)

Hi,
Sorry, I can't figure out: is the policy a user setting?
If yes, the auto-enroll policy is applied.
You can run gpupdate /force on the clients and check if any events are logged or if there are any errors.
Best Regards,

0 Votes

Yes, the auto-enroll policy is applied and I have run gpupdate /force, but my cert is not auto-renewing... sad

0 Votes

But... was this GPO applied to both computers and users?

1 Vote
0 Votes
JamesChew-0095 answered FanFan-MSFT commented

Hi, I managed to get auto-enrollment to work, but now I see this error in my Event Viewer.

Certificate enrollment for Local system failed to enroll for a RDPxxxx certificate with request ID 400 from hostname.testlab.local\SubCA (The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)).


Hi,

I tried to do more research about this issue but without any luck.
If there is no progress, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
https://support.microsoft.com/en-in/hub/4343728/support-for-business

Best Regards,

0 Votes
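The template side of the two open points in this thread (dimiro's question about Enroll/Autoenroll permissions for domain computers, and the CERTSRV_E_BAD_REQUESTSUBJECT rejection that the last answer leaves unresolved) can be read straight from the template object in Active Directory. The following is an added example, not code from the thread, from the asker or from Microsoft. It decodes the template's subject-name flags (msPKI-Certificate-Name-Flag), its autoenrollment flag, validity and renewal periods, and which principals hold the Enroll and AutoEnroll extended rights. Bit values and rights GUIDs are the ones from MS-CRTD and MS-ADTS; the RSAT ActiveDirectory module and read access to the Configuration partition are assumed; 'RDPxxxx' is the placeholder from the error message in the thread and must be replaced with the template's name (the CN, not its display name).

```powershell
# Added example, not from the thread: inspect a certificate template in AD for its
# subject-name policy and its Enroll/AutoEnroll holders.
Import-Module ActiveDirectory

function Get-TemplateEnrollmentPolicy {
    param([Parameter(Mandatory)][string]$TemplateName)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tpl = Get-ADObject -SearchBase $base -LDAPFilter "(cn=$TemplateName)" `
        -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag',
                    'pKIExpirationPeriod', 'pKIOverlapPeriod', 'nTSecurityDescriptor'
    if (-not $tpl) { throw "Template '$TemplateName' not found under $base" }

    # msPKI-Certificate-Name-Flag bits (MS-CRTD). AD stores the value as a signed int32,
    # so mask it back to an unsigned 32-bit quantity before testing the high bits.
    $nameFlagBits = [ordered]@{
        ENROLLEE_SUPPLIES_SUBJECT              = 0x00000001
        OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME = 0x00000008
        SUBJECT_ALT_REQUIRE_DOMAIN_DNS         = 0x00400000
        SUBJECT_ALT_REQUIRE_SPN                = 0x00800000
        SUBJECT_ALT_REQUIRE_DIRECTORY_GUID     = 0x01000000
        SUBJECT_ALT_REQUIRE_UPN                = 0x02000000
        SUBJECT_ALT_REQUIRE_EMAIL              = 0x04000000
        SUBJECT_ALT_REQUIRE_DNS                = 0x08000000
        SUBJECT_REQUIRE_DNS_AS_CN              = 0x10000000
        SUBJECT_REQUIRE_EMAIL                  = 0x20000000
        SUBJECT_REQUIRE_COMMON_NAME            = 0x40000000
        SUBJECT_REQUIRE_DIRECTORY_PATH         = 0x80000000
    }
    $nf = [int64]$tpl.'msPKI-Certificate-Name-Flag' -band 0xFFFFFFFF
    $nameFlags = @($nameFlagBits.Keys | Where-Object { ($nf -band $nameFlagBits[$_]) -ne 0 })

    # msPKI-Enrollment-Flag bit 0x20 = CT_FLAG_AUTO_ENROLLMENT: without it the template
    # never autoenrolls regardless of permissions or Group Policy.
    $autoEnrollFlag = ([int64]$tpl.'msPKI-Enrollment-Flag' -band 0x20) -ne 0

    # pKIExpirationPeriod / pKIOverlapPeriod are 8-byte negative intervals in 100 ns units.
    $toDays = { param($bytes) [math]::Round(-[BitConverter]::ToInt64($bytes, 0) / 864000000000, 1) }

    # Extended-right GUIDs that appear as ACEs on a template object.
    $rights = @{
        '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
        'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'AutoEnroll'
    }
    $holders = foreach ($ace in $tpl.nTSecurityDescriptor.Access) {
        $r = $rights[$ace.ObjectType.ToString()]
        if ($r -and $ace.AccessControlType -eq 'Allow' -and
            ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            '{0}: {1}' -f $ace.IdentityReference, $r
        }
    }

    # An unattended machine request cannot type in a subject, so the CA must be able to
    # build one from the computer object; for RDP that means its DNS name.
    $verdict = if ($nameFlags -contains 'ENROLLEE_SUPPLIES_SUBJECT') {
        'Subject must be supplied by the enrollee, which unattended autoenrollment cannot do; check this first.'
    } elseif ($nameFlags -contains 'SUBJECT_REQUIRE_DNS_AS_CN' -or $nameFlags -contains 'SUBJECT_ALT_REQUIRE_DNS') {
        'Subject is built from the computer DNS name in AD (expected for an RDP template).'
    } else {
        'Subject is built from AD but without a DNS name; review the Subject Name tab.'
    }

    [pscustomobject]@{
        Template       = $tpl.Name
        NameFlags      = $nameFlags -join ', '
        AutoEnrollFlag = $autoEnrollFlag
        ValidityDays   = & $toDays $tpl.pKIExpirationPeriod
        RenewalDays    = & $toDays $tpl.pKIOverlapPeriod
        EnrollRights   = ($holders | Sort-Object -Unique) -join '; '
        Verdict        = $verdict
    }
}

# Placeholder template name copied from the thread's error message; replace with your own.
Get-TemplateEnrollmentPolicy -TemplateName 'RDPxxxx' | Format-List
```

For an RDP server template the EnrollRights line should list a group that contains the server's computer account (Domain Computers, or a dedicated RDS hosts group) with both Enroll and AutoEnroll; a template that only grants Domain Users explains a gpresult that looks correct on the user side while the machine never enrolls. RenewalDays is the window before expiry in which the autoenrollment task attempts the renewal, so a value of 0 or one larger than ValidityDays is also worth flagging.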