This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 33%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBZ%3C/text%3E%3C/svg%3E)
Hi, is it possible to use Certificate Enrollment Web Service/Policy Web Service to auto-enroll certificates to systems in forests without any trust with forest where 2-Tier PKI resides? If so how, for instance, servers/desktops/laptops will auto-enroll their certificates such as ConfigMgr client cert needed for HTTPS communication since typical auto-enrollment is AD/GPO "feature". What "initiates"/"triggers" certificate auto-enrollment on a machine?
The answer is No. Cross-forest certificate enrollment requires a two-way forest trust. No exceptions.
The answer is No. Cross-forest certificate enrollment requires a two-way forest trust. No exceptions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Bojan Zivkovic ,
Thank you for posting here.
If there is no two-way forest trust, we can try to deploy cross-forest certificate enrollment in AD test lab according to the following article if needed.
Starting with Windows Server 2008 R2, you can utilize Certificate Enrollment Web Services to provide certificates across forests that do not require forest trust relationships. For a lab demonstration of such a configuration using Windows Server® 2012, see the Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services.
For more information, please refer to link below.
Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services
https://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
I followed document above and could not find (if I did not miss) part where system in untrusted forest/non-domain joined got certificate via autoenrollment. I guess if those two GPO settings are configured:
Certificate Services Client - Certificate Enrollment Policy
Certificate Services Client -Auto-Enrollment
system in untrusted forest/non-domain joined will get certificates automatically at next GPO refresh - but, what also is not covered is how to allow certificate auto-enrollment of specific template in terms of permissions (to which security principals read/enroll/auto-enroll permissions should be assigned).
I definitely do not want to go to each client/server in any untrusted forest and enroll certificates manually, for instance ConfigMgr client certificate, it should be auto-enrolled but here as I said I do not see auto-enrollment in action - everything is manual. Every document I found had some holes and this one is no exception.
Hello @Bojan Zivkovic ,
Thank you for your update.
Yes, you are right.
The document above does not mention that in untrusted forest/non-domain joined will get certificates automatically.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
I just would like to get 100% trustworthy information on this - if auto-enrollment of certificates to systems in untrusted forests is doable using CEP/CES or not. If answer is no then will tell my manager that only option is establishing two-way trust between forests with selective authentication if InfoSec won't allow forest-wide authentication. In that design I do not see a place for CEP/CES. Difference between auto-enrollment and enrollment of certificates is huge, particularly in untrusted forests with hundreds or thousands of systems.