0 Votes
agfreesafety3-6849 asked agfreesafety3-6849 edited

How Do I Figure Out Why Certificate Not Loading from Group Policy?

How do I troubleshoot why a certificate didn't get issued to a new server added to the domain?

The setting is set in the Default Domain GPO, under Security Settings-->Public Key Policies--> trusted root certificates.

It was discovered that the new server didn't get the certificate when we tried to access our internet wiki while on the new server, and it didn't show the URL as a safe https site.

The rest of the GPO loads on the machine successfully, so I'm not sure how else to troubleshoot why this failed to load.

Any tips on the first steps to research this? I looked in the event log and I didn't see any clues; all I saw were messages about the GPO loading as a whole.

windows-group-policy

0 Votes
LimitlessTechnology-2700 answered

Hi there,

There might be many reasons for this, like a difference between Computer Configuration and User Configuration.

You can use the following procedure to push down the appropriate Secure Sockets Layer (SSL) certificates (or equivalent certificates that chain to a trusted root) for account federation servers, resource federation servers, and Web servers to each client computer in the account partner forest by using Group Policy.

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy



--If the reply is helpful, please Upvote and Accept it as an answer--


0 Votes
agfreesafety3-6849 answered agfreesafety3-6849 edited

@LimitlessTechnology-2700 Yes, that is how the GPO is already set up. What I don't understand is how to troubleshoot why it isn't working for this one specific resource; it's worked for the others.

Can you elaborate on what you mean by "difference between Computer Config and User Config?"


0 Votes
agfreesafety3-6849 answered agfreesafety3-6849 edited

I put these settings into their own GPO, and it's still not loading. The event log on the target machine states that the new GPO loaded successfully. But when I go to our internal website from this new machine, it's "still" saying that the website is not trusted. In case this might be related, when the machine was first built, I added it to the domain successfully.

Then a few days later it was discovered that it wasn't on the domain, so I put it back onto the domain shortly thereafter, and it's remained on the domain since then. This issue with the trusted root cert was discovered after I resolved that domain join issue.

Any idea how I can go about figuring out why this cert is failing to load? I'm not sure where to turn with no event log info to go off of.

Even though the GPO shows as loading successfully, when I do an RSoP and look under Public Key Policies ----> Trusted Root Cert, it is blank.

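The checks below are an added example for the symptom described in this thread (GPO reports success, RSoP shows Public Key Policies empty, the site is still untrusted); they are not from any poster. They assume `<THUMBPRINT>` is replaced with the SHA-1 thumbprint of the root CA certificate that the GPO is meant to deliver, and they are run in an elevated PowerShell session on the affected server.

```powershell
# Added diagnostic script (not from the thread). <THUMBPRINT> is a placeholder for the
# thumbprint of the root CA cert configured in the GPO's Trusted Root Certification Authorities.
$Thumbprint = '<THUMBPRINT>'

# 1. The machine fell off the domain once; confirm the secure channel to the DC is healthy,
#    otherwise computer-scope policy (including certificate delivery) is not trustworthy.
$channelOk = Test-ComputerSecureChannel
Write-Host "Secure channel to domain OK: $channelOk"

# 2. Roots delivered by Group Policy are written under the Policies hive, separate from
#    locally installed roots. If this key is missing, the certificate CSE never wrote it.
$gpKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
Write-Host "GPO-delivered copy present: $(Test-Path $gpKey)"

# 3. Is the root visible in the machine's Trusted Root store, which schannel and the
#    browsers consult when validating the wiki's HTTPS certificate?
$inStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Thumbprint
Write-Host "In LocalMachine\Root store: $($null -ne $inStore)"

# 4. Certificates placed under User Configuration go to the user's store, not the machine's,
#    and the computer-scope RSoP for Public Key Policies stays blank. Check which scope
#    actually applied the GPO.
gpresult /scope computer /r

# 5. The System log only reports the GPO as a whole; the Group Policy operational log
#    records errors and warnings per client-side extension (level 2 = error, 3 = warning).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'
    Level   = 2, 3
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message
```

If step 2 reports the key as missing while step 4 shows the GPO applied only in user scope, the setting is in User Configuration; if step 1 fails, repair the channel (`Test-ComputerSecureChannel -Repair`) before re-running `gpupdate /force`.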