enrolment agent (enrol on behalf of) stopped working

Jamesy Wamesy 96 Reputation points
2021-12-31T12:58:12.18+00:00

Earlier in the year, I set up the ability for the service desk to enrol user certificates on behalf of remote users. I copied the enrolment agent template and set up security, etc. on it. This was working fine, as in: service desk members could enrol for a certificate from the enrolment agent template and then run the enrol-on-behalf-of process, where it would prompt them to select this cert for signing.

Now, though, when this process is run, even though there is a valid enrolment agent cert, the message 'no certificates meet the application criteria' appears.

I have confirmed that all the settings are still correct, security is correct and that the certificate chain is valid. I even tried creating a new template, but the result is the same.

This is a two-tier Windows Server 2016 PKI set-up with an offline root and an online subordinate issuing CA. The certs for both are valid and in date.

Has anyone else experienced this issue?


1 answer

  1. Limitless Technology 39,931 Reputation points
    2022-01-04T10:00:08.51+00:00

    Hi there,

    Some points you can check before jumping to other troubleshooting steps.

    1. Check whether the currently logged-on user's Personal store contains an Enrollment Agent certificate issued from the Enrollment Agent certificate template. If so, ensure this cert has not expired.
    2. Check whether the currently logged-on user's Personal store contains an Enrollment Agent certificate issued from the Enrollment Agent certificate template. If there is no such certificate, or it has expired, the logged-on user can request an Enrollment Agent certificate from the Enrollment Agent certificate template again, and then request certs on behalf of another user.

    Here are two threads as well that discuss the same issue; you can try some of the troubleshooting steps from them and see if that helps you sort the issue.

    https://learn.microsoft.com/en-us/answers/questions/369669/no-certificates-meet-the-application-criteria.html

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/ef1e7953-0e41-4465-becc-74305e18b32b/certificate-services-request-client-certificates-on-behalf-of-another-user?forum=winserversecurity


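The two checks in the answer above (is there an Enrollment Agent certificate in the logged-on user's Personal store, and is it still valid) can be run from PowerShell on the service desk member's workstation rather than clicked through in certmgr.msc. The script below is an added example, not code from the original question or answer. It assumes the agent certificate carries the standard Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1, which the built-in Enrollment Agent template and copies of it include), and the template name in the re-enrolment hint (`EnrollmentAgentCopy`) is a placeholder for whatever the copied template is called in your environment.

```powershell
# Added example (not from the original thread): enumerate the current user's Personal store
# for certificates usable as an enrollment agent and report why each one would or would not
# be offered by the "Enroll on behalf of" wizard.

# Certificate Request Agent EKU. Standard OID; the wizard filters the signing-certificate
# picker on this EKU.
$AgentEku = '1.3.6.1.4.1.311.20.2.1'

# Placeholder: the display name of the copied Enrollment Agent template in your CA.
$AgentTemplateName = 'EnrollmentAgentCopy'

function Test-EnrollmentAgentCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert
    )

    $now = Get-Date
    $problems = @()

    if ($Cert.NotBefore -gt $now)  { $problems += "not yet valid (NotBefore $($Cert.NotBefore))" }
    if ($Cert.NotAfter  -lt $now)  { $problems += "expired on $($Cert.NotAfter)" }
    if (-not $Cert.HasPrivateKey)  { $problems += 'no private key in this store (cannot sign the request)' }

    # Build the chain with online revocation checking, the same way the wizard will judge it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    try {
        if (-not $chain.Build($Cert)) {
            $reasons = $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }
            $problems += "chain build failed ($($reasons -join '; '))"
        }
    } finally {
        $chain.Dispose()
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# The Cert: provider exposes EnhancedKeyUsageList on each certificate object.
$agentCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $AgentEku }

if (-not $agentCerts) {
    Write-Warning "No certificate with the Certificate Request Agent EKU ($AgentEku) found in Cert:\CurrentUser\My."
    Write-Warning "Request one first, for example: certreq -enroll -user $AgentTemplateName"
    return
}

$results = $agentCerts | ForEach-Object { Test-EnrollmentAgentCert -Cert $_ }
$results | Format-Table Subject, Thumbprint, NotAfter, Usable, Problems -AutoSize

if (-not ($results | Where-Object Usable)) {
    Write-Warning 'An agent certificate exists but none is usable; re-enrol from the Enrollment Agent template, e.g.:'
    Write-Warning "  certreq -enroll -user $AgentTemplateName"
}
```

Run this as the service desk user who sees the error, not as an administrator: the wizard looks in that user's own Personal store, so a perfectly good agent certificate in an admin's profile or in the machine store will not be offered. If every candidate shows `Usable = True` here and the wizard still reports 'no certificates meet the application criteria', the remaining things to compare against the earlier working state are the Enroll permission on the target user template and any Issuance Requirements (number and EKU of authorized signatures) the template imposes on the signing certificate.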
