Enabling autoenrollment with CEWS

GrAllen 21 Reputation points
2022-01-27T18:45:20.367+00:00

We have two forests (Forest 1 and Forest 2) with trusts. Our production CA is in Forest 1. We have implemented CEWS (CEP/CES) in Forest 1 using Integrated Authentication to provide certificate enrollment services to Forest 2. Client machines in Forest 2 have the CEP policy installed, autoenrollment enabled and have been permitted to a CEWS SSL template. When we manually request a device certificate from a Forest 2 machine it works. However, it does prompt us for subject name info during the request.
The machines will not autoenroll even though they have autoenroll policy enabled and are permitted to the CEWS SSL template with read, enroll and autoenroll permissions. We see a message in the client log that the template requires user interaction and cannot be automatically enrolled. The CEWS SSL template is set to "enroll subject without requiring any user input". The subject tab of the template is set to "Supply in the request".
We tried changing the Subject setting to "Build from Active Directory Information" thinking that the subject setting was causing autoenrollment to halt for user interaction. But when we change the template subject setting to "Build from Active Directory" neither the manual nor autoenrollment work. We see a message on the CA and Forest 2 Client: "Denied by Policy Module 0x800702b The Requestor's Active Directory Object is not in the current forest. Cross Forest enrollment is not enabled". Is it possible to configure autoenrollment for CEWS client computers in Forest 2?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,959 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,737 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vadims Podāns 9,111 Reputation points MVP
    2022-01-28T07:39:33.11+00:00

    The machines will not autoenroll even though they have autoenroll policy enabled and are permitted to the CEWS SSL template with read, enroll and autoenroll permissions.

    this is expected. Machines do not autofill subject field. It is possible to renew against the template that require manual subject by enabling a checkbox that allows to reuse the subject from renewal certificate. But that's all.

    The Requestor's Active Directory Object is not in the current forest.

    that's correct. When CA attempts to query object that belongs to another forest from local DC it receives the LDAP referral which requires LDAP referral chasing: https://learn.microsoft.com/en-us/windows/win32/ad/referrals. To enable LDAP referral chasing on CA, you have to run the following command:

    certutil - setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS  
    

    And restart CA service.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Limitless Technology 39,416 Reputation points
    2022-01-31T09:52:36.097+00:00

    Hi there,

    You probably must have missed these below points.

    • LDAP referrals
    • Publication of the CA certificates in the resource forest
    • Inclusion of the issuing CA computer accounts in the Cert Publishers group
    • Verification that the URLs in the CDP/AIA are accessible from the resource forest
    • Permissions are configured to enable Read and Enroll permissions for groups in the Resource forest

    Here is a thread as well that discusses the same issue and you can try out some troubleshooting steps from this and see if that helps you to sort the Issue.

    Server 2012 R2 - "Cross forest enrollment is not enabled"
    https://social.technet.microsoft.com/Forums/en-US/59393068-76ff-46df-874e-ae19057ea223/server-2012-r2-quotcross-forest-enrollment-is-not-enabledquot?forum=winserversecurity


    --If the reply is helpful, please Upvote and Accept it as an answer--

    0 comments No comments