Enabling autoenrollment with CEWS

Question

We have two forests (Forest 1 and Forest 2) with trusts. Our production CA is in Forest 1. We have implemented CEWS (CEP/CES) in Forest 1 using Integrated Authentication to provide certificate enrollment services to Forest 2. Client machines in Forest 2 have the CEP policy installed, autoenrollment enabled and have been permitted to a CEWS SSL template. When we manually request a device certificate from a Forest 2 machine it works. However, it does prompt us for subject name info during the request.
The machines will not autoenroll even though they have autoenroll policy enabled and are permitted to the CEWS SSL template with read, enroll and autoenroll permissions. We see a message in the client log that the template requires user interaction and cannot be automatically enrolled. The CEWS SSL template is set to "enroll subject without requiring any user input". The subject tab of the template is set to "Supply in the request".
We tried changing the Subject setting to "Build from Active Directory Information" thinking that the subject setting was causing autoenrollment to halt for user interaction. But when we change the template subject setting to "Build from Active Directory" neither the manual nor autoenrollment work. We see a message on the CA and Forest 2 Client: "Denied by Policy Module 0x800702b The Requestor's Active Directory Object is not in the current forest. Cross Forest enrollment is not enabled". Is it possible to configure autoenrollment for CEWS client computers in Forest 2?

Answer 1

The machines will not autoenroll even though they have autoenroll policy enabled and are permitted to the CEWS SSL template with read, enroll and autoenroll permissions.

this is expected. Machines do not autofill subject field. It is possible to renew against the template that require manual subject by enabling a checkbox that allows to reuse the subject from renewal certificate. But that's all.

The Requestor's Active Directory Object is not in the current forest.

that's correct. When CA attempts to query object that belongs to another forest from local DC it receives the LDAP referral which requires LDAP referral chasing: https://learn.microsoft.com/en-us/windows/win32/ad/referrals. To enable LDAP referral chasing on CA, you have to run the following command:

certutil - setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS  

And restart CA service.

Answer 2

Hi there,

You probably must have missed these below points.

• LDAP referrals
• Publication of the CA certificates in the resource forest
• Inclusion of the issuing CA computer accounts in the Cert Publishers group
• Verification that the URLs in the CDP/AIA are accessible from the resource forest
• Permissions are configured to enable Read and Enroll permissions for groups in the Resource forest

Here is a thread as well that discusses the same issue and you can try out some troubleshooting steps from this and see if that helps you to sort the Issue.

Server 2012 R2 - "Cross forest enrollment is not enabled"
https://social.technet.microsoft.com/Forums/en-US/59393068-76ff-46df-874e-ae19057ea223/server-2012-r2-quotcross-forest-enrollment-is-not-enabledquot?forum=winserversecurity

---

--If the reply is helpful, please Upvote and Accept it as an answer--