
There are a lot of discussions on here about this problem, and I have spent all day exploring every one of them. All the servers involved in this are Windows 2019. 2 domain controllers and a certificate authority server. After installing the Certificate Services feature, I then also installed the Web Enrollment stuff. But when I go to my server's enrollment site, I am greeted with this error:

[image: screenshot of the error shown by the web enrollment page]

I've chased down several options. I validated permissions via: https://www.altaro.com/hyper-v/windows-ssl-certificate-templates/

I verified LDAP object configurations via: https://docs.microsoft.com/en-US/troubleshoot/windows-server/windows-security/no-certificate-templates-be-found

I verified the configuration from this site: https://docs.microsoft.com/en-us/answers/questions/96739/certificate-template-not-showing.html

I'm running out of options. The template is clearly there: [image: screenshot of the certificate template list]

I'm completely out of ideas. I'm frustrated by this. Has anyone got any other ideas?

Geoff Sweet
  • Wondering why you ever need this obsolete stuff like enrollment web pages? Why not use MMC? It is much more flexible. – Crypt32 Mar 31 '21 at 06:00
  • While I agree with that (and add that PowerShell is also conveniently capable of issuing certs), the good old HTML3.2 web frontend *should* also still be able to show (and use) the templates. – bjoster Mar 31 '21 at 10:59

2 Answers


Oh my. That can be a tough one. After a lot of troubleshooting and cursing about mscersvc, I compiled a "top list" of my solutions. Sorry if you did some of them already.

  • Check and verify https://support.microsoft.com/en-us/kb/811418
  • Ensure security permissions for the templates are set appropriately (check the Application Pool Identity)
  • Make sure (without any doubt!) that your AD replication is working fine and that you can see your templates on each and every DC (!)
  • Ensure that "Supply in the request" is selected under the Subject Name tab
  • Create a brand new IIS application pool and assign the Certsrv directory to it (triple check appropriate permissions). Bind with http only (!)
  • Ensure certificate template compatibility is the same as or below the domain and forest functional level (while on 2019 I wouldn't be surprised if not - most domains are on an older FL or DL)
  • Change the application pool's identity from ApplicationPoolIdentity to NetworkService (and double check NTFS permissions. This can go strange when Certsvc was set up on a DC, which I would not recommend at all)
  • Check for duplicates and/or decommissioned AD certsvcs (and issuing server name and certificate requests) with ldifde -f check.txt -d "CN=Configuration,DC=<YOURDOM>,DC=<YOURTLD>". When you find a "second" one, hunt it down or remove its templates completely. Then repadmin /syncall /AdePq (and wait)
  • The (outdated) web console needs Read, Write, Enroll and Auto-enroll permissions to show the template
  • Make sure your CA is using a Key Storage Provider (KSP) (and SHA2) when using 2019 as web frontend

I wish you the best of luck.

bjoster
  • I wanted to mark yours as the answer and throw my comments in below here. Ultimately my problem was permissions. In a thread over on the Technet forums, one of the Microsoft folks suggested making sure the template had "Authenticated Users: Read, Enroll" permission set. I corrected that. But what I forgot to do was to re-publish the template. The combination of those two items solved the issue for me. https://docs.microsoft.com/en-us/answers/questions/338294/windows-certificate-services-will-not-publish-a-ce.html – Geoff Sweet Mar 31 '21 at 16:49
  • Permissions, permissions, permissions ... thanks for the comment. I'll add that to the List. – bjoster Apr 01 '21 at 06:05
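The checklist above and the follow-up comment boil down to three things that can be read straight out of the Configuration partition: whether there is more than one (or a stale) CA object under Enrollment Services, whether the template's ACL actually grants the requesting principal Read and Enroll, and whether the template has been published to a CA at all. The script below is an added example for this thread, not code from the question or either answer. It assumes the RSAT ActiveDirectory module is installed and the account running it can read the Configuration partition; the extended-right GUIDs are the well-known schema constants for Certificate-Enrollment and Certificate-AutoEnrollment, and the principal name is a default you can override.

```powershell
# Added example for this thread; not the code of the question or either answer.
# Assumes: RSAT ActiveDirectory module present, account can read the Configuration
# partition. Principal and template names passed in are placeholders.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Well-known extended-right GUIDs (schema constants, not values from this thread).
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-11d1-a9ac-0000f80367c1'   # Certificate-AutoEnrollment
$Rights         = [System.DirectoryServices.ActiveDirectoryRights]

function Get-EnrollmentServiceObjects {
    # One pKIEnrollmentService object per CA. Two objects for one CA, or one whose
    # dNSHostName no longer resolves, is the stale/duplicate case the ldifde step hunts.
    Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -Filter 'objectClass -eq "pKIEnrollmentService"' `
        -Properties dNSHostName, certificateTemplates |
    ForEach-Object {
        [pscustomobject]@{
            CA           = $_.Name
            Host         = $_.dNSHostName
            HostResolves = [bool](Resolve-DnsName -Name $_.dNSHostName -ErrorAction SilentlyContinue)
            Templates    = @($_.certificateTemplates)
        }
    }
}

function Test-TemplatePublished {
    param([Parameter(Mandatory)][string]$TemplateName)
    # A template object under "Certificate Templates" is only issuable once its name
    # is listed on a CA object; that is the "re-publish" step the comment mentions.
    $cas = @(Get-EnrollmentServiceObjects | Where-Object { $_.Templates -contains $TemplateName })
    [pscustomobject]@{
        Template    = $TemplateName
        PublishedOn = @($cas | ForEach-Object { $_.CA })
        Published   = ($cas.Count -gt 0)
    }
}

function Test-TemplateEnrollAccess {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [string]$Principal = 'NT AUTHORITY\Authenticated Users'
    )
    $dn   = "CN=$TemplateName,CN=Certificate Templates,$pkiBase"
    $acl  = Get-Acl -Path "AD:\$dn"
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and $_.AccessControlType -eq 'Allow'
    })

    # "Read" in the Certificate Templates console is GenericRead; the ReadProperty bit
    # is set both there and in a GenericAll grant, so testing that bit covers both.
    $read = @($aces | Where-Object { ($_.ActiveDirectoryRights -band $Rights::ReadProperty) -ne 0 }).Count -gt 0
    # Enroll/Autoenroll are extended rights keyed by ObjectType; a GenericAll ACE
    # (empty ObjectType) grants them implicitly.
    $full = @($aces | Where-Object { ($_.ActiveDirectoryRights -band $Rights::GenericAll) -eq $Rights::GenericAll }).Count -gt 0
    $enroll     = $full -or (@($aces | Where-Object { $_.ObjectType -eq $EnrollGuid }).Count -gt 0)
    $autoEnroll = $full -or (@($aces | Where-Object { $_.ObjectType -eq $AutoEnrollGuid }).Count -gt 0)

    [pscustomobject]@{
        Template   = $TemplateName
        Principal  = $Principal
        Read       = $read
        Enroll     = $enroll
        AutoEnroll = $autoEnroll
    }
}

# Usage: CA objects first (look for duplicates / non-resolving hosts), then one row
# per template with its ACL state for Authenticated Users and whether it is published.
Get-EnrollmentServiceObjects | Format-Table -AutoSize

Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -Filter 'objectClass -eq "pKICertificateTemplate"' |
ForEach-Object {
    $access    = Test-TemplateEnrollAccess -TemplateName $_.Name
    $published = Test-TemplatePublished   -TemplateName $_.Name
    $access | Add-Member -NotePropertyName Published -NotePropertyValue $published.Published -PassThru
} | Format-Table -AutoSize
```

Run it on a DC or a machine with RSAT against the domain in question. A template that shows `Read = True, Enroll = True` but `Published = False` is exactly the state the comment above describes: the ACL was fixed but the template was never added back to the CA, so neither the web pages nor the MMC will offer it. Pass `-Principal` with the application pool's identity (for example `NT AUTHORITY\NETWORK SERVICE` after the change in the list) to check the account the web frontend actually runs as.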

Ran into a similar issue while trying to request a new certificate from certmgr, and my problem was that I did not have SRV records created in the domain for the LDAP service. Packet capture on the client device showed DNS lookups failing.
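The missing-SRV-record case is quick to confirm from the client without a packet capture. This is an added example, not the poster's own code; the domain name passed in is a placeholder and the record names are the standard ones a domain member queries to locate a DC.

```powershell
# Added example; not from the answer above. Domain name is a placeholder.
function Test-LdapSrvRecords {
    param([Parameter(Mandatory)][string]$DomainName)
    # Standard locator records a domain member resolves before binding to a DC.
    $names = @(
        "_ldap._tcp.$DomainName",
        "_ldap._tcp.dc._msdcs.$DomainName",
        "_kerberos._tcp.$DomainName"
    )
    foreach ($n in $names) {
        $rec = @(Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'SRV' })
        [pscustomobject]@{
            Record  = $n
            Found   = ($rec.Count -gt 0)
            Targets = ($rec | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
}

# Usage: every row should be Found = True and list at least one DC as a target.
Test-LdapSrvRecords -DomainName 'corp.example' | Format-Table -AutoSize
```

Any `Found = False` row means the client cannot discover a DC through DNS, and certificate enrollment (which needs an LDAP bind to read the templates) will fail before it ever reaches the CA.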