Forum Discussion
Two Tier PKI AutoEnrollment & CertEnroll Errors
Hi Lain,
Thank you for your detailed response! I am starting to go through your post right now.
So far, I noticed that my subordinate/intermediate issuing CA has the four allow in-bound firewall rules enabled (the Certification authority enrollment and management protocol rules).
However, they do not exist on domain controllers or any workstations. Should they be there too? It seems my domain controllers don't even have those pre-defined rules to add on the firewalls. Or does my domain controller need to have certificate authority service installed?
P.S: thank you, I have re-enabled firewall across the domain
Deleted
Hi,
Those four rules only exist and are enabled on the hosts running Certificate Services (which should not be the domain controllers - they should only ever run just one thing: Active Directory.)
What those four rules do is allow inbound traffic from other hosts to reach Certificate Services via RPC.
Given the four rules are there and enabled, I'd:
- Ensure the Certificate Services service (certsvc) is running on the Certificate Services host;
- Run a PortQry check from another host on the same subnet/virtual switch to see if it can access the Certificate Services host;
- If it can then you know something is blocking traffic from other, more remote hosts from reaching your Certificate Services host;
- If it cannot then the problem exists on the Certificate Services host itself.
Do you know if you have had Certificate Services installed within the forest ever before? If you have, it may be the case that you have a non-existent host reference lingering in your configuration - but this is an outside possibility.
Here are some commands you can use to check if you've ever had another certificate authority:
# This command lists all defined certificate authorities.
Get-ADObject -Filter { (objectClass -eq "certificationAuthority") } -SearchBase "CN=Certification Authorities,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -SearchScope OneLevel | Format-Table -AutoSize objectGUID, objectClass, name
# This command lists all enrolment service points (aka servers running Certificate Services.)
Get-ADObject -Filter { (objectClass -eq "pKIEnrollmentService") } -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -SearchScope OneLevel -Properties dNSHostName | Format-Table -AutoSize objectGUID, objectClass, name, dNSHostName
Hopefully you only see entries that you know about. If you see strays that you didn't know existed (particularly from the second command) then you may have some long-lost things to clean up (aka delete.)
Cheers,
Lain
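The checklist above (service state, firewall rules, a port check from a neighbouring host, an RPC call to the CA, and a hunt for stale enrollment-service objects) can be walked in one script. The following PowerShell is an added example and is not code from this thread or from Lain's reply. It assumes the ActiveDirectory RSAT module and certutil.exe are available, that the four inbound rules can be matched by the display-name pattern "Certification Authority Enrollment*" (adjust if your rule names differ), and it uses Test-NetConnection against TCP 135 and "certutil -ping" in place of PortQry, which is a third-party download.

```powershell
# Added example (not from the original post): walk the troubleshooting steps for every
# CA that advertises itself in the forest. Assumptions: ActiveDirectory module + certutil.exe
# present; firewall rule display names start with "Certification Authority Enrollment".

$cfgNC      = (Get-ADRootDSE).configurationNamingContext
$enrollBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"

# Every host that advertises Certificate Services (the object name is the CA common name).
$cas = Get-ADObject -Filter { objectClass -eq "pKIEnrollmentService" } `
        -SearchBase $enrollBase -SearchScope OneLevel -Properties dNSHostName

# FQDN of the machine this script runs on, to detect when we are on the CA host itself.
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

foreach ($ca in $cas) {
    Write-Host "== CA '$($ca.name)' on $($ca.dNSHostName)"

    # Lingering-reference check: an enrollment service whose host no longer resolves
    # is the stray entry Lain mentions, and a candidate for cleanup.
    $resolves = [bool](Resolve-DnsName -Name $ca.dNSHostName -ErrorAction SilentlyContinue)
    if (-not $resolves) {
        Write-Warning "  $($ca.dNSHostName) does not resolve in DNS: stale pKIEnrollmentService object?"
        continue
    }

    if ($ca.dNSHostName -ieq $localFqdn) {
        # Step 1 (only meaningful on the CA host): is certsvc running, are the rules enabled?
        Get-Service -Name certsvc | Format-Table Name, Status, StartType -AutoSize
        Get-NetFirewallRule -Direction Inbound -DisplayName 'Certification Authority Enrollment*' |
            Format-Table DisplayName, Enabled, Profile -AutoSize
    }

    # Step 2: the RPC endpoint mapper (TCP 135) is the first hop every CA client takes.
    # Test-NetConnection only proves that port; the dynamic RPC port is checked in step 3.
    $ep = Test-NetConnection -ComputerName $ca.dNSHostName -Port 135 -WarningAction SilentlyContinue
    Write-Host "  TCP 135 reachable: $($ep.TcpTestSucceeded)"

    # Step 3: call the CA over DCOM the way an enrolling client does.
    # certutil -ping returns non-zero when the ICertRequest interface cannot be reached.
    & certutil.exe -ping -config "$($ca.dNSHostName)\$($ca.name)" | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "  certutil -ping: OK"
    } else {
        Write-Warning "  certutil -ping failed (exit $LASTEXITCODE): 135 open but dynamic RPC port blocked, or certsvc down"
    }
}
```

Run it once from a host on the same subnet or virtual switch as the CA and once from a remote workstation. If TCP 135 and the ping succeed locally but fail remotely, something between the subnets is dropping the RPC traffic; if they fail even from the neighbouring host, the problem is on the CA host (service stopped, rules disabled, or the profile they are enabled for does not match the active network profile). The firewall-rule and service checks only run when the script is executed on the CA host, since those rules should not exist anywhere else.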