Channel: Network Access Protection forum

NPS server - certificate auto-enrol


Hi,

I'm having problems getting certificate autoenrol on internal PKI to work for wireless set up with 802.1X Authenticated Wireless Access with PEAP-MS-CHAP v2.

Certificates can be generated manually and everything works perfectly, but I haven't been able to get autoenrol of computer certificates working. Any advice on how to fix or troubleshoot this would be appreciated.


- GPO for autoenrol is set up as required (in the registry, AEPolicy = 7, which shows this is set correctly as per the link at the bottom of this post). rsop.msc also shows the policy is being correctly applied.

- Enabled logging in HKLM\Software\Microsoft\Cryptography\Autoenrollment\AEEventLogLevel and can see events 64 and 65 showing when running certutil -pulse 

Those events are "Certificate enrollment for Local system is successfully authenticated by policy server"

- I followed instructions on setting up the CA side. Slight complication is that CA is in parent domain, but added NPS servers needed to autoenrol into a group (and also explicitly) with required permission (read, enrol, autoenrol).

- Certificate server shows no received requests and no failed requests

Used this to set up the CA, which is in production for other certificate uses: https://technet.microsoft.com/en-gb/library/cc731522.aspx?f=255&MSPPError=-2147217396
Also this one: http://www.rickygao.com/how-to-automatically-enroll-user-and-computer-certificate-in-ad/

Troubleshooting guide - I found this useful: http://social.technet.microsoft.com/wiki/contents/articles/3048.troubleshooting-certificate-autoenrollment-in-active-directory-certificate-services-ad-cs.aspx

Environment:
NPS = Server 2012 R2 Standard
CA server = 2008 (R2 Enterprise I think)

Hope someone can assist as I am stuck. Issue doesn't appear to be GPO related or CA related. Despite event IDs listed above, I'm not convinced the NPS servers are even asking out for a certificate.

