Thursday, November 3, 2016

Certificate template not showing up in web enrollment request options for Microsoft Certificate Authority

I ran into an interesting problem at a client this week when I had to request a new certificate from their 2-tier, standalone Root CA and subordinate Enterprise CA, certificate authority infrastructure where a certificate template that we created by duplicating the Web Server template naming it Web Server Exportable then published would not show up in web enrollment request options.  The following are screenshots of the behavior of the web enrollment page after removing all of the published certificate templates and leaving the one I want to use:

https://<subordinateCA>/certserv

clip_image002

No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.

clip_image002[4]

Note the (No templates found!) listed in the Certificate template: drop down box:

clip_image002[6]

clip_image002[8]

After troubleshooting for a couple hours and attempting the following solutions found on the internet:

Verified the following KB was not the issue: https://support.microsoft.com/en-us/kb/811418

  1. Check to ensure the security permissions for the certificate template was set appropriately
  2. Ensure that Supply in the request was selected under the Subject Name tab
  3. Created a new application pool and assigned the Certsrv directory to it
  4. Ensure certificate template compatibility was the same or below the domain and forest functional level
  5. Changed the application pool’s advanced settings identity from ApplicationPoolIdentity to NetworkService

... which did not correct my issue, I went ahead and opened a case with Microsoft.

What we noticed was that we would be able to get the published template to show up if we changed the name from Web Server Exportable to Web_Server_Exportable, using a a different name.  This lead the engineer to suspect that there might be something lingering in AD that was causing the template with the original name not to show up in the web enrollment webpage.  To troubleshoot, we exported the Configuration container information to a text file via the ldifde command as such:

ldifde -f out.txt -d "CN=Configuration,DC=ad,DC=domain,DC=bm"

We then did a find on the exported out.txt file and immediately found an entry for WebServerExportable:

clip_image002[10]

What we found was that another certificate authority in Active Directory which was an Enterprise Root CA  had a template published with the same name.  Logging onto that server and launching the Certificate Authority administration console showed the following:

clip_image002[12]

The template listed as <Unknown> was what caused the template on the other CA to not be displayed so we went ahead and removed the template, forced an Active Directory replication with repadmin /syncall /AdePq, reran the ldifde export to confirm the template was no longer listed under this CA, then confirmed that the template is now shown in the web enrollment page.

Hope this post helps anyone who may come across a situation similar to this.

No comments: