Thursday, November 3, 2016

Certificate template not showing up in web enrollment request options for Microsoft Certificate Authority

I ran into an interesting problem at a client this week when I had to request a new certificate from their two-tier certificate authority infrastructure (a standalone root CA with a subordinate enterprise CA). A certificate template that we had created by duplicating the Web Server template, naming it Web Server Exportable and publishing it, would not show up in the web enrollment request options. The following are screenshots of the behavior of the web enrollment page after removing all of the published certificate templates except the one I wanted to use:



No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.


Note the "(No templates found!)" entry in the Certificate template: drop-down box:



After troubleshooting for a couple of hours, I tried the following solutions found on the internet and verified that the KB they came from was not the cause:

  1. Checked that the security permissions on the certificate template were set appropriately
  2. Ensured that Supply in the request was selected under the Subject Name tab
  3. Created a new application pool and assigned the Certsrv directory to it
  4. Ensured that the certificate template compatibility was the same as or below the domain and forest functional level
  5. Changed the application pool's advanced settings identity from ApplicationPoolIdentity to NetworkService

None of these corrected my issue, so I went ahead and opened a case with Microsoft.

What we noticed was that the published template would show up if we changed its name from Web Server Exportable to Web_Server_Exportable, that is, if we used a different name. This led the engineer to suspect that something lingering in AD was causing the template with the original name not to show up in the web enrollment page. To troubleshoot, we exported the Configuration container to a text file with the ldifde command:

ldifde -f out.txt -d "CN=Configuration,DC=ad,DC=domain,DC=bm"

We then did a find on the exported out.txt file and immediately found an entry for WebServerExportable:


What we found was that another certificate authority in Active Directory, an Enterprise Root CA, had a template published with the same name. Logging onto that server and launching the Certificate Authority administration console showed the following:


The template listed as <Unknown> was what prevented the template on the other CA from being displayed. We removed the template from that CA, forced an Active Directory replication with repadmin /syncall /AdePq, reran the ldifde export to confirm the template was no longer listed under this CA, and then confirmed that the template now appears in the web enrollment page.
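As an added example (not part of the original post and not Microsoft's own tooling), the following PowerShell queries the same Configuration partition that ldifde exported and reports which enterprise CAs in the forest publish a given template, flagging any published name that no longer resolves to a template object in CN=Certificate Templates. It assumes the RSAT ActiveDirectory module is installed and the account can read the Configuration partition; the template name WebServerExportable is the one from the post.

```powershell
# Added example: find every enterprise CA that publishes a template name and flag
# stale references. Assumes the RSAT ActiveDirectory module (Get-ADRootDSE, Get-ADObject).
Import-Module ActiveDirectory

function Get-CaTemplatePublishers {
    param(
        # Template common name as it appears in the ldifde export, e.g. WebServerExportable
        [Parameter(Mandatory)][string]$TemplateName
    )
    $config = (Get-ADRootDSE).configurationNamingContext
    $pks    = "CN=Public Key Services,CN=Services,$config"

    # Names of every template object that actually exists in the forest
    $existing = Get-ADObject -SearchBase "CN=Certificate Templates,$pks" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' |
        Select-Object -ExpandProperty Name

    # Every enterprise CA registered under Enrollment Services, with its published templates
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties certificateTemplates, dNSHostName

    foreach ($ca in $cas) {
        foreach ($t in @($ca.certificateTemplates)) {
            [pscustomobject]@{
                CA       = $ca.Name
                Host     = $ca.dNSHostName
                Template = $t
                Matches  = ($t -eq $TemplateName)
                # A published name with no template object behind it is a stale reference
                Orphaned = ($existing -notcontains $t)
            }
        }
    }
}

# List each CA publishing the template from the post, plus any stale references on any CA
Get-CaTemplatePublishers -TemplateName 'WebServerExportable' |
    Where-Object { $_.Matches -or $_.Orphaned } |
    Format-Table -AutoSize
```

Seeing the same template name under more than one CA, or a name marked Orphaned, points at the CA whose published list needs cleaning up before re-checking web enrollment.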

Hope this post helps anyone who may come across a situation similar to this.

1 comment:

BrianW said...

Terence, I have to give you props because this post put me on the right track to figuring out my web enrollment issue on my Windows 2016 CA. You rock! Specifically the 5 items to check were what I needed. My tips for anyone working through the No Templates... issue are:
1. In order for a certificate template to be available via web enrollment you MUST set the CA Compatibility Level on the Compatibility tab to Windows Server 2008R2 or earlier. Also, you CANNOT change an existing certificate template back to Windows Server 2008R2 if you picked a later O/S version.
2. You must use IE because Microsoft in their wisdom created the page with active scripting. You will know it doesn't work with another browser because you will see Loading... for the CSP and Hash Algorithm drop downs.
3. Before you try all the crazy suggestions on the internet or open a call with Microsoft, make your troubleshooting easier. Create a new template from the Web Server template. Set the CA Compatibility level to 2008R2. Set the Security to Authenticated users - Read,Enroll and Domain Computers - Read,Enroll. Publish the new template. Wait 2 mins for CertSrv to read the new template. Go to your CertSrv website and your new template should be listed.