Score:0

Auto-Enrollment with manager approval, but auto-approval for re-enrollment

in flag

I have a certificate template (auto-enrolled) that must require manager approval.

To achieve this, I checked the CA certificate manager approval checkbox in the Issuance Requirements tab.


The computer does auto-enroll and the certificate is placed on the Pending queue on the CA.

My wish is that once the pending certificate has been manually approved, certificates should be renewed, or updated if the template major version increments, without manager approval. But I can't get this to work.

When I increment the major version of the certificate, the request is never automatically issued, but again put into the Pending queue for manual issuance.

I tried changing the *Same criteria as for enrollment* setting to *Valid existing certificate*, but this didn't change anything.

To speed up my troubleshooting, I used `certutil -pulse` to start the auto-enrollment process on the requesting computer.

Edit:

The auto-enrollment policy on the affected server:


br flag
What's on the __Subject__ tab?
in flag
@garethTheRed I added the subject tab.
br flag
And the PKI group policy?
cn flag
Sounds like a bug in ADCS, or incorrect MSFT documentation. At this point, you cannot accomplish what you are trying to do. I'm reaching Microsoft on this regard to get explanations.
in flag
@garethTheRed I added the auto-enrollment policy. I assume that is what you meant by PKI group policy?
br flag
To be honest, they look identical to the setting I've used in the past. However, I've not tried to increment the major version of the template and tested. Going by what you've seen and what @Crypt32 said, it's unlikely I'd succeed!
br flag
One thought - you've not set the validity period to anything ridiculously short for the purpose of expediting testing have you? Auto (re)enrollment fails when you issue certs for less than 8 hours or so - I usually set it to 24h even for testing.
in flag
I set it to one hour. I will set it to 24h and wait a day.
in flag
Today I checked the CA and the certificate renewals are still in the pending state.
cn flag
@Daniel as I said, either it is a doc bug or an ADCS CA bug. It is not your fault (not a misconfiguration). Docs say that `existing valid certificate` overrides the CA manager approval checkbox. I was able to repro, the behavior contradicts the docs, and I've opened a support case with MSFT.
in flag
Just updating the post. Appreciate your effort. Please let me know of the outcome. Thanks!
Score:2
cn flag

I've opened a support case with Microsoft on behalf of OP (TrackingID#2201120040008993) about the issue. As I pointed out in the comments, the OP's setup is correct and I was able to repro in my environment. The support ticket is opened against the [MS-WCCE] protocol, §3.2.1.4.2.1.4.2.2 specification.

Microsoft Support was able to confirm the issue. Further investigation discovered that Microsoft CA properly implements the [MS-WCCE] §3.2.2.6.2.1.4.5.7 requirement to ignore the CT_FLAG_PEND_ALL_REQUESTS flag when CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT is set. However, further investigation found that Microsoft CA, in one of its internal request processing routines, fails with Bad Renewal Name while attempting to bind the requester UPN name to the one stored in Active Directory. Since it is a computer template, the UPN is not available (hence the error), the renewal procedures are aborted, and the initial request procedures are executed: the request is placed in pending requests. This UPN binding condition is not documented anywhere.

I've set up the same scenario for a user template (which writes the UPN into the certificate) and it worked well: the initial request was placed in pending requests, and renewal automatically renewed and issued the certificate.

In the current state, the "valid existing certificate" option works for user templates only and doesn't work for computer templates. There is no available workaround.

I'm continuing conversations with Microsoft Support and will update this response when new information is available.

HTH

us flag
I just want to state that if the subject name is supplied in the request, Valid existing certificate works for computer templates.
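The question and the accepted answer both turn on two bits of the template's `msPKI-Enrollment-Flag` attribute: CT_FLAG_PEND_ALL_REQUESTS (the "CA certificate manager approval" checkbox) and CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT (the "Valid existing certificate" option). The following PowerShell is an added example, not code from the thread or from Microsoft: it reads a template from the Configuration partition, decodes those bits, and reports whether the template is relying on the combination that this thread shows does not auto-approve renewals for computer templates. It assumes a domain-joined host with read access to the Configuration naming context; the template name is a parameter and the bit values are the ones published in [MS-CRTD].

```powershell
# Added example (not from the thread). Bit values below are from [MS-CRTD]
# msPKI-Enrollment-Flag; only the bits relevant to approval/renewal are listed.
$EnrollmentFlags = @{
    CT_FLAG_PEND_ALL_REQUESTS                       = 0x2
    CT_FLAG_PUBLISH_TO_DS                           = 0x8
    CT_FLAG_AUTO_ENROLLMENT                         = 0x20
    CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT = 0x40
    CT_FLAG_USER_INTERACTION_REQUIRED               = 0x100
}

# Turn the raw integer into the list of named bits that are set.
function ConvertFrom-EnrollmentFlag {
    param([Parameter(Mandatory)][int]$Value)
    $EnrollmentFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key } | Sort-Object
}

# Look the template up in AD and summarise its approval behaviour.
function Get-TemplateApprovalSummary {
    param([Parameter(Mandatory)][string]$TemplateName)
    $rootDse = [ADSI]"LDAP://RootDSE"
    $base = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services," +
            "$($rootDse.configurationNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$base)
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
    $null = $searcher.PropertiesToLoad.AddRange(@('cn', 'msPKI-Enrollment-Flag'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "Template '$TemplateName' not found" }

    # DirectorySearcher returns property names in lower case.
    $flagValue = [int]$result.Properties['mspki-enrollment-flag'][0]
    $set       = @(ConvertFrom-EnrollmentFlag -Value $flagValue)
    $pend      = $set -contains 'CT_FLAG_PEND_ALL_REQUESTS'
    $reenroll  = $set -contains 'CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT'

    # Per this thread: the override only takes effect for user templates (UPN present).
    $note = ''
    if ($pend -and $reenroll) {
        $note = 'Renewal auto-approval works for user templates only; computer renewals stay pending'
    }
    [pscustomobject]@{
        Template                  = $result.Properties['cn'][0]
        EnrollmentFlag            = ('0x{0:X}' -f $flagValue)
        Flags                     = ($set -join ', ')
        ManagerApproval           = $pend
        ValidExistingCertOverride = $reenroll
        Note                      = $note
    }
}

Get-TemplateApprovalSummary -TemplateName 'MyComputerTemplate' | Format-List
```

`MyComputerTemplate` is a placeholder; pass the `cn` of the template you are checking.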
Score:0
fr flag

@crypt32, based on the MS-WCCE documentation you provided, it seems like re-enrollment without requiring approval will only work for user-based certificates, not computer-based ones. Is this a correct interpretation of what you shared?

za flag
This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/539632)