Guest Orbital
Posted March 4, 2009

Hi All,

2008 PKI, with a 2003 level domain. 2003 and 2008 DCs in a root and child domain structure.

Can anyone suggest some things to look at as to why my 2003 and XP clients are not autoenrolling? I know it's a very generic question, but I'm happy with a generic "look at X, Y and Z" answer! 2008 are working beautifully. I've enabled the GPO in root and child domains for autoenrollment. Is the 'CERTSVC_DCOM_ACCESS' group membership relevant here?

Many thanks in advance,
Orb.

Guest Peter Foldes
Posted March 4, 2009

Orbital

This issue belongs to the server.security newsgroup. Please repost it there.

On the web: http://www.microsoft.com/communities/newsg...server.security

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email cannot and will not be acknowledged.

"Orbital" <Orbital@discussions.microsoft.com> wrote in message news:DA2E60FA-4E4B-46FE-8862-8B14A29D6D57@microsoft.com...
> Hi All,
>
> 2008 PKI, with a 2003 level domain. 2003 and 2008 DCs in a root and child
> domain structure.
>
> Can anyone suggest some things to look at as to why my 2003 and XP clients
> are not autoenrolling? I know it's a very generic question, but I'm happy
> with a generic "look at X, Y and Z" answer! 2008 are working beautifully. I've
> enabled the GPO in root and child domains for autoenrollment. Is the
> 'CERTSVC_DCOM_ACCESS' group membership relevant here?
>
> Many thanks in advance,
> Orb.

Guest PA Bear [MS MVP]
Posted March 5, 2009

[[Forwarded to microsoft.public.windows.server.security newsgroup via crosspost]]

Orbital wrote:
> 2008 PKI, with a 2003 level domain. 2003 and 2008 DCs in a root and child
> domain structure.
>
> Can anyone suggest some things to look at as to why my 2003 and XP clients
> are not autoenrolling? I know it's a very generic question, but I'm happy
> with a generic "look at X, Y and Z" answer! 2008 are working beautifully.
> I've enabled the GPO in root and child domains for autoenrollment. Is the
> 'CERTSVC_DCOM_ACCESS' group membership relevant here?

Guest Paul Adare
Posted March 5, 2009

On Wed, 4 Mar 2009 18:53:25 -0500, Peter Foldes wrote:
> This issue belongs to the server.security newsgroup. Please repost it there

This is a general security news group and you really need to stop redirecting people who post here. What exactly do you think this group is for?

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca

Guest Peter Foldes
Posted March 5, 2009

Paul..

The post belongs to the server.security newsgroup and not here in public.security. Usually server security related issues belong to the server newsgroup which were set up for that purpose. If I am wrong then please by all means correct me.

Thank you Paul and have a nice rest of the day.

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email cannot and will not be acknowledged.

"Paul Adare" <pkadare@gmail.com> wrote in message news:zrcdhnwbug0d.15jj174t8l36k.dlg@40tude.net...
> On Wed, 4 Mar 2009 18:53:25 -0500, Peter Foldes wrote:
>
>> This issue belongs to the server.security newsgroup. Please repost it there
>
> This is a general security news group and you really need to stop
> redirecting people who post here. What exactly do you think this group is
> for?
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca

Guest Orbital
Posted March 12, 2009

Thanks Brian.

So, I removed my 2008 Ent Issuing server, using MS article 889250 and a PKI blog entry as reference. I then, keeping my Windows 2008 SHA256 Root and Policy servers in place, performed another installation and AD publish of my 2008 Ent Issuing server using SHA1 as the algorithm.

But still no bueno. Again, my 2008 boxes pick up the certs but not my 2003.

Am I right to assume this needs SHA1 from the top down, i.e. my original Root and Policy certs should be SHA1? I'm thinking I need to remove everything here and reinstate with SHA1 from the beginning.

Thanks in advance,
Orb.