
I have a two-tier PKI infrastructure with an offline root CA and two Enterprise Intermediate Certification Authorities set up to auto-enroll certificates. I have set up auto-enrollment in the default domain GPO within Active Directory for machine certificates. The DirectAccess servers have a machine certificate from the first PKI server.

My issue is that if a client machine auto-enrolls a certificate from the second PKI server, DirectAccess doesn't work, even though both PKI servers should be chaining to the same root. DirectAccess only works when the machine certs are issued from PKI01, the same server the DirectAccess servers' certificate is issued from.

If I have a machine certificate from each PKI on the DirectAccess servers it fails, so I can only have one machine certificate.

Any ideas? Thanks, Steve

Steve
  • Answer. During setup of DirectAccess, you select one single certification authority. The GPO does not permit you to select which server to use for certificate auto-enrollment. You have to manage certificate distribution through the Auto-Enroll permission on the certificate template that you create on the PKI server that you selected for DA. Once done, you modify the GPO: edit the Certificate Services Client - Auto-Enrollment properties under Public Key Policies, set it to Enabled, tick "Renew expired certificates, update pending certificates and remove revoked certificates" etc., and "Update certificates that use certificate templates". – Steve Jan 29 '13 at 21:45
  • After you have modified these settings, run gpupdate /force on the DA client PC and check the local certificate store; there should be a new certificate based on the template you created from the PKI server you need for DirectAccess to work seamlessly. – Steve Jan 29 '13 at 21:53
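The "check the local certificate store" step in the comments above can be made exact. The following PowerShell is an added example, not code from the question or the comments: run on the DA client after gpupdate /force, it lists machine certificates issued by the CA chosen for DirectAccess and reports whether each came from the intended template, carries the Client Authentication EKU, and actually chains to the offline root. The CA name, template name and root thumbprint are placeholders to replace with your own values.

```powershell
# Added example (not from the question or its comments). Replace the three placeholders.
param(
    [string]$IssuerCN       = 'CN=PKI01-CA',                  # placeholder: the CA selected for DA
    [string]$TemplateName   = 'DirectAccessClient',           # placeholder: your auto-enrolled template
    [string]$RootThumbprint = 'REPLACE-WITH-ROOT-THUMBPRINT'  # placeholder: offline root CA thumbprint
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'                                 # Client Authentication EKU
$templateOids  = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')   # template name (v1) / template info (v2)

# Only machine certs from the expected issuer with a usable private key are candidates.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*$IssuerCN*" -and $_.HasPrivateKey
}

foreach ($cert in $candidates) {
    # The template extension's formatted text contains the template name.
    $tmplText = ($cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
                 ForEach-Object { $_.Format($false) }) -join ' '
    $hasTemplate = $tmplText -match [regex]::Escape($TemplateName)

    # DA client authentication requires the Client Authentication EKU.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })

    # Build the chain and confirm the top element is the expected offline root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is a separate check
    $chainOk = $chain.Build($cert)
    $rootOk  = $chainOk -and
               ($chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint -eq $RootThumbprint)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        FromTemplate  = $hasTemplate
        ClientAuthEKU = [bool]$hasClientAuth
        ChainsToRoot  = $rootOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}
```

A row with FromTemplate, ClientAuthEKU and ChainsToRoot all True is the certificate DA will use; a cert from the other intermediate shows up with FromTemplate False, which is exactly the situation the question describes.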
