
I have a certificate template published on my domain-joined Server 2016 Enterprise CA - I'm trying to set up certificate autoenrollment for our internal web servers.

When the template has read/enroll/autoenroll permissions granted directly to a Computer Account, the computer in question can autoenroll.

When read/enroll/autoenroll permissions are assigned to the built-in group "Domain Computers", (any) domain-joined computers can also autoenroll.

When security permissions are assigned to a global security group containing computer accounts as members, these computers cannot autoenroll. When using "Request New Certificate" from the computer's certificate manager, I can select the template in question, but it fails with the error "The permissions on the certificate template do not allow the current user to enroll for this type of certificate". I can see failures on the CA when doing a GPUpdate on a computer which should have permission to enroll.

I suspect I'm missing something stupid - any suggestions on things to check?

JMP

1 Answer


You need to reboot the servers after changing their Security group membership.

joeqwerty
  • As an addendum: a reboot is not strictly necessary, it's possible without a reboot if you purge the Kerberos ticket cache for the system account on the computer: https://serverfault.com/questions/159231/is-there-a-way-to-refresh-computer-group-membership-without-rebooting – JMP Oct 18 '17 at 01:00
  • True, but a reboot is usually the quickest, most efficient way. I wanted to keep my answer as simple and as straightforward as possible. Thanks for the assist nonetheless. – joeqwerty Oct 18 '17 at 01:04
  • it's definitely easier, yes :) – JMP Oct 18 '17 at 03:27
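The following PowerShell is an added example, not part of the original question, answer or comments. It walks through the check-and-fix sequence the thread describes: compare what AD says about the computer account's group membership with what the machine's own SYSTEM logon session (LUID 0x3e7, whose Kerberos tickets were issued at boot) is presenting, purge those stale tickets instead of rebooting, re-trigger machine autoenrollment, and look for the issued certificate. The group name "WebServers-AutoEnroll" and template name "InternalWebServer" are placeholders; the extension match in the last step is best-effort. Run it in an elevated PowerShell session on the web server.

```powershell
# Added example (not from the original post). Run elevated on the domain-joined
# web server whose computer account was just added to the group.
# Placeholder names: adjust to your environment.
$GroupName    = 'WebServers-AutoEnroll'
$TemplateName = 'InternalWebServer'

# 1. What AD says: is this computer account a member of the group?
#    [ADSISearcher] is built into .NET, so no RSAT module is required.
#    Computer sAMAccountNames end in '$' (escaped with a backtick here).
$searcher = [ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$computer = $searcher.FindOne()
$adGroups = @($computer.Properties['memberof'])
$inGroupInAD = [bool]($adGroups -match "^CN=$([regex]::Escape($GroupName)),")
"AD says $env:COMPUTERNAME is in ${GroupName}: $inGroupInAD"

# 2. What the machine is actually presenting to the CA. The SYSTEM logon
#    session (LUID 0x3e7) obtained its TGT at boot; the PAC in that ticket
#    lists the groups the account was in AT THAT TIME. A group added since
#    is missing, so the CA denies the request even though AD shows the member.
klist -li 0x3e7 tgt

# 3. Purge the SYSTEM session's tickets instead of rebooting. The next
#    machine-context request to the CA triggers a fresh TGT whose PAC carries
#    the new group SID.
klist -li 0x3e7 purge

# 4. Re-trigger machine certificate autoenrollment (the same task that
#    gpupdate / logon drives), then give the CA a moment to issue.
Start-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' -TaskName 'SystemTask'
Start-Sleep -Seconds 15

# 5. Look in the machine store for a certificate issued from the template.
#    Both the v1 (1.3.6.1.4.1.311.20.2) and v2 (1.3.6.1.4.1.311.21.7)
#    template extensions are checked; the name match is best-effort.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object {
        $_.Oid.Value -in $templateOids -and $_.Format($false) -like "*$TemplateName*"
    }
} | Select-Object Subject, NotBefore, NotAfter, Thumbprint

# On the CA itself, confirm the template ACL really grants Enroll and
# Autoenroll to the group (uncomment and run there):
# certutil -v -dstemplate $TemplateName
```

If step 5 still shows nothing after the purge, re-check step 1 first: a computer that was added to the group with the wrong object type (user instead of computer) or to a group in a different scope will show `False` there, and no amount of ticket purging or rebooting will help.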