Article ID: 961298 - Last Review: December 17, 2008 - Revision: 1.1

Autoenrollment does not work in a cross-forest environment

Source: Microsoft Support

RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Symptom



With Windows XP and Windows Vista clients, cross-forest certificate autoenrollment does not work against an Enterprise CA running on Windows Server 2003 SP2.

Consider the following scenario:

•              The user accounts are in "Domain A", in the forest where the Enterprise CA is installed.

•              The computer accounts are in "Domain B", in a different forest.

•              A forest trust exists between the "Domain A" forest and the "Domain B" forest.

In this scenario autoenrollment does not work. This behavior is by design; the scenario is not supported.

 

 

Cause



1.           On Windows Vista and earlier, the enrollment client always queries the LDAP servers (domain controllers) of the computer's own domain. If the user account is in a different domain (here, a different forest), the enrollment code does not look up or display the templates of the user's domain. The machine's domain is used for every kind of enrollment: enrollment for the current user, machine enrollment, and "administrator enrolls on behalf of the machine".

2.           Templates carry friendly (display) names, so the UI shows names rather than OIDs. An OID can carry friendly names in more than one language, but a template can carry a name in only one language. If the user's default language is not the same as the domain's, the UI can display the name only in the domain's language. In the custom request UI, the list of EKU OIDs is read from the machine's domain, not from the user's.

3.           Autoenrollment works when the "Enroll" permission on the template is granted to "Domain Users", which is a global group. A global group can contain only accounts from its own domain, so users from the other forest are never members of it and therefore never hold the Enroll permission.
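The first cause above comes down to where templates are stored and which forest the client asks. The following PowerShell script is an added example, not code from the KB article: it reads the certificate template container from the Configuration partition of each forest and reports the Version 2 templates that exist only in the user's forest, which a client whose computer account is in the other forest can never be offered. The forest DNS names (forestb.example, foresta.example) and LDAP reachability of both forests over the trust are assumptions.

```powershell
# Added example (not part of the KB article): list the certificate templates in the
# Configuration partition of two forests and report the Version 2 templates that exist
# only in the user's forest. The enrollment client on the affected client versions reads
# only the machine forest's container, so those templates are never offered to a user
# from the other forest. Forest DNS names and LDAP reachability are assumptions.

param(
    [string]$MachineForest = 'forestb.example',  # assumed: forest holding the computer account
    [string]$UserForest    = 'foresta.example'   # assumed: forest holding the user account and the CA
)

function Get-ForestCertificateTemplates {
    param([string]$ForestDns)
    # RootDSE gives the forest's Configuration naming context. Templates live under
    # CN=Public Key Services there, not in any domain partition, and are never replicated
    # to another forest.
    $rootDse   = [ADSI]"LDAP://$ForestDns/RootDSE"
    $configNC  = $rootDse.Properties['configurationNamingContext'].Value
    $container = [ADSI]"LDAP://$ForestDns/CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($entry in $container.Children) {
        if ($entry.SchemaClassName -ne 'pKICertificateTemplate') { continue }
        # msPKI-Template-Schema-Version: 1 = built-in Version 1 template,
        # 2 = Version 2 template (the kind step 5 of the resolution requires)
        New-Object PSObject -Property @{
            Forest        = $ForestDns
            Name          = [string]$entry.Properties['cn'].Value
            SchemaVersion = [int]$entry.Properties['msPKI-Template-Schema-Version'].Value
        }
    }
}

$machineTemplates = @(Get-ForestCertificateTemplates -ForestDns $MachineForest)
$userTemplates    = @(Get-ForestCertificateTemplates -ForestDns $UserForest)
$machineNames     = @($machineTemplates | ForEach-Object { $_.Name })

# Version 2 templates defined only in the user forest: invisible to a client whose
# computer account is in the machine forest, whatever the user's permissions on them.
$missingInMachineForest = $userTemplates |
    Where-Object { $_.SchemaVersion -ge 2 -and $machineNames -notcontains $_.Name }

"Templates in $MachineForest : $($machineNames.Count)"
"Templates in $UserForest : $($userTemplates.Count)"
"Version 2 templates defined only in $UserForest (not available to $MachineForest clients):"
$missingInMachineForest | Sort-Object Name | Format-Table Name, SchemaVersion -AutoSize
```

Run it from a machine in the computer-account forest as a user who can read both Configuration partitions; every template it lists is one that step 5 of the resolution below would require you to create in the machine forest.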

 

 

 

 

Resolution



 

To support cross-forest autoenrollment, follow these steps:

1.           Create a forest trust between all the forests in which cross-forest autoenrollment must work.

2.           Install an Enterprise Certification Authority in each of the forests.

Note  It is not necessary to have a separate PKI hierarchy in each forest. You can create one Root CA and issue a subordinate CA from that same Root CA into each individual forest.

 

3.           Add the Root Certification Authority's certificate to the Trusted Root Certification Authorities store of each forest.

a.       Open an existing GPO and navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities.

b.      Add the Root CA's certificate there.

Alternatively, publish the certificate to the forest's Active Directory by running the following command:

CertUtil -dsPublish <Root CA Certificate File Name> RootCA

 

 

4.           On each Certification Authority run the following commands:

•              CertUtil -SetReg policy\EditFlags +EDITF_ENABLELDAPREFERRALS

•              Net Stop CertSvc

•              Net Start CertSvc

Note This flag lets the CA follow LDAP referrals when it looks up a requester whose account is in another forest; it is also what enables users from one forest to request certificates through the Certificate Services web site (Web Enrollment). Users from the other forest must additionally be members of the CERTSVC_DCOM_ACCESS group on the CA, otherwise their DCOM requests to the CA are refused.

 

 

 

5.           Create all the Version 2 certificate templates that are required for autoenrollment. Templates are stored in the Configuration partition of a forest and are not replicated between forests, so every required template must exist in each forest.

6.           If you are enabling this for RADIUS authentication, add all the issuing Certification Authorities to the NTAuth store of the forest that the RADIUS server is joined to, by running the following commands:

CertUtil -dsPublish -f <Sub CA Certificate File Name> SubCA

CertUtil -dsPublish -f <Issuing CA Certificate File Name> NTAuthCA

Note Certificates issued by a CA in the NTAuth store are accepted for authenticating to the domain, so publish only CAs that are under your control.
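The following PowerShell script is an added example, not code from the KB article: it runs steps 3 (the certutil variant), 4 and 6 of the procedure above on one forest's Enterprise CA and checks each step instead of assuming it worked. Run it on the CA as an Enterprise Admin of that forest. The certificate file paths (C:\PKI\RootCA.crt, C:\PKI\IssuingCA-ForestB.crt) and the -RadiusForest switch name are assumptions; certutil, net and nltest are the tools the article itself relies on. Steps 1, 2 and 5 (creating the trust, installing the CA, creating the templates) remain manual.

```powershell
# Added example (not code from the KB article): runs steps 3 (certutil variant), 4 and
# 6 of the resolution on one forest's Enterprise CA, verifying each step. Run on the CA
# as an Enterprise Admin of that forest. Certificate file paths are assumptions; certutil,
# net and nltest are the real tools the article uses.

param(
    [string]$RootCaCert    = 'C:\PKI\RootCA.crt',            # assumed path: root CA certificate (step 3)
    [string]$IssuingCaCert = 'C:\PKI\IssuingCA-ForestB.crt', # assumed path: this forest's issuing CA certificate (step 6)
    [switch]$RadiusForest                                    # set only in the forest the RADIUS server is joined to
)

function Invoke-Native {
    param([string]$Command, [string[]]$Arguments)
    # Run a native tool and fail loudly on a non-zero exit code so a failed step is not
    # silently skipped and the later steps do not run against a half-configured CA.
    $output = & $Command @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "$Command $($Arguments -join ' ') failed with exit code $($LASTEXITCODE):`n$($output -join "`n")"
    }
    $output
}

# Step 1 is a prerequisite this script only shows, not creates: the other forest must
# already appear in the trust list as a forest trust.
'Current trusts (the other forest must be listed with a forest trust):'
Invoke-Native 'nltest' @('/domain_trusts')

# Step 3: publish the root CA certificate into this forest's Configuration partition so
# every domain member adds it to its Trusted Root Certification Authorities store.
# -f overwrites an object that already exists.
Invoke-Native 'certutil' @('-dsPublish', '-f', $RootCaCert, 'RootCA')

# Step 4: allow the CA to follow LDAP referrals so it can resolve requesters whose
# accounts live in the trusted forest, then restart the service to apply the change.
Invoke-Native 'certutil' @('-setreg', 'policy\EditFlags', '+EDITF_ENABLELDAPREFERRALS')
Invoke-Native 'net' @('stop', 'certsvc')
Invoke-Native 'net' @('start', 'certsvc')

# Verify: certutil -getreg prints the symbolic name of every EditFlags bit that is set.
$editFlags = Invoke-Native 'certutil' @('-getreg', 'policy\EditFlags')
if (-not ($editFlags | Where-Object { $_ -match 'EDITF_ENABLELDAPREFERRALS' })) {
    throw 'EDITF_ENABLELDAPREFERRALS is still not set on this CA'
}

# Step 6: only in the forest that hosts the RADIUS server. NTAuth membership makes every
# certificate from this CA acceptable for authenticating to the domain, so publish only
# CAs you control.
if ($RadiusForest) {
    Invoke-Native 'certutil' @('-dsPublish', '-f', $IssuingCaCert, 'SubCA')
    Invoke-Native 'certutil' @('-dsPublish', '-f', $IssuingCaCert, 'NTAuthCA')
    # Verify by reading the NTAuth store back from Active Directory.
    Invoke-Native 'certutil' @('-enterprise', '-store', 'NTAuth')
}
```

After the CA side is done, a client in the other forest can be forced to retry autoenrollment with "certutil -pulse" once Group Policy has refreshed; the Autoenrollment entries in its Application event log show whether templates were found and whether the request reached the CA.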

 

 

DISCLAIMER

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.

APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Datacenter
Keywords: 
kbnomt kbrapidpub KB961298