Problem with WLAN IAS certificate enrollment

[Randy Smith]

-Group policy set to allow autoenrollment
-IAS/DC's members of new security group
-Certifcate template set to allow enroll and autoenroll for newly created
security group
-Both IAS/DC's have been rebooted since adding to new group
-Domain controller certs have been issued to both IAS servers
-Selected automatically enroll certs in Certificates MMC.

I have done this a few times now over the past four days...certs are not
being issues to the IAS servers for WLAN auth. There are no errors in the
application log on the IAS servers or the CA server.

Any ideas on how to get this cert issued to both IAS servers?

 

[Brian Komar \(MVP\)]

Have you added the Domain COntrollers group to the Certsvc_DCOM_ACCEss
(something like that) group in the domain.
See the SP1 readme notes for more details
Brian

"Randy Smith" <smittyrt@gmail.com> wrote in message
news:eAYeyy2tIHA.3604@TK2MSFTNGP03.phx.gbl...
> -Group policy set to allow autoenrollment
> -IAS/DC's members of new security group
> -Certifcate template set to allow enroll and autoenroll for newly created
> security group
> -Both IAS/DC's have been rebooted since adding to new group
> -Domain controller certs have been issued to both IAS servers
> -Selected automatically enroll certs in Certificates MMC.
>
> I have done this a few times now over the past four days...certs are not
> being issues to the IAS servers for WLAN auth. There are no errors in the
> application log on the IAS servers or the CA server.
>
> Any ideas on how to get this cert issued to both IAS servers?
>
>

 

[Randy Smith]

Thanks Brian for the response.

I found this group on my CA server as a local security group. The everyone
group was already a member but I added the domaon controllers group anyway.
I have rebooted one of my DC's to update the group membership and requested
a cert once again. It almost seems like the request is not getting to the CA
server. There is no errors or any information at all about the request in
either the DC's (ISA's) server logs or the CA server logs about the request.
But...I can request a cert from a desktop and the cert is created nearly
immediately.

The difference...the only one I can see...is the certificate template. I
created this template on the CA server and have given the appropriate
security permissions to the appropriate groups. I've also checked the
settings of the template three times...they all are correct. I've even
deleted the template and recreated it. No help.

Any more ideas are greatly appreciated.

"Brian Komar (MVP)" <brian.komar.nospam@nospam.identit.ca> wrote in message
news:%23H3ZKd5tIHA.5832@TK2MSFTNGP02.phx.gbl...
> Have you added the Domain COntrollers group to the Certsvc_DCOM_ACCEss
> (something like that) group in the domain.
> See the SP1 readme notes for more details
> Brian
>
> "Randy Smith" <smittyrt@gmail.com> wrote in message
> news:eAYeyy2tIHA.3604@TK2MSFTNGP03.phx.gbl...
>> -Group policy set to allow autoenrollment
>> -IAS/DC's members of new security group
>> -Certifcate template set to allow enroll and autoenroll for newly created
>> security group
>> -Both IAS/DC's have been rebooted since adding to new group
>> -Domain controller certs have been issued to both IAS servers
>> -Selected automatically enroll certs in Certificates MMC.
>>
>> I have done this a few times now over the past four days...certs are not
>> being issues to the IAS servers for WLAN auth. There are no errors in
>> the application log on the IAS servers or the CA server.
>>
>> Any ideas on how to get this cert issued to both IAS servers?
>>
>>
>