DC won’t obtain SSL certificate automatically

A customer installed an Enterprise CA server in their AD forest, and some Domain Controllers would not pick up an SSL certificate.

The customer used LDP.exe to check each of their DCs for SSL (LDAPS on port 636) and found one DC that had not picked up an SSL certificate.

The first thing to check is whether the DC has been rebooted, since the DC obtains its SSL certificate upon a reboot.

The next thing to check is that the DC is configured to obtain its SSL certificate automatically.

Run GPEDIT.MSC and expand Computer Configuration > Windows Settings > Security Settings. Click Public Key Policies, open Autoenrollment Settings, and make sure it is set to "Enroll certificates automatically" and that the "renew" and "update" options are also checked.

Click Save and reboot the DC.

Now use LDP.exe to verify SSL communication.
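The following PowerShell script is an added example, not part of the original article, that checks the three things above from the DC itself: whether the autoenrollment policy has applied, whether a machine certificate with the Server Authentication EKU (which LDAPS requires) is present, and whether a TLS handshake on port 636 succeeds, which is the same test LDP.exe performs. The AEPolicy bit meanings in the comments and the default of checking the local computer are assumptions.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the DC that failed to pick up a certificate.
param([string]$DcName = $env:COMPUTERNAME)   # assumed: check the local DC by default

# 1. Autoenrollment policy. The GPO setting from the article is stored in this
#    registry value. Assumed bit meanings: 0x1 = enabled, 0x2 = renew expired /
#    update pending / remove revoked, 0x4 = update certs that use templates,
#    0x8000 = disabled. A value of 7 means all options in the GPO are checked.
$aePath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) {
    Write-Warning 'AEPolicy is not set: the autoenrollment GPO has not applied to this DC'
} elseif ($aePolicy -band 0x8000) {
    Write-Warning ("AEPolicy=0x{0:X}: autoenrollment is disabled" -f $aePolicy)
} else {
    "AEPolicy=0x{0:X} (7 = enabled with the renew/update options)" -f $aePolicy
}

# 2. Is there a machine certificate with a private key and the Server
#    Authentication EKU in the local computer's personal store?
$ldapsCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' }
if (-not $ldapsCerts) {
    Write-Warning 'No Server Authentication certificate with a private key in LocalMachine\My'
} else {
    $ldapsCerts | Select-Object Subject, NotAfter, Thumbprint
}

# 3. TLS handshake on port 636, as LDP.exe does. The validation callback
#    returns $true because the goal is to see which certificate the DC
#    presents, not to decide whether this client trusts it.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($DcName, 636)
    $ssl = New-Object System.Net.Security.SslStream(
        $tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $ssl.AuthenticateAsClient($DcName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "LDAPS on $DcName presents: $($cert.Subject), expires $($cert.NotAfter)"
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    Write-Warning "LDAPS handshake with $DcName failed: $($_.Exception.Message)"
}
```

If step 1 reports that AEPolicy is not set, run gpupdate /force and re-check before rebooting; if steps 1 and 2 pass but step 3 fails, the certificate was issued but LDAPS did not pick it up, which the reboot in the article addresses.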

If the DC still does not obtain the SSL certificate, here are some other items to check:

1. Check that the CERTSVC_DCOM_ACCESS group exists and has the proper groups assigned.

   On the domain controller that hosts the certification authority, verify that the CERTSVC_DCOM_ACCESS group exists. To do this, follow these steps on that domain controller:

   Click Start, click Run, type Dsa.msc, and then click OK.
   In the console tree, click Users.
   In the details pane, verify that the CERTSVC_DCOM_ACCESS group exists.
   Add the following groups to the CERTSVC_DCOM_ACCESS group:
     The Domain Users group
     The Domain Computers group
     The Domain Controllers group

   To update the DCOM security settings for the certificate service, run the following commands at a command prompt:
     certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
     net stop certsvc
     net start certsvc

   Note: Press ENTER after each command.
   Note: Information from https://support.microsoft.com/en-us/help/947237/the-autoenrollment-functionality-fails-when-a-windows-vista-based-computer-uses-version-2-v2-certificates
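The following PowerShell script is an added example, not part of the original article, that checks the CERTSVC_DCOM_ACCESS membership described above and shows the current CA SetupStatus flags so you can confirm whether the DCOM security update has already been applied. It assumes the CA runs on a domain controller (as in the customer's case) and that the ActiveDirectory module is installed there.

```powershell
# Added example (not from the original article). Run on the CA server, which
# in the article's scenario is a domain controller with the AD module installed.
Import-Module ActiveDirectory

# Groups the article says must be members of CERTSVC_DCOM_ACCESS
$required = 'Domain Users', 'Domain Computers', 'Domain Controllers'

$group = Get-ADGroup -Filter "Name -eq 'CERTSVC_DCOM_ACCESS'" -ErrorAction SilentlyContinue
if (-not $group) {
    Write-Warning 'CERTSVC_DCOM_ACCESS does not exist in this domain; the CA setup is incomplete'
} else {
    $members = (Get-ADGroupMember -Identity $group).Name
    foreach ($name in $required) {
        if ($members -contains $name) { "OK      $name" } else { "MISSING $name" }
    }
}

# Show the CA's SetupStatus flags. After the certutil -setreg command from the
# article has been run, SETUP_DCOM_SECURITY_UPDATED_FLAG should appear here.
certutil -getreg SetupStatus
```

When the CA is installed on a member server rather than a DC, CERTSVC_DCOM_ACCESS is a local group on that server, so use Get-LocalGroupMember -Group CERTSVC_DCOM_ACCESS instead of Get-ADGroupMember for the membership check.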