Basics of manual and automatic Certificate Enrollment via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM)

Author Uwe GradeneggerPosted on Categories Active Directory, Basics, Certificate usageTags ,

The following describes the process that runs in the background when certificates are requested manually or automatically in order to achieve the highest possible level of automation.

Regardless of whether a manual application is made via the certificate management consoles (certmgr.msc for user and certlm.msc for computer certificates), the process is identical.

Step 1: Query the directory service via LDAP

In the first step, the client establishes an LDAP connection to a domain controller and queries the following information:

  • All pKICertificateTemplate Objects (certificate templates) in the Active Directory forest.
  • All pKIEnrollmentService objects (enterprise certificate authorities) in the Active Directory forest.
  • All msPKI-Enterprise-Oid Objects (Object Identifier) in the Active Directory forest.

This information is all stored in the Configuration partition of the Active Directory forest.

The pKICertificateTemplate and msPKI-Enterprise-OID objects can be used to determine whether the requester is authorized to request ("enroll") and whether an automatic request is to be made ("auto-enroll"). The default settings for making the certificate request are also determined here.

The connection between already existing certificates and the certificate templates is established via the "Certificate Template Information" extension. This contains the object identifier of the certificate template as well as version information. This prevents certificates from being requested twice during autoenrollment, and certificates can be requested again if a serious change has occurred. Replaced certificates can be identified and archived using this information.

For this reason, the "Certificate Template Information" extension must not be used for certificates for which autoenrollment is to be used. be removedotherwise the process will no longer work and the Side effects could occur.

The pKIEnrollmentService objects can be used to determine the certification authorities that offer the certificate templates to be requested, as well as on which computer in the network the certification authority is running. For this purpose the attributes certificateTemplates as well as dNSHostName evaluated.

Step 2: Connection to the target certification authority via RPC/DCOM

In the second step, a key pair and a certificate request are generated based on the requested information and sent to the responsible certification authority. If several certification authorities offer the same certificate template, the decision is made at random unless site awareness has been configured.

The certificate authority can identify the user based on Kerberos authentication and applies the settings specified in the corresponding certificate template with its policy module.

Control of client behavior for autoenrollment

The control of client behavior is controlled by group policy. The group policies exist once for user and for computer settings.

They can be found in our "User" or "Computer Configuration" - "Windows Settings" - "Public Key Policies" - "Certificate Services Client - Autoenrollment".

  • The "Configuration Model" causes the autoenrollment process to run at all. If this setting is not configured by a group policy, it is by default on a domain member activates.
  • The setting "Renew expired certificates, update pending certificates, and remove revoked certificates" causes expired certificates to be renewed automatically if they were issued by an Active Directory integrated certificate authority. In addition, approved certificate requests are fetched from certification authorities if they are available. Revoked certificates are archived. If this setting is not configured by a group policy, it is by default on a domain member deactivated.
  • The "Update certificates that use certificate templates" setting causes certificates to be automatically requested that are enabled for autoenrollment for the requestor. If this setting is not configured by a group policy, it is by default set on a domain member. deactivated.

So, by default, the autoenrollment process automatically replicates all domain members to the Active Directory forest's Public Key Services object when triggered.

Determination of the current configuration

The settings can be checked via the registry on Windows computers. They can be found in the "AEPolicy" value under the following paths:

PathDescription
HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollmentUser settings, configured by group policy
HKCU\Software\Microsoft\Cryptography\AutoEnrollmentUser settings, locally configured
HKLM\Software\Policies\Microsoft\Cryptography\AutoEnrollmentComputer settings, configured by group policy
HKLM\Software\Microsoft\Cryptography\AutoEnrollmentComputer settings, locally configured

Settings configured via group policy take precedence over locally configured settings.

A query can be made via the command line.

Example: Settings set by group policy for the currently logged in user account.

reg query ^
HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment ^
/v AEPolicy

Example: Computer account settings set by group policy.

reg query ^
HKLM\Software\Policies\Microsoft\Cryptography\AutoEnrollment ^
/v AEPolicy

The values mean in detail:

ValueDescriptionResult
0x00000000 or not availableAutoEnrollment process is activates
Update certificates that use certificates templates" is deactivated		none automatic request for certificates
none Automatic renewal of expired certificates
none Automatic collection of approved certificate requests
none Automatic archiving of revoked certificates
0x00000001AutoEnrollment process is activates
Update certificates that use certificates templates" is activates
Renew expired certificates, update pending certificates, and remove revoked certificates" is deactivated		automatic request for certificates
none Automatic renewal of expired certificates
none Automatic collection of approved certificate requests
none Automatic archiving of revoked certificates
0x00000006AutoEnrollment process is activates
Update certificates that use certificates templates" is deactivated
Renew expired certificates, update pending certificates, and remove revoked certificates" is activates		none automatic request for certificates
Automatic renewal of expired certificates
Automatic collection of approved certificate requests
Automatic archiving of revoked certificates
0x00000007AutoEnrollment process is activates
Update certificates that use certificates templates" is activates
Renew expired certificates, update pending certificates, and remove revoked certificates" is activates		automatic request for certificates
Automatic renewal of expired certificates
Automatic collection of approved certificate requests
Automatic archiving of revoked certificates
0x00008000AutoEnrollment is deactivatednone automatic request for certificates
none Automatic renewal of expired certificates
none Automatic collection of approved certificate requests
none Automatic archiving of revoked certificates

Trigger for triggering the autoenrollment process

The triggers for running the autoenrollment process on domain members are:

  • When the user logs in (for computers, when the computer account logs in, i.e. at system startup).
  • By timer every 8 hours.
  • When updating group policies, assuming there has been a change.

These settings can be viewed via the task scheduler under "Microsoft" - "Windows" - "CertificateServicesClient".

Manually running the autoenrollment process

If you do not want to wait for the autoenrollment to be triggered automatically, you can also start it manually. The different ways to run the autoenrollment process are described in the article "Manually running the autoenrollment process" described.

Related links:

External sources

44 thoughts on “Grundlagen manuelle und automatische Zertifikatbeantragung über Lightweight Directory Access Protocol (LDAP) und Remote Procedure Call / Distributed Common Object Model (RPC/DCOM)”

  1. Pingback: Clients connected via Virtual Private Network (VPN) do not renew certificates automatically | Uwe Gradenegger
  2. Pingback: Removing ADCS-specific extensions from certificates - Uwe Gradenegger
  3. Pingback: Basics Certificate Enrollment via Certificate Enrollment Web Services (CEP, CES) - Uwe Gradenegger
  4. Pingback: Have certificate holders automatically renew all certificates issued for a certificate template - Uwe Gradenegger
  5. Pingback: Details about the event with ID 53 of the source Microsoft-Windows-CertificationAuthority - Uwe Gradenegger
  6. Pingback: Basics Network Device Enrollment Service (NDES) - Uwe Gradenegger
  7. Pingback: Install SSCEP for Linux (Debian Buster) and apply for certificates via the Network Device Enrollment Service (NDES) - Uwe Gradenegger
  8. Pingback: Signing certificates by bypassing the certification authority - Uwe Gradenegger
  9. Pingback: Certificate request fails with error message "The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)." - Uwe Gradenegger
  10. Pingback: Automatic renewal of manually requested certificates without administrator intervention - Uwe Gradenegger
  11. Pingback: New certificates are regularly requested via Autoenrollment - Uwe Gradenegger
  12. Pingback: No certificate is requested via autoenrollment when a user is connected via Virtual Private Network (VPN). Manual certificate requests fail with error code "RPC_S_SERVER_UNAVAILABLE". - Uwe Gradenegger
  13. Pingback: Required firewall rules for Active Directory Certificate Services - Uwe Gradenegger
  14. Pingback: Troubleshooting for automatic certificate request (autoenrollment) via RPC/DCOM - Uwe Gradenegger
  15. Pingback: Triggering the AutoEnrollment Process Programmatically - Uwe Gradenegger
  16. Pingback: Requesting a certificate is not possible because the certificate template is not displayed. The error message is "Can not find a valid CSP in the local machine." - Uwe Gradenegger
  17. Pingback: Certificate requests for the online responder (OCSP) fail sporadically with error message "The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)" - Uwe Gra
  18. Pingback: Details about the event with ID 52 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll - Uwe Gradenegger
  19. Pingback: The local certificate store for trusted root certificate authorities is not synchronized from Active Directory - Uwe Gradenegger
  20. Pingback: Details about the event with ID 10 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll - Uwe Gradenegger
  21. Pingback: Basics: Replacing (Superseding) Certificate Templates - Uwe Gradenegger
  22. Pingback: Creating a mapping from a user certificate to the associated computer - Uwe Gradenegger
  23. Pingback: Overview of the different generations of domain controller certificates - Uwe Gradenegger
  24. Pingback: Requesting certificates with elliptic curve based keys fails when using Microsoft Platform Crypto Provider - Uwe Gradenegger
  25. Pingback: Limits of Microsoft Active Directory Certificate Services - Uwe Gradenegger
  26. Pingback: Details about the event with ID 4886 of the source Microsoft-Windows-Security-Auditing - Uwe Gradenegger
  27. Pingback: Manual execution of the autoenrollment process - Uwe Gradenegger
  28. Pingback: Configuring a certificate template for Remote Desktop (RDP) certificates - Uwe Gradenegger
  29. Pingback: Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "WS_E_ENDPOINT_FAILURE" - Uwe Gradenegger
  30. Pingback: The role configuration for the Certificate Enrollment Web Service (CES) fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE" - Uwe Gradenegger
  31. Pingback: Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "RPC_S_SERVER_UNAVAILABLE" - Uwe Gradenegger
  32. Pingback: Planning of certificate validity and renewal period of end-entity certificates with autoenrollment - Uwe Gradenegger
  33. Pingback: The partition of the Hardware Security Module (HSM) is running full - Uwe Gradenegger
  34. Pingback: The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect." - Uwe Gradenegger
  35. Pingback: List of certificate use cases for which compatibility with elliptic curve (ECC) based keys is known - Uwe Gradenegger
  36. Pingback: Certificate request fails with error message "The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)" - Uw
  37. Pingback: A policy module to tame them: Presentation of the TameMyCerts Policy Module for the Microsoft Certification Authority - Uwe Gradenegger
  38. Pingback: Requesting certificates for endpoints managed with Microsoft Intune - Uwe Gradenegger
  39. Pingback: Unable to install Network Device Enrollment Service (NDES) at a site with read-only domain controllers - Uwe Gradenegger
  40. Pingback: Transferring S/MIME certificates to Microsoft Intune - Uwe Gradenegger
  41. Pingback: Requesting a certificate fails with the error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted
  42. Pingback: Details about the event with ID 1063 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager - Uwe Gradenegger
  43. Pingback: Deconstruction of an Active Directory integrated certification authority (Enterprise CA) - Uwe Gradenegger
  44. Pingback: Roles in a Public Key Infrastructure - Uwe Gradenegger

Comments are closed.

en_USEnglish
de_DEDeutsch en_USEnglish