Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

  • A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
  • One uses here the Enroll on Behalf of (EOBO) Mechanism.
  • The certificate request fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

The Certification Authority will use the Event no. 22 log.

Cause

Occurs when the certificate authority that issued the enrollment agent certificate is not a member of NTAuthCertificates in Active Directory.

The NTAuthCertificates object is located below the Public Key Services container within the configuration partition of the Active Directory forest. It contains all the certificate authority certificates that can be used for certificate-based logon in the Windows ecosystem.

The full LDAP path is:

CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,{Forest-Root-Domain}

The following certificate-based functions require the presence of the CA certificate in NTAuthCertificates object:

FunctionDescription
Enroll on Behalf Of (EOBO)The CA certificate of the certification authority that issues the certificates for the enrollment agents must be located in NTAuthCertificates.
Key Recovery / Private Key ArchivingThe CA certificate of the certification authority that archives the keys must be located in NTAuthCertificates.
Smartcard LogonThe CA certificate of the certification authority that issues the certificates of the domain controllers and logon users must be located in NTAuthCertificates.
Windows Hello for BusinessIdentical to Smartcard Logon. If Windows Hello for Business is used without certificates, only the certification authority for domain controllers must be entered.
Network Policy Server (Network Policy Server, NPS) when certificate-based logins are processed (e.g. 802.1x over wireless or wired network, DirectAccess, Always ON VPN).The CA certificate of the certification authority that issues the certificates of the logging in users or computers must be located in NTAuthCertificates.
EFS File Recovery AgentsThe CA certificate of the certification authority that issues the certificates of the file recovery agents must be located in NTAuthCertificates.
IIS Client Certificate Mapping (against Active Directory)The CA certificate of the certification authority that issues the certificates of the logging in users must be located in NTAuthCertificates.
Network Device Enrollment Service (Network Device Enrollment Service, NDES), Renewal mode onlyOnly affects renewal mode, i.e. signing a certificate request with an existing certificate.
The CA certificate of the certification authority that issued the certificates of the certificates to be renewed must be located in NTAuthCertificates.

If an Active Directory integrated certificate authority (Enterprise CA) is newly installed, its CA certificate is automatically copied to the NTAuthCertificates object by the installation routine. In the present case, the CA certificate was subsequently removed from the object.

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

For an explanation of how the certificate authority certificate is included in the NTAuthCertificates object, see the article "Editing the NTAuthCertificates object„.

For security reasons, it may well be advisable for a certificate authority certificate not to be in the NTAuthCertificates object. Added CA certificates are considered trusted by all previously listed functions. This can be a security risk, assuming the CA is taken over by an attacker. Before adding new CA certificates to the NTAuthCertificates object, a security assessment should take place. Usually there is a reason that the CA certificate on NTAuthCertificates was removed.

Related links:

2 thoughts on “Die Beantragung eines Zertifikats über Enroll on Behalf of (EOBO) schlägt fehl mit der Fehlermeldung „A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)“”

Comments are closed.

en_USEnglish