Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

• A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
• One uses here the Enroll on Behalf of (EOBO) Mechanism.
• The certificate request fails with the following error message:

A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

The Certification Authority will use the Event no. 22 log.

Cause

Occurs when the certificate authority that issued the enrollment agent certificate is not a member of NTAuthCertificates in Active Directory.

The NTAuthCertificates object is located below the Public Key Services container within the configuration partition of the Active Directory forest. It contains all the certificate authority certificates that can be used for certificate-based logon in the Windows ecosystem.

The full LDAP path is:

CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,{Forest-Root-Domain}

The following certificate-based functions require the presence of the CA certificate in NTAuthCertificates object:

Function	Description
Enroll on Behalf Of (EOBO)	The CA certificate of the certification authority that issues the certificates for the enrollment agents must be located in NTAuthCertificates.
Key Recovery / Private Key Archiving	The CA certificate of the certification authority that archives the keys must be located in NTAuthCertificates.
Smartcard Logon	The CA certificate of the certification authority that issues the certificates of the domain controllers and logon users must be located in NTAuthCertificates.
Windows Hello for Business	Identical to Smartcard Logon. If Windows Hello for Business is used without certificates, only the certification authority for domain controllers must be entered.
Network Policy Server (Network Policy Server, NPS) when certificate-based logins are processed (e.g. 802.1x over wireless or wired network, DirectAccess, Always ON VPN).	The CA certificate of the certification authority that issues the certificates of the logging in users or computers must be located in NTAuthCertificates.
EFS File Recovery Agents	The CA certificate of the certification authority that issues the certificates of the file recovery agents must be located in NTAuthCertificates.
IIS Client Certificate Mapping (against Active Directory)	The CA certificate of the certification authority that issues the certificates of the logging in users must be located in NTAuthCertificates.
Network Device Enrollment Service (Network Device Enrollment Service, NDES), Renewal mode only	Only affects renewal mode, i.e. signing a certificate request with an existing certificate. The CA certificate of the certification authority that issued the certificates of the certificates to be renewed must be located in NTAuthCertificates.

If an Active Directory integrated certificate authority (Enterprise CA) is newly installed, its CA certificate is automatically copied to the NTAuthCertificates object by the installation routine. In the present case, the CA certificate was subsequently removed from the object.

For an explanation of how the certificate authority certificate is included in the NTAuthCertificates object, see the article "Editing the NTAuthCertificates object„.

For security reasons, it may well be advisable for a certificate authority certificate not to be in the NTAuthCertificates object. Added CA certificates are considered trusted by all previously listed functions. This can be a security risk, assuming the CA is taken over by an attacker. Before adding new CA certificates to the NTAuthCertificates object, a security assessment should take place. Usually there is a reason that the CA certificate on NTAuthCertificates was removed.

Related links:

• Basics: Enroll on Behalf of (EOBO)