Remote desktop certificate request fails with error message "The permissions on the certificate template do not allow the current user to enroll for this type of certificate."

Uwe GradeneggerJuly 2021August 2021Troubleshooting, Certificate usageAutoenrollment, Group Policy, Remote Desktop (RDP)

Assume the following scenario:

Machines are configured by group policy to request certificates for the remote desktop session host.
However, the certificates are not applied for.
In the event log of the affected system, the Event with ID 1064 of source Terminalservices-RemoteConnectionManager logged:

The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The permissions on the certificate template do not allow the current user to enroll for this type of certificate.

Cause and solution

Occurs when the clients do not have "Enroll" permission on the certificate template configured by group policy.

The clients' computer objects need the "Enroll" permission on the certificate template configured in the group policy.

It is recommended to work with autoenrollment for Remote Desktop certificates and not via certificate application by the Remote Desktop session host. For more details, see the article "Configuring a Certificate Template for Remote Desktop (RDP) Certificates„.

Related links:

Troubleshooting for automatic certificate request (autoenrollment) via RPC/DCOM

External sources

RDP TLS Certificate Deployment Using GPO (Carlos Perez)

One thought on “Die Beantragung von Remotedesktop-Zertifikaten schlägt fehl mit Fehlermeldung „The permissions on the certificate template do not allow the current user to enroll for this type of certificate.“”

Pingback: Details about the event with ID 1064 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager - Uwe Gradenegger

Comments are closed.

English