Replies: 1 comment
-
Hi, this discussion forum is for EJBCA Community, without SLA. Regards,
-
Hello EJBCA Community.
I'm currently working on an EJBCA Enterprise version and trying to implement the Active Directory Autoenrollment operation on a Distributed Installation of the PKI. (https://doc.primekey.com/ejbca/ejbca-operations/ejbca-operations-guide/ca-operations-guide/enrollment-protocol-configuration/microsoft-auto-enrollment-operations/microsoft-auto-enrollment-configuration-guide)
I have succeeded at all the steps before Part 4 comes in, especially step 3 of this part where you have to enable the Enrollment Policies GPO.
I received an error: "The input data was not in the expected format or did not have the expected value. 0x803d0000 (-2143485952 WS_E_INVALID_FORMAT)" (tried with the DNS name; with the IP of my EJBCA CA machine it produces a "Remote Endpoint denied" error instead).
When I enable the CAPI2 log in the Event Viewer of my domain controller, we can see this error: "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust providers". (link to the full error below)
However, when I check my certificate store (user & machine included), all the CA certificates in the certificate chain to be verified are present.
As I see on the Microsoft page for "CertVerifyCertificateChainPolicy", flag "7" (CERT_CHAIN_POLICY_MICROSOFT_ROOT) says: "Checks the last element of the first simple chain for a Microsoft root public key. If that element does not contain a Microsoft root public key, the dwError member of the [CERT_CHAIN_POLICY_STATUS](https://docs.microsoft.com/en-us/windows/desktop/api/wincrypt/ns-wincrypt-cert_chain_policy_status) structure pointed to by the pPolicyStatus parameter is set to CERT_E_UNTRUSTEDROOT." -> https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy
Currently, I cannot enable the Certificate Enrollment Policy for Microsoft Auto-enrollment. Does someone have insight or know how to fix this issue?
Thanks in advance.
CAPI2 Log : https://ibb.co/CBDGzgV
Remote Endpoint Denied : https://ibb.co/8gLkFr6
PS: Sorry for my bad English, not my mother tongue :/
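The CAPI2 message above ("terminated in a root certificate which is not trusted") comes from CryptoAPI's chain engine, so a quick way to narrow the problem is to let Windows build the chain for the enrollment endpoint's certificate itself and report which root it ends on and which physical store (if any) contains that root. This is an added diagnostic script, not part of the original post or of EJBCA; it assumes the endpoint's TLS certificate has been exported to the placeholder path `C:\temp\cep-server.cer`.

```powershell
# Added diagnostic example (not from the original post). Builds the chain for an
# exported endpoint certificate the way CryptoAPI does and reports where it ends.
$certPath = 'C:\temp\cep-server.cer'   # placeholder: exported CEP/CES endpoint certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Skip revocation so that only trust/format problems surface in ChainStatus.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($cert)

"Chain builds without errors: $built"
foreach ($status in $chain.ChainStatus) {
    "  status: $($status.Status) - $($status.StatusInformation)"
}

"Chain elements (leaf first):"
foreach ($element in $chain.ChainElements) {
    "  " + $element.Certificate.Subject
}

# The last element is the root CryptoAPI stopped on. For a trusted chain it must
# sit in the Trusted Root Certification Authorities ('Root') store of the context
# that performs the check (machine context for autoenrollment of computers).
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
foreach ($location in 'LocalMachine', 'CurrentUser') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
    $store.Open('ReadOnly')
    $found = $store.Certificates.Find('FindByThumbprint', $root.Thumbprint, $false)
    $store.Close()
    "Root '$($root.Subject)' present in $location\Root: $($found.Count -gt 0)"
}
```

If the chain ends on a root that is only in the Intermediate Certification Authorities store, or only in the CurrentUser stores while the lookup runs as the machine, CryptoAPI reports it as untrusted even though every CA certificate is visible in the MMC snap-in.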