Replies: 1 comment
Hi, this discussion forum is for EJBCA Community, without SLA. Regards,
Hello EJBCA Community.
I'm currently working on an EJBCA Enterprise version and am trying to implement the Active Directory Autoenrollment operation on a Distributed Installation of the PKI. (https://doc.primekey.com/ejbca/ejbca-operations/ejbca-operations-guide/ca-operations-guide/enrollment-protocol-configuration/microsoft-auto-enrollment-operations/microsoft-auto-enrollment-configuration-guide)
I have succeeded at all the steps before Part 4; the problem comes in Part 4, especially at step 3, where you have to enable the Enrollment Policies GPO.
I receive the following error: "The input data was not in the expected format or did not have the expected value. 0x803d0000 (-2143485952 WS_E_INVALID_FORMAT)" (tried with the DNS name; with the IP of my EJBCA CA machine it gives a Remote Endpoint denied error instead).
When I enable the CAPI2 log in the Event Viewer of my domain controller, we can see this error: "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust providers". (link to the full error below)
However, when I check my certificate stores (user and machine included), all the CA certificates in the certificate chain to be verified are present.
As I see in the Microsoft page for "CertVerifyCertificateChainPolicy", the flag "7" for CERT_CHAIN_POLICY_MICROSOFT_ROOT says: "Checks the last element of the first simple chain for a Microsoft root public key. If that element does not contain a Microsoft root public key, the dwError member of the [CERT_CHAIN_POLICY_STATUS](https://docs.microsoft.com/en-us/windows/desktop/api/wincrypt/ns-wincrypt-cert_chain_policy_status) structure pointed to by the pPolicyStatus parameter is set to CERT_E_UNTRUSTEDROOT." -> https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy
Currently, I cannot enable the Certificate Enrollment Policy for Microsoft Auto-enrollment. Does someone have insight or know how to fix this issue?
Thanks in advance.
CAPI2 Log : https://ibb.co/CBDGzgV
Remote Endpoint Denied : https://ibb.co/8gLkFr6
PS: Sorry for my bad English, it is not my mother tongue :/
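An added PowerShell diagnostic for the CAPI2 "terminated in a root certificate which is not trusted" error described in the post (this is example code, not from the post, EJBCA or PrimeKey): it fetches the TLS certificate that the enrollment policy endpoint presents, builds its chain with the same CryptoAPI engine Windows uses for the check, and reports each chain status together with whether the root and intermediates are in the machine-wide stores. The endpoint host name and port are placeholders to replace with your own.

```powershell
# Constructed placeholders, not values from the post: replace with your EJBCA MSAE/CEP endpoint.
$EndpointHost = 'ejbca.example.test'
$EndpointPort = 443

function Get-RemoteTlsCertificate {
    param([string]$ComputerName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept whatever the server sends: we only capture the certificate here and
        # evaluate its chain separately in Test-ChainTrust.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-ChainTrust {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is not the question in the post; isolate the trust-anchor problem.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)
    Write-Host ("Chain built without errors: {0}" -f $built)
    # UntrustedRoot = the root is not in a trusted store; PartialChain = an intermediate is missing.
    foreach ($s in $chain.ChainStatus) {
        Write-Host ("  status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    for ($i = 0; $i -lt $elements.Count; $i++) {
        Write-Host ("  [{0}] {1}  thumbprint={2}" -f $i, $elements[$i].Subject, $elements[$i].Thumbprint)
    }
    # Windows merges LocalMachine\Root into the CurrentUser view, so a chain that builds in a
    # user session can still fail in the machine context that autoenrollment and CEP use.
    # Check the LocalMachine stores explicitly: root in Root, intermediates in CA.
    $root = $elements[-1]
    $rootInMachine = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint)
    Write-Host ("Last element is self-signed: {0}" -f ($root.Subject -eq $root.Issuer))
    Write-Host ("Root in Cert:\LocalMachine\Root: {0}" -f $rootInMachine)
    foreach ($inter in $elements[1..($elements.Count - 2)]) {
        $inMachineCA = [bool](Get-ChildItem Cert:\LocalMachine\CA | Where-Object Thumbprint -eq $inter.Thumbprint)
        Write-Host ("Intermediate '{0}' in Cert:\LocalMachine\CA: {1}" -f $inter.Subject, $inMachineCA)
    }
    return $built
}

$endpointCert = Get-RemoteTlsCertificate -ComputerName $EndpointHost -Port $EndpointPort
Test-ChainTrust -Certificate $endpointCert
```

Run it from an elevated prompt on the domain controller that logs the CAPI2 error, so the stores inspected are the ones that the enrollment policy client actually consults.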