Raphael, please check the "Initialize enrollment policies" section in part 2. In short, every CEP endpoint is a separate unit and every CEP is processed independently. The fact that both CEP endpoints provide the same templates and the same CAs doesn't mean anything, and any match is considered a coincidence. As a result, the autoenrollment client processes the first CEP and acquires a certificate. The job is done, then the second CEP is queried: a certificate is required, so autoenrollment acquires a certificate from the second CEP as well.
Hi Vadims, while autoenrollment is working fine, I am seeing duplicate certificates being enrolled as soon as I switch from WCCE (Default Policy) to XCEP/WSTEP on CEP/CES.
- two Issuing CAs
- two CEP URIs configured (same weight) on dedicated servers
- on each enrollment server a pair of matching CES pointing back to the CAs
Those duplicate certificates are always issued from the same CA, even if a template is published on both CAs. When putting only one of the CEP endpoints into the GPO, everything is working as expected - but the clients would only have one CEP path to choose from.
Am I missing something, or is this setup of multiple CEP paths in conjunction with autoenrollment not supported?
Many thanks for all your very helpful posts!
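To confirm the symptom Raphael describes and the per-endpoint processing Vadims explains, the following added example (not code from the post or from Sysadmins LV) lists machine-store certificates that share the same template and issuer, which is exactly what two independently processed CEP endpoints produce. It assumes the machine store Cert:\LocalMachine\My; adjust the path for user autoenrollment.

```powershell
# Added example, not part of the original thread. Groups certificates in the
# machine store by template and issuer and reports any group with more than
# one certificate (duplicates from the same CA, as described above).
# Assumption: checking Cert:\LocalMachine\My; change the path for user certs.

# Certificate Template Information (v2 templates) and Certificate Template
# Name (v1 templates) extension OIDs.
$templateOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')

function Get-TemplateLabel {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($templateOids -contains $ext.Oid.Value) {
            # Format($false) decodes the extension to one comma-separated line;
            # the first field carries the template name (or name + OID for v2).
            return ($ext.Format($false) -split ',')[0].Trim()
        }
    }
    return '<no template extension>'
}

$dupes = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        [pscustomobject]@{
            Template   = Get-TemplateLabel -Cert $_
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.NotBefore
        }
    } |
    Group-Object -Property Template, Issuer |
    Where-Object { $_.Count -gt 1 }

if (-not $dupes) {
    Write-Output 'No duplicate template/issuer pairs found.'
}
foreach ($g in $dupes) {
    Write-Output ('{0} -- {1} certificates' -f $g.Name, $g.Count)
    $g.Group | Sort-Object NotBefore | Format-Table Thumbprint, NotBefore -AutoSize
}
```

Run it on a client after an autoenrollment pass (for example after `certutil -pulse`); each reported group with the same issuer and two enrollment timestamps close together matches the two-CEP behaviour discussed here.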
Make sure that the installed version of .NET you're running this from is 4.5 or greater. The SSLProtocols enum from previous versions doesn't have support for TLS 1.1 and above:
See 4.0 Support:
vs. 4.5 Support:
For public certificate import onto hardware devices (HSM, smart cards), you have to use the software provided with the HSM. I don't know of ways to do this programmatically.
© 2008 - 2019 - Sysadmins LV. All rights reserved