000016441 - AEP enrollment object not showing in Windows 2008

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000016441
Applies To: RSA Certificate Manager 6.9 build 554
Fedora Auto Enrollment Proxy (AEP)
Microsoft Windows Server 2008
Issue: AEP enrollment object not showing in Windows 2008
SYMPTOM #1:
When following the instructions in the RCM Windows PKI admin guide to set up AEP on Windows 2008 server, the enrollment object that is created in the forest root Configuration Context (when the 'Populate AD' button is clicked in the AEP options dialog) is not visible as a valid Certification Authority. As a result, you cannot request certificates using that object. Any certificate templates that are assigned to that object will not be valid certificate templates for enrollment.
SYMPTOM #2:
Another symptom that you may observe is that certificate templates which were explicitly assigned to the RHCS (Red Hat Certificate System) enrollment object do not function for enrollment.
Cause: The 'Red Hat Certificate Systems Proxy' object that is created by the AEP options dialog does not have the 'displayName' attribute set. Windows 2003 is not affected since it only uses the dNSHostName attribute to display the enrollment object.

For the second symptom, since the RCM Windows PKI admin guide requires that Microsoft Certificate Services be installed on the AEP host, the Microsoft Certificate Services installation creates an enrollment object in the forest root Configuration Context as well. If the 'displayName' attribute is not set as above for the RHCS enrollment object, only templates that are assigned to the Microsoft Certificate Services object that was created will be available.
Resolution: This issue will be fixed in a future version/build of RSA Certificate Manager. Contact RSA Customer Support for updates on a fix for this issue.

As a workaround, populate the 'displayName' of the enrollment object using ADSI Edit with a descriptive name:
  => ADSI Edit
  => Configuration [hostname.domain.net]
  => 'CN=Configuration,DC=domain,DC=net'
  => 'CN=Services'
  => 'CN=Public Key Services'
  => 'CN=Enrollment Services'
  => 'CN=Red Hat Certificate System Proxy'
  => update 'displayName' attribute with a descriptive name, such as 'RCM Win2k8 CA' or 'AEP Proxy'.
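
The same check and change can be scripted. The PowerShell below is an added example, not part of the RSA article or product: it lists every object under 'CN=Enrollment Services' with its displayName and dNSHostName, and only when the hypothetical -Fix switch is given does it write displayName on the object whose CN matches. The parameter names and defaults are assumptions for illustration.

```powershell
# Added example (not RSA-supplied). Audits the enrollment objects in the forest's
# Configuration partition and, with -Fix, sets displayName on one of them.
# Assumption: -Fix is run by an account allowed to write there (e.g. Enterprise Admins).
param(
    [string]$TargetCn       = 'Red Hat Certificate System Proxy', # CN from the workaround path
    [string]$NewDisplayName = 'AEP Proxy',                        # a name the article suggests
    [switch]$Fix
)

# Build the container DN from RootDSE so no domain components are hard-coded.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = [string]$rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

foreach ($obj in $container.psbase.Children) {
    $cn      = [string]$obj.Properties['cn'].Value
    $display = [string]$obj.Properties['displayName'].Value
    $status  = if ($display) { 'ok' } else { 'displayName missing' }

    # Only touch the named object, and never overwrite an existing displayName.
    if ($Fix -and -not $display -and $cn -eq $TargetCn) {
        $obj.Put('displayName', $NewDisplayName)
        $obj.SetInfo()
        $display = $NewDisplayName
        $status  = 'displayName set'
    }

    # One row per enrollment object; dNSHostName is what Windows 2003 displays.
    New-Object PSObject -Property @{
        CN          = $cn
        displayName = $display
        dNSHostName = [string]$obj.Properties['dNSHostName'].Value
        Status      = $status
    }
}
```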
Notes: CERTMGR-4301
Legacy Article ID: a62576
