Tuesday, August 30, 2011

Certificate Autoenrollment Not Working on Windows 7

Why do I always seem to find the weird issues?

I was working with a client on a PKI deployment and ran into a Windows 7 workstation that would not autoenroll properly. The new Windows Server 2008 R2 PKI itself was fine; the client simply wouldn’t update.

I went to manually request the desired certificate, and found that the Root CA was not trusted, and therefore the client wouldn’t autoenroll.  Of course, the Root CA and the Issuing CA were properly registered in AD, so the client should’ve auto-downloaded the root certificates for them as part of the autoenrollment process.

I verified the client had autoenrollment enabled as described in this article: http://social.technet.microsoft.com/wiki/contents/articles/3048.aspx

I also removed the AEDirectoryCache registry entry as described here: http://technet.microsoft.com/en-us/library/bb456981.aspx#ECAA (The article is written for XP, but the registry key removal is still valid for Windows 7.)

What I found then was that the AEDirectoryCache registry key was not being recreated when gpupdate /force was run. There were no event log entries for autoenrollment at all (good or bad). No Root CAs were downloaded, and I still didn’t get my certificate.

I ran certutil -pulse to force autoenrollment and got the following unusual message…

CertUtil: -pulse command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

That led me to this forum posting: http://social.technet.microsoft.com/Forums/en-SG/winserverDS/thread/5100f13d-f9e6-46fb-a394-76b7f9702c80

The symptoms described there were exactly what I had (though for Vista), so I looked into the resolutions posted. I couldn’t do the first one, since there were no child tasks in Task Scheduler. I’m on to something now…

I copied the entire c:\Windows\System32\Tasks\Microsoft\Windows directory from a good system to the problem system, then went back into Task Scheduler. Still no child tasks. I also noticed this time that Task Scheduler gave me an error about failing to connect to the remote system. Then it hit me: what if the Task Scheduler service was disabled? I went to look and found out that the Task Scheduler service DID NOT EXIST!!

I exported the registry key for the service (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule) from a good system and imported it to the problem system, rebooted, and I now had a running Task Scheduler service again, complete with child tasks. My root certificates then auto-downloaded, and I got my certificate! certutil -pulse works fine again too, and the AEDirectoryCache key was re-created.

So I learned that, somehow, the certificate autoenrollment process in Vista and Windows 7 is connected to the Task Scheduler service.
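For anyone chasing the same symptoms, here is an added read-only health check (not from the original post) that walks the same chain in one pass: Task Scheduler service, its autoenrollment child tasks, the AEDirectoryCache key, certutil -pulse, and the autoenrollment event log. The registry paths, the task folder name and the event provider name are assumptions taken from Microsoft documentation rather than from the post above; adjust them if your build differs.

```powershell
# Added example, not from the original post. Assumed (not on the page): the registry
# paths, the task folder name and the event provider name below. Run from an elevated
# prompt; everything here is read-only except certutil -pulse, which triggers enrollment.
function Test-AutoenrollmentHealth {
    $r = @{}

    # 1. Does the Task Scheduler service exist at all? In the post it did not.
    $svc = Get-Service -Name Schedule -ErrorAction SilentlyContinue
    $r.ScheduleServiceStatus = if ($svc) { [string]$svc.Status } else { 'MISSING' }
    $r.ScheduleServiceKey = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'

    # 2. Ask the service itself for the autoenrollment tasks. If the service is gone,
    #    Connect() fails, which matches the "failed to connect" error the post saw.
    try {
        $sched = New-Object -ComObject Schedule.Service
        $sched.Connect()
        $folder = $sched.GetFolder('\Microsoft\Windows\CertificateServicesClient')  # assumed folder
        $r.AutoenrollTasks = @($folder.GetTasks(0) | ForEach-Object { $_.Name })
    } catch {
        $r.AutoenrollTasks = "ERROR: $($_.Exception.Message)"
    }

    # 3. Machine autoenrollment cache key; a successful pass recreates it (assumed path).
    $r.AEDirectoryCacheKey = Test-Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache'

    # 4. Trigger autoenrollment the way the post did and keep the exit code (0 = success).
    $pulse = & certutil.exe -pulse 2>&1
    $r.CertutilPulseExitCode = $LASTEXITCODE
    $r.CertutilPulseLastLine = [string]($pulse | Select-Object -Last 1)

    # 5. Any autoenrollment events at all? The post saw none, good or bad (assumed provider).
    $r.RecentAutoenrollEvents = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        } -MaxEvents 5 -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.TimeCreated) id=$($_.Id) $($_.LevelDisplayName)" })

    New-Object PSObject -Property $r
}

Test-AutoenrollmentHealth | Format-List
```

A healthy machine shows the Schedule service Running, at least one task under CertificateServicesClient, the cache key present and a zero exit code from certutil; the post's broken machine would show MISSING, a connect error, no key and a non-zero exit code.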
