Have you seen this? http://support.microsoft.com/kb/947237
Since you're working with a child domain you might have to adjust the groups a bit, but it looks like your error. From: Okan Bostan [mailto:[email protected]] Sent: Thursday, April 22, 2010 4:35 AM To: NT System Admin Issues Subject: Certificate AutoEnrollment issue Hi list, I have a question about Certificate AutoEnrollment cross child domains. In our Public CA (Server 2003) we prepare the cert template and assign autoenrollment security rights for the domain computers. Also give the GPO rights mentioned : http://technet.microsoft.com/en-us/library/cc739637(WS.10).aspx Our enviroment is: Forest: test.com. The CA is in child domain c.test.com all "C" domain computers can successfully get the certificate, and so the autoenrollment setings are OK. But the other computers(vista x86 clients) in child forest b.test.com, cannot autoenroll the cert, giving the error: [cid:[email protected]] Also I found this link<http://blogs.technet.com/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx> and try all the solution ways (DCOM), still no luck. This link<http://support.microsoft.com/?scid=kb;en-us;939882&x=7&y=9> also got no solution. In all scenarios I can manually enroll the cert. There is no access list or firewall between client and CA. Any suggestion about the problem? Thanks. Okan Bostan Istanbul Technical University IT Center ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
<<inline: image001.png>>
