Domain Controller Authentication Certificate Template Not Available
This is one of the few cases where Windows will auto-enroll for a certificate without auto-enrollment being configured in Group Policy.
Domain Controller Authentication certificate template not available. If the Domain Controller certificate template is not. Certificate template requires multiple (2 or more) registration authority (RA) signatures in the Issuance Requirements tab. All domain controllers are hard-coded to automatically enroll for a certificate based on the Domain Controller template if it is available for enrollment at a certificate authority in the forest.
Certificate template requires private key archival in the CA database, and the CA that supports this template's certificate is not present in the local KRA certificate store or fails the validation check. The non-domain-member server and the clients that must be able to communicate with it must be configured to use cryptographic certificates based on the X.509 standard. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC.
Domain Controller (Windows Server 2000); Domain Controller Authentication (Windows Server 2003); Kerberos Authentication (Windows Server 2008 and above). Our modern domain controllers can use any one of these 3 certificate templates; however, we really want your DCs to be using the Kerberos Authentication template. Hard-coded in this case means it is in the code; it is not configured in any local or domain-based policy. It uses RADIUS authentication.
We tried to renew it off of a template that was available, but it failed with an expiration message. These certificates can be used as an alternate set of credentials. The templates are the.
However, the device can still participate in the isolated domain by using certificate-based authentication. The Domain Controller Authentication template is not published in AD, and all options are accessible. After some digging, we found in our NPS that our certificate had expired. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.
After looking at the template, I noticed it was issued by one of our domain controller CAs, which had also conveniently expired at the same time.