Managing Auto Enrollment Proxy Settings - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

support.microsoft.com/kb/892777, which includes LDP (an LDAP browser) and DCDIAG (used for
diagnosing domain controller and DNS problems). Two monitoring tools, filemon and regmon, are
available at http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Regmon.ms and
are extremely useful for monitoring and troubleshooting registry and file issues, which can help with
analyzing the auto enrollment process.
Kerberos Authentication
Auto enrollment uses Microsoft's Kerberos mechanisms to authenticate users, servers, and requests.
Make sure that Kerberos, not NTLM, is being used to authenticate entities (this is visible in the Event
Viewer security logs). The kerbtray.exe tool can be used to purge Kerberos tickets if NTLM is
being used instead of Kerberos.
dcdiag and Replication
If dcdiag shows that there are replication problems, create new replication agreements.
The certificate request failed...
One common error message when generating a certificate using the Microsoft Management Console
is "The certificate request failed because of one of the following conditions..."
If this error occurs when the Microsoft Management Console request wizard is first opened, then
the console could not connect to the enrollment service. There are several possible reasons:
• The hostname in enrollment services is incorrect. Use LDP to view the enrollment service in Active
Directory for the proxy, and verify the dNSHostName attribute. This value is automatically populated
when the proxy is first configured.
• The proxy host is unreachable. Try to ping the above hostname to make sure DNS resolves the
hostname to an IP address correctly, and that the host is online.
• The proxy service is not running. The proxy is a registered service. It is stopped by default, but
Windows should automatically start the service when a certificate request is entered. Check Task
Manager to see if the rhcsproxy.exe process is running or check the Services page to restart the
service.
• If the proxy is installed on another machine or another domain, then the DCOM or domain
configuration may not be allowing the host to contact the proxy service.
If the "request failed" error occurs after going through the request wizard, then the console was able
to connect to the proxy and generate a request, but the proxy did not return a certificate. Check the
Event Viewer application log on the system that is running the proxy to see what errors were recorded.
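
The checks above can be collected into one triage script. This PowerShell is an added example, not part of the Red Hat manual; it assumes `-ProxyHost` is the dNSHostName value read with LDP, and the `-OnProxyHost` switch is a name chosen for this example.

```powershell
# Added example: triage for "The certificate request failed..." in the MMC request wizard.
param(
    # Assumption: the dNSHostName value read from the proxy's enrollment service entry with LDP.
    [Parameter(Mandatory = $true)][string]$ProxyHost,
    # Hypothetical switch for this example: set it when running on the proxy host itself.
    [switch]$OnProxyHost
)

$report = @()

# Cause 1: wrong hostname in enrollment services. Does DNS resolve the stored name?
try {
    $ips = [System.Net.Dns]::GetHostAddresses($ProxyHost) | ForEach-Object { $_.IPAddressToString }
    $report += [pscustomobject]@{ Check = 'DNS resolution'; Ok = $true; Detail = ($ips -join ', ') }
} catch {
    $report += [pscustomobject]@{ Check = 'DNS resolution'; Ok = $false; Detail = $_.Exception.Message }
}

# Cause 2: proxy host unreachable.
$alive = Test-Connection -ComputerName $ProxyHost -Count 2 -Quiet
$report += [pscustomobject]@{ Check = 'Ping'; Ok = $alive; Detail = $ProxyHost }

if ($OnProxyHost) {
    # Cause 3: proxy service missing or not running. The service is located by its binary,
    # because the registered service name is not given on this page. A stopped service is
    # the default state, so the state is reported rather than treated as a failure.
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like '*rhcsproxy.exe*' } | Select-Object -First 1
    $detail = 'no service with an rhcsproxy.exe binary path'
    if ($svc) { $detail = "$($svc.Name): $($svc.State), start mode $($svc.StartMode)" }
    $report += [pscustomobject]@{ Check = 'Proxy service registered'; Ok = [bool]$svc; Detail = $detail }

    $proc = Get-Process -Name rhcsproxy -ErrorAction SilentlyContinue
    $report += [pscustomobject]@{ Check = 'rhcsproxy.exe running'; Ok = [bool]$proc; Detail = '' }

    # Wizard completed but no certificate came back: list Application log errors
    # (Level 2) from the last hour on the proxy host.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2;
        StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message | Format-List
}

$report | Format-Table -AutoSize
```

Run it without the switch on the machine showing the error to cover the hostname and reachability causes, then with `-OnProxyHost` on the proxy machine for the service and event log checks.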

4.6.3. Managing Auto Enrollment Proxy Settings

The Auto Enrollment proxy is configured in a central Active Directory entry and in the Windows registry
of the host where it is installed. These configuration entries can be viewed and, to some extent, edited
to redefine the proxy service.