Active Directory Certificate Services CEP/CES won’t show templates added to CA

Tags: ad-certificate-services, pki

I am running this on Server 2016, domain is 2012r2, client computers are Win10 and Win7.

I have a two-tier PKI infrastructure (offline root) that I recently set up, and I have had no issues with most of the configuration. The issue that I currently have is in regards to the CEP/CES web services.

The intermediate CA is segmented from most of our domain-joined computers, so I cannot use the LDAP enrollment policy to enroll (RPC access to the CA from most of the clients will not be allowed). With that in mind, I created a 3rd server where the CRL/AIA information resides, as well as hosting the CEP/CES web services (Kerberos, no key-based renewal). Domain-joined machines can add and validate the enrollment policy server with no problem, but when I try to request a new certificate, the list of templates available is blank. The certificate enrollment dialog shows the message "Certificate types are not available".

When I use the LDAP-based enrollment policy on those domain-joined computers that have access to the intermediate CA, I see all the templates that I have set up the CA to issue, and can submit enrollment requests for any of them with no problems.

When I configured the CEP web services, I had to initially change the policy ID for the web services as outlined here in section 3c (GUID conflicts with existing GUID when LDAP and CEP…) in order for the clients to validate the enrollment policy server correctly.

I have verified that my test machines and test users all have read and enroll privileges on all the templates I am expecting to see, and I have restarted both the CA and the server hosting the CEP/CES web services.

Any help would be appreciated.
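A diagnostic that narrows down where an empty CEP template list is coming from, added here as a worked example; it is not from the original post or from the accepted answer, and it is not a fix. It compares the templates the CA will issue with what the client has registered, checks the client's policy-server registrations for the duplicate PolicyID that the section 3c step is meant to remove, and then forces one enrollment through CEP/CES so the error text comes from the web service rather than from the MMC dialog's template filter. The CA config string, CEP URL and template name are placeholders, and the registry value names (PolicyID, URL, FriendlyName) are as I remember them, so verify them on your build; the cmdlets and certutil verbs used are the documented ones.

```powershell
# Added example (not from the original post). Run elevated on a client that
# shows "Certificate types are not available"; step 1 needs RPC/DCOM reach to
# the CA, so run that part from a host that is allowed to talk to it.
# All names below are placeholders (assumed) - adjust before use.

$CaConfig = 'ISSUINGCA01.corp.example.com\Example Issuing CA'                           # assumed
$CepUrl   = 'https://pki.corp.example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP' # assumed
$TestTmpl = 'ExampleWebServer'                                                           # assumed template common name

# 1. Templates the CA is configured to issue. Output lines look like
#    "<TemplateName>: <DisplayName> -- ..." so the parse below is a heuristic.
$caTemplates = certutil -CATemplates -config $CaConfig |
    ForEach-Object { if ($_ -match '^([^:\s]+):') { $Matches[1] } }
"CA reports $($caTemplates.Count) issuable template(s):"
$caTemplates | ForEach-Object { "  $_" }

# 2. Policy servers this client knows about (the LDAP entry plus any CEP URLs).
#    Machine context here; use -Context User when user enrollment is what fails.
"Enrollment policy servers (machine context):"
Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine | Format-List

# 3. Duplicate PolicyID check across local and GPO-delivered registrations.
#    Registry paths and value names from memory; confirm with 'reg query'.
$regRoots = 'HKLM:\SOFTWARE\Microsoft\Cryptography\PolicyServers',
            'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers'
$entries = foreach ($root in $regRoots) {
    if (Test-Path $root) {
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Key      = $_.PSChildName
                PolicyID = $p.PolicyID
                URL      = $p.URL
                Name     = $p.FriendlyName
            }
        }
    }
}
$dupes = $entries | Where-Object { $_.PolicyID } |
         Group-Object PolicyID | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    "WARNING: the same PolicyID is registered for more than one policy server:"
    $dupes | ForEach-Object { $_.Group | Format-Table -AutoSize | Out-String }
} else {
    "No duplicate PolicyID among $($entries.Count) registration(s)."
}

# 4. Force an enrollment through CEP/CES for one template. A template that the
#    CA lists in step 1 but that fails here points at the web services or the
#    policy they return, not at template permissions on the CA.
try {
    $result = Get-Certificate -Template $TestTmpl -Url $CepUrl `
                  -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Stop
    "Get-Certificate status: $($result.Status)"
} catch {
    "Get-Certificate via CEP failed: $($_.Exception.Message)"
}
```

Read the output in order: if step 1 lists the template, step 2 shows the CEP server registered, step 3 reports no duplicate PolicyID and step 4 still fails, the remaining suspect is the CEP/CES installation itself, which is consistent with a reinstall clearing the problem without the cause ever being identified.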

Best Answer

I finally caved and paid for a support incident with Microsoft. They had me uninstall and reinstall the web services, and everything worked like a miracle. We never found the underlying cause.