Domain Controllers – How to Prevent Domain Controllers from Enrolling a Kerberos Authentication Certificate

There can be two inputs for this issue:

Part 1: Template supercedence

In certificate template settings (certtmpl.msc), there is Superseded Templates tab, where you can specify a list of templates that are superseded by current template. This setting is used only by certificate autoenrollment feature.

During autoenrollment, client examines every template and checks if current template is listed as *superseded* in any other template. If it is listed, then current template is skipped. This behavior is defined in [MS-CAESO] protocol specifications, §4.4.5.6.1:

4.4.5.6.1 Determine if a CertificateTemplate Instance is Valid for Autoenrollment If any conditions in the following list are true, autoenrollment SHOULD NOT process a new enrollment for the specific CertificateTemplate instance

<...> skipped for brevity

• There exists an instance of CertificateTemplate in the CertificateEnrollmentPolicy.Templates list whose CertificateTemplate.SupersededTemplates list contains a value equal to the current CertificateTemplate.CommonName

Note: In 2014, [MS-CAESO] document was retired and its content was moved to a number of other protocols specs and I haven't tried to track this move. Given that nothing was changed since then, you can use an archived PDF copy of the document: Archived [MS-CAESO] PDF copy.

This answers first half of question: why allowed for autoenrollment template is not autoenrolled. Thus, check if neither of templates is configured to supersede Domain Controller Authentication template. If there is such, remove it from superseded list.

And check if Domain Controller Authentication is added for issuance to CA that is enabled for web enrollment.

Part 2: MS-XCEP Cache

When clients use certificate enrollment web services (Microsoft CEP/CES), they do following:

1. Connect to enrollment policy service (CEP) and request policy.
2. CEP authenticates the client and reads all certificate templates from Active Directory where authenticated entity has at least Read permissions.
3. CEP contacts CAs to get the list of templates allowed by each CA and constructs response as specified in [MS-XCEP] §3.1.4.1.3.23

Response message has nextUpdateHours which is:

An integer representing the number of hours that the server recommends the client wait before submitting another GetPolicies message.

Default value is 8 hours. Client caches this response and may not attempt to request new policy with updated template list for this period of time. Although, there is boolean policiesNotChanged field which can be used by clients to poll for changes, but from practice I can tell that clients do not perform polling. Instead, they use this bit to determine if cached policy should be replaced or not. This is just my opinion, because any changes in policy have big latency on clients.

Either, wait for at least 8 hours and see if the issue is resolved automatically when clients fetch new policy from CEP server or try to force policy retrieval:

Delete all contents from %systemdrive%\ProgramData\Microsoft\Windows\X509Enrollment on target computer (DC) and then run

certutil -pulse

to trigger autoenrollment. During this call, a new policy will be downloaded and autoenrollment should pick up the correct template.