j1745

Here's my EnrollmentService.log: [3, PID:7248][05/02/2013 16:13:45] :EnrollmentService application start ... [7, PID:7248][05/02/2013 16:13:47] :WindowsIdentity is created for domain: [Domain] user: [user] [7, PID:7248][05/02/2013 16:13:47] :validated user credentials [7, PID:7248][05/02/2013 16:13:47] :Handling RequestSecurityToken [7, PID:7248][05/02/2013 16:13:47] :claim identity name: [Domain\User] [7, PID:7248][05/02/2013 16:13:47] :ConfigManager: RefreshCache: Creating Enrollment Profile 16777217 [7, PID:7248][05/02/2013 16:13:47] :EnrollmentServiceProfile: GetDBCAs retrieved Template information: [7, PID:7248][05/02/2013 16:13:47] :Template: CM12ClientCert [7, PID:7248][05/02/2013 16:13:47] :CA: System.Collections.Generic.List`1[system.String] [7, PID:7248][05/02/2013 16:13:47] :The CA [CA] is in forest [Domain] [7, PID:7248][05/02/2013 16:13:47] :Impersonating caller: [user] [7, PID:7248][05/02/2013 16:13:47] :Revert back to self: NT AUTHORITY\NETWORK SERVICE [7, PID:7248][05/02/2013 16:13:47] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS [7, PID:7248][05/02/2013 16:13:47] :ConfigManager: CA Chains count: 1 [7, PID:7248][05/02/2013 16:13:47] :ConfigManager: Subject name: [...] [7, PID:7248][05/02/2013 16:13:47] :ConfigManager: Issuer Name: [...] [7, PID:7248][05/02/2013 16:13:47] :ConfigManager: CA Chains 1 thumprint: [...] [7, PID:7248][05/02/2013 16:13:47] :ConfigManager: Got root CA hash: [...] [7, PID:7248][05/02/2013 16:13:47] :Impersonating caller: [Domain\User] [7, PID:7248][05/02/2013 16:13:48] :Revert back to self: NT AUTHORITY\NETWORK SERVICE [7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: entering State: Start [7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: exiting state: Start, Result: Succeed [7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: entering State: AuthenticationApproved [7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: exiting state: AuthenticationApproved, Result: Failover [7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: entering State: CertNotInADAccount [7, PID:7248][05/02/2013 16:13:48] :Impersonating caller: [Domain\User] [7, PID:7248][05/02/2013 16:13:48] :Revert back to self: NT AUTHORITY\NETWORK SERVICE [7, PID:7248][05/02/2013 16:13:48] :CALayer: Sending CA failure status - ENROLLSRVMSG_CA_FAILURE [7, PID:7248][05/02/2013 16:13:48] :CALayer: SubmitRequest CA: [CA] Errormessage: Denied by Policy Module 2 ErrorCode: 2 [7, PID:7248][05/02/2013 16:13:48] :Only one CA is specified in profile. Failed to enroll with the specified CA: [CA] [7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed [7, PID:7248][05/02/2013 16:13:48] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: Submitting cert request and issuing cert failed at Microsoft.ConfigurationManagement.Enrollment.CALayer.SubmitRequest(EnrollmentRequestState enrollRequest) at Microsoft.ConfigurationManagement.Enrollment.EnrollmentRequestController.Execute() at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action) at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest) at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest) [7, PID:7248][05/02/2013 16:13:48] :FaultCode is: CertificateRequest and reason is: Failed certificate operations FailedToIssueCert

Paul, can you post details about the firewall changes you had to make? My IT department here is segmented such that I don't have direct access to the firewall on the CA, so I want to send them a ticket with instructions. Thanks.