No certificate templates in Certificate Services server on Windows 2019

There are a lot of discussions on here about this problem, and I have spent all day exploring every one of them. All the servers involved in this are Windows 2019: 2 domain controllers and a certificate authority server. After installing the Certificate Services feature, I then also installed the Web Enrollment stuff. But when I go to my server's enrollment site, I am greeted with an error page.

I've chased down several options. I validated permissions via: https://www.altaro.com/hyper-v/windows-ssl-certificate-templates/

I verified LDAP object configurations via: https://docs.microsoft.com/en-US/troubleshoot/windows-server/windows-security/no-certificate-templates-be-found

I verified the configuration from this site: https://docs.microsoft.com/en-us/answers/questions/96739/certificate-template-not-showing.html

I'm running out of options. The template is clearly there.

I'm completely out of ideas. I'm frustrated by this. Has anyone got any other ideas?


Oh my. That can be a tough one. After a lot of troubleshooting and cursing about mscersvc, I compiled a "top list" of my solutions. Sorry if you have already done some of them.

  • Check and verify https://support.microsoft.com/en-us/kb/811418
  • Ensure the security permissions for the templates were set appropriately (check the Application Pool Identity)
  • Make sure (without any doubt!) that your AD replication is working fine and that you can see your templates on each and every DC (!)
  • Ensure that "Supply in the request" is selected under the Subject Name tab
  • Create a brand new IIS application pool and assign the Certsrv directory to it (triple-check the appropriate permissions). Bind with HTTP only (!)
  • Ensure the certificate template compatibility is the same as or below the domain and forest functional level (while on 2019 I wouldn't be surprised if it is not; most domains are on an older FL or DL)
  • Change the application pool's identity from ApplicationPoolIdentity to NetworkService (and double-check the NTFS permissions. This can go strange when Certsvc was set up on a DC, which I would not recommend at all)
  • Check for duplicates and/or decommissioned AD certsvcs (and issuing server names and certificate requests) with ldifde -f check.txt -d "CN=Configuration,DC=<YOURDOM>,DC=<YOURTLD>". When you find a "second" one, hunt it down or remove its templates completely. Then repadmin /syncall /AdePq (and wait)
  • The (outdated) web console needs Read, Write, Enroll and Autoenroll permissions to show the template
  • Make sure your CA is using a Key Storage Provider (KSP) (and SHA2) when using 2019 as the web frontend

I wish you the best of luck.
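The checks in the answer above (template visible on every DC, stray Enrollment Services objects, what the CA actually issues, KSP/SHA2, and the CertSrv app pool identity) can be scripted so you see them side by side instead of clicking through MMC. The following is an added example, not code from the question or the answer; it only reads state and changes nothing. The template name `WebServer` and the `CAHost\CAName` config string are assumed placeholders, as is the IIS site name `Default Web Site` that Web Enrollment normally installs under. It needs the RSAT ActiveDirectory module; the IIS part only works when run on the web-enrollment server itself.

```powershell
# Added example (not part of the original answer). Read-only PKI health checks for the
# "no certificate templates" symptom. Assumed placeholders: -TemplateName, -CAConfig.
param(
    [string]$TemplateName = 'WebServer',                 # ASSUMED: template cn (not display name)
    [string]$CAConfig     = 'ca01.corp.example\Corp-CA'  # ASSUMED: "CAHost\CAName"
)

Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$pksBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Is the template object present on EVERY DC? Querying each DC explicitly
#    (-Server) instead of whatever DC the client picks exposes replication gaps.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    $t = Get-ADObject -Server $dc -SearchBase "CN=Certificate Templates,$pksBase" `
        -Filter "objectClass -eq 'pKICertificateTemplate' -and cn -eq '$TemplateName'" `
        -Properties whenChanged -ErrorAction SilentlyContinue
    $state = if ($t) { "present (whenChanged $($t.whenChanged))" } else { 'MISSING' }
    '{0,-40} template {1}: {2}' -f $dc, $TemplateName, $state
}

# 2. Enrollment Services objects. One per live CA is expected; extras usually belong
#    to a decommissioned CA and confuse web enrollment. Each object's certificateTemplates
#    attribute is the list that CA is allowed to issue.
$es = Get-ADObject -SearchBase "CN=Enrollment Services,$pksBase" `
    -Filter "objectClass -eq 'pKIEnrollmentService'" `
    -Properties dNSHostName, certificateTemplates
foreach ($ca in @($es)) {
    $published = @($ca.certificateTemplates)
    $has = if ($published -contains $TemplateName) { 'includes' } else { 'DOES NOT include' }
    'CA object {0} on {1}: {2} template(s), {3} {4}' -f $ca.Name, $ca.dNSHostName, $published.Count, $has, $TemplateName
}
if (@($es).Count -gt 1) {
    Write-Warning 'More than one pKIEnrollmentService object found; check for a decommissioned CA.'
}

# 3. What the CA itself will issue right now (certutil asks the CA, not AD).
#    If the template is not in this list, web enrollment will never show it.
certutil -config $CAConfig -CATemplates

# 4. Provider and hash the CA key uses: a KSP ("Microsoft Software Key Storage Provider"
#    or an HSM KSP) plus a SHA2 CNGHashAlgorithm, per the answer's last bullet.
certutil -config $CAConfig -getreg ca\CSP\Provider
certutil -config $CAConfig -getreg ca\CSP\CNGHashAlgorithm

# 5. Identity of the app pool serving /CertSrv (run on the web-enrollment server).
#    The answer suggests NetworkService rather than ApplicationPoolIdentity.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $app = Get-WebApplication -Site 'Default Web Site' -Name 'CertSrv'   # ASSUMED site name
    if ($app) {
        $pool = Get-Item "IIS:\AppPools\$($app.applicationPool)"
        'CertSrv runs in app pool {0} as {1}' -f $app.applicationPool, $pool.processModel.identityType
    } else {
        Write-Warning 'CertSrv application not found under Default Web Site.'
    }
} else {
    Write-Warning 'WebAdministration module not available; run step 5 on the web-enrollment server.'
}
```

Run it as a user who can read the Configuration partition (any domain user can, by default) and who is a local administrator on the web-enrollment box for step 5. A template that shows `MISSING` on one DC but `present` on another is a replication problem and nothing in IIS will fix it; run `repadmin /syncall /AdePq` as the answer says and re-run the check. Two `pKIEnrollmentService` objects with the same CA name, or one whose `dNSHostName` no longer resolves, is the decommissioned-CA case the `ldifde` bullet is hunting for.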