Certificate Services Error – ‘The Email name is unavailable and cannot be added to the Subject or Subject Alternate name’

KB ID 0001029

Problem

Server: Windows Server 2012 R2
Client: Windows 8 Enterprise

I was setting auto-enrollment this morning, and the computer certificates were getting issued but not the user ones. The policies were correct, the registry keys on the clients were correct, even RSOP told me the users ‘should’ be getting certificates.

However nothing was working so I decided to ‘manually enroll’ and this happened;

The Email name is unavailable and cannot be added to the Subject or Subject Alternate name. Denied by Policy Module the request ID is {number}

As I could see it was denied, I went and looked in failed requests, sure enough, here was where my auto enrollment had been failing.

Event ID Logs

A look in the event log on the Certificate Server also gave me this.

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 03/02/2015 13:31:07
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: PETENETLIVEpetelong
Computer: PNLWin800v.petenetlive.com
Description:
Certificate enrollment for PETENETLIVEpetelong failed to enroll for a PNL-User
 certificate with request ID 23 from PNLPKI00v.petenetlive.competenetlive-CA 
(The EMail name is unavailable and cannot be added to the Subject or Subject 
Alternate name. 0x80094812 (-2146875374)).

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Date: 03/02/2015 13:28:52
Event ID: 6
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: PNLWin800v.petenetlive.com
Description:
Automatic certificate enrollment for PETENETLIVEpetelong failed (0x80094812) 
The EMail name is unavailable and cannot be added to the Subject or Subject 
Alternate name.

Solution

The certificate template I was using needed the following option removing (WARNING: Don’t do this if you are going to use these certs to sign emails – I was not). I also removed the include E-mail name option below.

Or (as a quick fix -I was on my test network with one user) I simply gave that user an entry in their Email field in Active Directory.

Another Option: Give all users an email address using PowerShell, see the following article;

PowerShell – Update All Domain Users With Email Address From UPN

Related Articles, References, Credits, or External Links

NA