KB ID 0001029
Problem
Server: Windows Server 2012 R2
Client: Windows 8 Enterprise
I was setting up auto-enrollment this morning, and the computer certificates were getting issued but not the user ones. The policies were correct, the registry keys on the clients were correct, even RSOP told me the users ‘should’ be getting certificates.
However nothing was working, so I decided to ‘manually enroll’ and this happened:
The Email name is unavailable and cannot be added to the Subject or Subject Alternate name. Denied by Policy Module the request ID is {number}
As I could see it was denied, I went and looked in Failed Requests on the CA, and sure enough, this was where my auto-enrollment had been failing.
Event ID Logs
A look in the event log on the Certificate Server also gave me this.
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 03/02/2015 13:31:07
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: PETENETLIVE\petelong
Computer: PNLWin800v.petenetlive.com
Description: Certificate enrollment for PETENETLIVE\petelong failed to enroll for a PNL-User certificate with request ID 23 from PNLPKI00v.petenetlive.com\petenetlive-CA (The EMail name is unavailable and cannot be added to the Subject or Subject Alternate name. 0x80094812 (-2146875374)).

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Date: 03/02/2015 13:28:52
Event ID: 6
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: PNLWin800v.petenetlive.com
Description: Automatic certificate enrollment for PETENETLIVE\petelong failed (0x80094812) The EMail name is unavailable and cannot be added to the Subject or Subject Alternate name.
Solution
The template was configured to put the user’s e-mail name into the certificate subject or subject alternative name, but the user had no e-mail address set in Active Directory, so the CA’s policy module rejected the request. The certificate template I was using needed the following option removed (WARNING: Don’t do this if you are going to use these certs to sign emails – I was not). I also removed the include E-mail name option below.
Or (as a quick fix – I was on my test network with one user) I simply gave that user an entry in their E-mail field in Active Directory.
Another Option: Give all users an email address using PowerShell, see the following article;
PowerShell – Update All Domain Users With Email Address From UPN
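The following is an added example for this article, not the author’s script and not the one in the linked article: it finds the client-side event 6 failures with 0x80094812, lists the enabled users whose mail attribute is empty (the root cause), and fills mail from the UPN with -WhatIf support so the change can be previewed first. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read and write the user mail attribute; the domain-wide SearchBase default and the function names are my own.

```powershell
# Added example (not the article's own code or its linked script).
# Assumes the RSAT ActiveDirectory module and rights to write 'mail' on users.
Import-Module ActiveDirectory

# 1. Detect: on an affected client, list recent auto-enrollment failures that
#    carry the 0x80094812 "EMail name is unavailable" error from the article.
function Get-EmailNameEnrollFailures {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        Id           = 6
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x80094812' } |
        Select-Object TimeCreated, Message
}

# 2. Root cause: enabled users whose 'mail' attribute is empty. A template that
#    includes "E-mail name" in the subject or SAN cannot be issued to them,
#    whether the request comes from auto-enrollment or manual enrollment.
#    Returns ADUser objects so the result can be piped straight into step 3.
function Get-UsersMissingMail {
    param(
        # Assumption: scope is the whole domain; pass an OU DN to narrow it.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    Get-ADUser -Filter 'Enabled -eq $true -and mail -notlike "*"' `
               -SearchBase $SearchBase `
               -Properties mail, UserPrincipalName
}

# 3. Fix: populate 'mail' from the UPN. Supports -WhatIf so you can review
#    exactly which accounts would be changed before touching AD.
function Set-MailFromUpn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [Microsoft.ActiveDirectory.Management.ADUser]$User
    )
    process {
        $upn = $User.UserPrincipalName
        if ([string]::IsNullOrEmpty($upn)) {
            Write-Warning "$($User.SamAccountName): no UPN set, skipping"
            return
        }
        # Only accept an address-shaped UPN; anything else would end up as an
        # invalid rfc822Name in the issued certificate's SAN.
        if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            Write-Warning "$($User.SamAccountName): UPN '$upn' is not address-shaped, skipping"
            return
        }
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, "Set mail = $upn")) {
            Set-ADUser -Identity $User -EmailAddress $upn
        }
    }
}

# Usage (preview first, then apply, then confirm on the client):
#   Get-UsersMissingMail | Select-Object SamAccountName, UserPrincipalName
#   Get-UsersMissingMail | Set-MailFromUpn -WhatIf
#   Get-UsersMissingMail | Set-MailFromUpn
#   Get-EmailNameEnrollFailures   # run on the client after the next autoenrollment pass
```

Run the -WhatIf pass first and read the list: any account whose UPN suffix is not a real mail domain will otherwise end up with a certificate carrying an address nobody owns, which is the same reason the article warns against removing the e-mail name from a template that will sign mail.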
Related Articles, References, Credits, or External Links
NA