Certificate Services Error – ‘The Email name is unavailable and cannot be added to the Subject or Subject Alternate name’

KB ID 0001029

Problem

Server: Windows Server 2012 R2
Client: Windows 8 Enterprise

I was setting up auto-enrollment this morning, and the computer certificates were being issued but not the user ones. The policies were correct, the registry keys on the clients were correct, and even RSOP told me the users ‘should’ be getting certificates.

However, nothing was working, so I decided to ‘manually enroll’ and this happened;

The Email name is unavailable and cannot be added to the Subject or Subject Alternate name. Denied by Policy Module the request ID is {number}

As I could see it was denied, I went and looked in Failed Requests; sure enough, that was where my auto-enrollment had been failing.

Event ID Logs

A look in the event log on the Certificate Server also gave me this.

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 03/02/2015 13:31:07
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: PETENETLIVE\petelong
Computer: PNLWin800v.petenetlive.com
Description:
Certificate enrollment for PETENETLIVE\petelong failed to enroll for a PNL-User certificate with request ID 23 from PNLPKI00v.petenetlive.com\petenetlive-CA (The EMail name is unavailable and cannot be added to the Subject or Subject Alternate name. 0x80094812 (-2146875374)).

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Date: 03/02/2015 13:28:52
Event ID: 6
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: PNLWin800v.petenetlive.com
Description:
Automatic certificate enrollment for PETENETLIVE\petelong failed (0x80094812) The EMail name is unavailable and cannot be added to the Subject or Subject Alternate name.

Solution

The certificate template I was using needed the following option removed (WARNING: don’t do this if you are going to use these certs to sign emails – I was not). I also removed the ‘Include e-mail name’ option below.

Or (as a quick fix, as I was on my test network with one user) I simply gave that user an entry in the E-mail field in Active Directory.

Another Option: Give all users an email address using PowerShell, see the following article;

PowerShell – Update All Domain Users With Email Address From UPN
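Before enabling user auto-enrollment it is worth finding every account that would fail the same way. The script below is an added example, not code from the article or the linked PowerShell post: it lists enabled users with no E-mail address and, with the script's own -Fix switch, sets it from the UPN; -SearchBase is also this script's own parameter.

```powershell
# Added example, not code from the original article: list the enabled users under an
# OU that have no E-mail address (the attribute the PNL-User template needs for the
# Subject Alternative Name) and, with -Fix, populate it from the UPN as the article's
# PowerShell quick fix does. Needs the ActiveDirectory module (RSAT); -SearchBase and
# -Fix are this script's own parameters, not something from the article.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,
    [switch]$Fix
)
Import-Module ActiveDirectory

# Enabled accounts whose 'mail' attribute is empty. Disabled accounts are skipped; they
# never auto-enroll and would only add noise to the report.
$missing = @(Get-ADUser -SearchBase $SearchBase `
    -Filter 'Enabled -eq $true -and mail -notlike "*"' `
    -Properties mail, UserPrincipalName)

"{0} enabled user(s) under {1} have no E-mail address" -f $missing.Count, $SearchBase
$missing | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

if ($Fix) {
    foreach ($u in $missing) {
        # Only a UPN that is shaped like an address is usable as a mail value.
        if ($u.UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            Write-Warning "Skipping $($u.SamAccountName): UPN '$($u.UserPrincipalName)' is not address-shaped"
            continue
        }
        # Honours -WhatIf / -Confirm, so the change can be previewed before it is made.
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set mail to $($u.UserPrincipalName)")) {
            Set-ADUser -Identity $u -EmailAddress $u.UserPrincipalName
        }
    }
}
```

Once the attribute is populated, `certutil -pulse` on the client (or the next group policy refresh) re-triggers auto-enrollment, and the new request should no longer land in Failed Requests.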

Related Articles, References, Credits, or External Links

NA

Event ID 29

KB ID 0001032 

Problem

Seen on a Microsoft Certificate Services server running NDES.

Log Name: Application
Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Date: 04/02/2015 11:22:26
Event ID: 29
Task Category: None
Level: Error
Keywords:
User: PETENETLIVE\SVC_NDES
Computer: PNLPKI00v.petenetlive.com
Description:
The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request.

Solution

I got this error every time a network device tried to enroll with the NDES server. You see this error because the NDES server is expecting the challenge password that is generated by visiting http://{hostname-of-NDES-Server}/certsrv/mscep_admin.

Normally I disable the password requirement when I build NDES; this time I’d simply forgotten. To disable the password requirement, follow this process.

Related Articles, References, Credits, or External Links

NA

Event ID 128 – Certification Authority

KB ID 0001033 

Problem

Seen in the application log of a Windows Certificate Services server (Server 2012 R2)

[box]Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 07/02/2015 15:55:26
Event ID: 128
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: PNLPKI00v.petenetlive.com
Description:
An Authority Key Identifier was passed as part of the certificate request 29. This feature has not been enabled. To enable specifying a CA key for certificate signing, run: "certutil -setreg ca\UseDefinedCACertInRequest 1" and then restart the service.[/box]

Solution

The event is pretty much telling you exactly what to do to fix it! Open an elevated command prompt and enter the following commands;

[box]

certutil -setreg ca\UseDefinedCACertInRequest 1
net stop CertSvc
net start CertSvc

[/box]

Or you can simply open the registry editor and navigate to;

[box]HKLM > SYSTEM > CurrentControlSet > Services > CertSvc > Configuration > {your-server-name}[/box]

Change the UseDefinedCACertInRequest value to 1 (one), then restart the Certificate Services service.

Related Articles, References, Credits, or External Links

NA

Cisco AnyConnect – Securing with Microsoft Certificate Services

Part 1 (How to Configure Microsoft Certificate Services for AnyConnect)

KB ID 0001030 

Problem

I’ve done a lot of AnyConnect deployments, and I’ve even done them with certificates in the past. I’ve seen plenty of articles and blogs that say ‘It would be better to use a PKI deployment like Microsoft Certificate Services’, but there’s very little info out there on how to set it up.

I have a client that was going to deploy Microsoft Direct Access, but due to unforeseen circumstances has changed their requirements and wants to use AnyConnect instead, (with the following requirements).

  • The connection should be ‘always on’ for their remote clients.
  • It should use certificate based authentication that would use their existing PKI deployment.
  • They should be able to control the remote clients from their corporate location (if required).
  • They should be able to roll out the software using Microsoft SCCM.

So I disappeared with an ESXi server, a spare firewall, and a large mug of coffee.

Solution

I am going to send out both user and computer certificates, and I’m going to get the machines to ‘Autoenroll’ for the certificates with group policy. (You could just use ‘User’ certificates, but that would be too easy).

1. Remember certificates are time specific, so make sure your Windows domain is keeping good time. I’ve written about this before, but to cut a long story short, carry out the following on your PDC emulator at an elevated command prompt.

[box]

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update
net stop "windows time"
net start "windows time"
w32tm /resync

[/box]

2. I’m assuming you have Certificate Services set up and have certificate templates for computers and users; if not, see Installing Microsoft Certificate Services. Ensure you have the templates published and that they are configured correctly, like so;

User Certificate Template

Computer Certificate Template

3. Publish the Certificates.

4. Set up a Group Policy for Certificate Auto-enrolment.

5. For User certificate auto-enrollment go to:

[box]

User Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrolment

[/box]

6. For Computer certificate auto-enrollment go to:

[box]

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrolment

[/box]

7. Ensure your target machines have their certificates (user and computer).

***OPTIONAL STEP***

I’m using NDES to put the certificates on my Cisco ASA, and I want to use that same certificate on the ‘outside’ interface of my ASA. Now, I could just manually get a cert by creating a CSR and giving that to my certificate authority, then use the ‘Web Server’ template and everything would be peachy. However, I want NDES to do ‘EVERYTHING’ for me, so I need to make a change to the certificate template that NDES uses (by default ‘IPSEC (Offline request)’). I need to add the ‘Server Authentication’ application policy (enhanced key usage), or when I enable the cert on the outside interface I will get an error. To that end, I need to create a new certificate template, and then get NDES to use that template instead.

1. Open the Certification Authority management console > Right click Certificate Templates > Manage.

2. Locate ‘IPSEC (Offline request)’ template and clone it.

3. Give the cert a name (in the ‘template name’ section leave no spaces or special characters). Then copy the template name to notepad, (you’ll find out why in a minute).

4. Extensions Tab > Application Policies > Edit.

5. Add > Locate and add ‘Server Authentication’ > OK > OK.

6. If NDES is set up correctly, your NDES service account should already have enroll rights to this template, but check to be on the safe side.

7. Save and publish the new template.

8. Remove the original IPSEC (Offline request) template.

9. To get NDES to use the new template you need to edit three registry values. Open ‘regedit’ and navigate to;

[box]HKLM > Software > Microsoft > Cryptography > MSCEP[/box]

Change the following keys to the new template name;

  • EncryptionTemplate
  • GeneralPurposeTemplate
  • SignatureTemplate

10. At this point you need to restart IIS, though in my case I just rebooted the server.
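Steps 9 and 10 can be scripted, and it is safer to check the template name before writing it to the registry, because a mistyped name is the usual reason NDES starts failing after the change. The script below is an added example, not the article's own code; $TemplateName is its own parameter, and 'PNLNDESServerAuth' is a constructed name, not one from the article.

```powershell
# Added example, not code from the original article: switch NDES to the cloned template
# (steps 9 and 10) after checking the name is valid and the template exists in AD.
# Run elevated on the NDES server. $TemplateName is the 'Template name' value noted in
# step 3, e.g. 'PNLNDESServerAuth' (a constructed name, not one from the article).
param([Parameter(Mandatory = $true)][string]$TemplateName)

# Step 3 says the template name must contain no spaces or special characters.
if ($TemplateName -notmatch '^[A-Za-z0-9]+$') {
    throw "Template name '$TemplateName' contains spaces or special characters"
}

# Templates live in the forest's Configuration partition; check the object exists under
# the exact name before writing anything to the registry.
Import-Module ActiveDirectory
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
if (-not (Get-ADObject -Identity $templateDN -ErrorAction SilentlyContinue)) {
    throw "No certificate template object at $templateDN (use the template name, not the display name)"
}

# The three MSCEP values from step 9, with the old value shown for the change record.
$key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
foreach ($name in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    $old = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    Set-ItemProperty -Path $key -Name $name -Value $TemplateName
    "{0}: '{1}' -> '{2}'" -f $name, $old, $TemplateName
}

# Step 10: NDES runs under IIS, so restart IIS rather than rebooting the whole server.
iisreset /restart
```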


Related Articles, References, Credits, or External Links

In Part 2 – We will configure the ASA and AnyConnect.