Jump to content
  • 0

Citrix_RegistrationAuthority_ManualAuthorization autoenrollment

Jeroen Blosser


Hi all,


I have a working environment with the Federated Authentication Services. We also have autoenrollment of certificates set in de Default Domain GPO.


Our workstations are now trying to autoenroll the Citrix_RegistrationAuthority_ManualAuthorization certificate. I already removed the Domain Computers from the security tab, and added the FAS servers with enroll and autoenroll checked. The rest I left default.


CREATOR OWNER, SYSTEM and Domain Admins have all boxes checked. Authenticated Users only the read box.


What are the correct security settings for this template to prevent autoenrollment from the workstations?




Link to comment

4 answers to this question

Recommended Posts

  • 1

If anyone is struggling with this, check out this page: https://support.citrix.com/article/CTX237503


Turns out that permissions were set incorrectly on the templates created by older versions of FAS.   Domain computers were given the ability to Enroll, and this will cause a hwole lote of invalid requests.


After you correct the template, you're probably stuck with a bunch of pending requests and it's going to be almost impossible to clean them up manually.  You can do it from a command line, but it might get rid of more than what you want so be careful:


certutil -deleterow <date> request


This will tell certutil to delete all REQUESTs in the Pending Request container up to the value you entered in <date>.  The format of <date> will be based on your regional settings, but you should be able to match it with the format in the console.  


Be careful with this command -- it can be dangerous!  Make sure you read up on it before running it so you know what you're doing.

  • Like 1
Link to comment
  • 0

So... What do we do if our machines are all trying to enroll in this ManualAuthorization even though the permissions don't include Domain Computers? We do have a GPO set to auto enroll in a Computer certificate. The ManualAuthorization cert is a computer certificate, so I'm not sure how to auto enroll our machines in a Computer certificate, but not this one.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...