I am using 2008 R2 Certificate Services to issue certs across multiple forests (although don't let that muddy the waters).
I have a need to issue certificates for use with s/ldap, so I have duplicated the Kerberos cert, removed all Intended Purposes other than Server Authentication, and configured appropriate security to allow Domain Controllers/Domain Admins to enrol. The certificate also requires CA Manager Approval.
Everything looks good - I am able to enrol for the cert via the MMC, the request goes into pending, and I am then able to issue the cert. However, when I go back into the MMC on the Server that requested the cert and choose All Tasks | Automatically Enrol and Retrieve Certificates, I choose the pending cert and then get Access Denied.
On the issuing Server, I get an Event 21 in the App Log:
Active Directory Certificate Services could not process request 8466 due to an error: Access is denied. 0x80070005 (WIN32: 5). The request was for CN=server.domain.com.
On the Server that requested the cert, I get an Event 9:
Certificate enrollment for Local system was denied by servername\Issuing CA when retrieving the pending request for a SecureLDAPCertificate certificate with request ID 8466.
The strange thing is, if I follow this procedure but using the certsrv website, it works fine and I can install the certificate.
What am I missing? Or is this one of those random quirks of AD CS?
Any help is appreciated.