Trying to get a new wireless EAP system working with 2008R2 CA auto-enrolment. We're stuck between two methods.
The auto-enrol certificate template is set to build the subject name from Active Directory.
- If we have 'include e-mail name in the subject name' ticked then the certificate that is generated works with the wireless. BUT it means that there are hundreds of failed template requests on the CA every day from users that don't have email accounts and therefore no e-mail name to include.
- If we have that un-ticked then it solves the problem of having hundreds of failed certificate attempts every day, but the certificate generated isn't sufficient to use for wireless and the Windows clients cannot connect, instead showing a message that a certificate could not be found.
Everything I could find suggests the only thing in there that we need to have for the certificate to be valid is the UPN in the Subject Alternative Name, but this IS ticked (under 'Include this information in alternate subject name' on the template properties). So I'm confused about why these certificates are not valid without an email address rather than a UPN.
Could anyone help figure this out please?