Channel: Security forum

Cross domain autoenroll using Enrollment Web Services


In a multiforest environment I've set up a PKI with a single offline root and a failover clustered issuing enterprise CA in a resource forest. The idea is to use that PKI to issue certificates to computers and users in the other forests. To this end I've also set up a couple of webservers running the Certificate Authority Web Services and made it all work together. I can manually request certificates from the PKI from another forest successfully using Kerberos authentication (they trust each other).

However, now I need to go the next step and have the certificates autoenrolled. So I made sure all the autoenroll settings I need are pushed to the clients with a GPO and the template I want to enroll has the autoenroll permissions set to the accounts I want to autoenroll to (same template I just successfully enrolled manually). So far so good. Except the certificates don't autoenroll.

I think I either forgot something, or autoenrollment through the web services simply doesn't work as I think it should. What did I miss?

