Channel: Security forum
CEP/CES enrollment problem

I'm trying to set up cert request/renewal through CEP/CES in a 2008 R2 domain. We have one root domain (where the CA/subordinate CA are) and two child domains. One of the child domains is in the same site as the root domain, and all clients have full RPC connectivity to the CAs. There are no problems in this domain.

The other child domain is connected to the root via IPsec and is in a separate site. Only the DCs in this domain have connectivity to the root for replication/auth purposes, and the clients have no RPC connection.

I want to allow auto-enrollment of certs to work, as well as manual requests via the cert MMC snap-in from clients in this domain. We've been using the old certsrv web server proxy, and this works OK for manual user requests, but I needed a way to allow automatic enrollment to work.

I've set up both the CEP/CES roles on a DC in this domain, using Windows integrated authentication. I've actually followed the full MS doc here on setting this up, and from what I can tell everything is configured OK, but I have these specific problems:

1. If a client tries to request a new cert through the MMC snap-in, stepping through the wizard, I can see the correct certificate enrollment policy listed, but when I click Next there's a long pause before I get the message "Enrollment error: The specified domain either does not exist or could not be contacted".

2. If I try to renew an existing certificate, then after a pause I can see the correct cert template with a status of Available, and I can enroll it OK.

Reading the setup doc: although it states that you shouldn't need to set an SPN for an account if you have CEP/CES on the same server, others have said that it still won't work without it, so I did this extra step, specifying a resource account in the same domain to act as the delegate. Again, this looks OK in the config, but it doesn't fix the problem.

Before anyone asks: we have to have clients in this domain for security reasons, it's not an option to give them RPC access directly to the root domain certificate servers, and these are all domain-joined clients.
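Added diagnostic script (not part of the original post, and not from Microsoft's CEP/CES documentation) for the SPN and delegation step the poster describes. The enrollment error text quoted above is the message of Win32 error 1355 (ERROR_NO_SUCH_DOMAIN), so the checks below concentrate on the Kerberos path from client to CES to CA rather than on the certificate templates. The host names, the `svc-ces` service account and the domain names are assumptions; substitute your own. It runs on the CEP/CES server with the RSAT ActiveDirectory module and `setspn.exe` available, which a 2008 R2 DC has.

```powershell
# Added diagnostic for a CEP/CES deployment using Windows integrated authentication.
# ASSUMED names (replace with your own):
#   $CesHost    - DC in the isolated child domain that hosts CEP and CES
#   $CesAccount - domain account the CES application pool runs as
#   $CaHost     - issuing (subordinate) CA in the root domain
param(
    [string]$CesHost    = "ces-dc01.child2.example.com",
    [string]$CesAccount = "CHILD2\svc-ces",
    [string]$CaHost     = "subca01.root.example.com"
)

Import-Module ActiveDirectory

# 1. Negotiate/Kerberos to CES only works if HTTP/<ces fqdn> is registered on
#    the account the application pool runs as, and on that account alone.
#    A missing SPN silently downgrades to NTLM (which cannot delegate); a
#    duplicate SPN makes the KDC refuse to issue a ticket at all.
Write-Host "== SPNs registered for $CesAccount =="
setspn -L $CesAccount
Write-Host "== Owner of HTTP/$CesHost (expect exactly one result: $CesAccount) =="
setspn -Q "HTTP/$CesHost"

# 2. CES submits the request to the CA over DCOM/RPC as the calling user, so
#    the CES account must be allowed constrained delegation (Kerberos only)
#    to the CA computer's HOST and rpcss services. This is what replaces the
#    client's own RPC connectivity to the root domain.
$sam = $CesAccount.Split('\')[-1]
$acct = Get-ADUser -Identity $sam -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation
Write-Host "== Delegation configured on $sam =="
Write-Host "TrustedForDelegation (unconstrained, should be False): $($acct.TrustedForDelegation)"
$targets = @($acct.'msDS-AllowedToDelegateTo')
foreach ($svc in "HOST/$CaHost", "rpcss/$CaHost") {
    if ($targets -contains $svc) { Write-Host "OK      $svc" } else { Write-Host "MISSING $svc" }
}

# 3. Delegation needs the CES host to locate a DC for the CA's domain over the
#    IPsec link; error 1355 is the DC locator's failure code. Run this on the
#    CES server, not on a client.
$caDomain = ($CaHost -split '\.', 2)[1]
Write-Host "== DC locator for $caDomain from $env:COMPUTERNAME =="
nltest /dsgetdc:$caDomain

# 4. Clients should be talking HTTPS to CES, never RPC to the CA. From a client
#    in the isolated domain this must succeed without any route to the root.
Write-Host "== TCP 443 reachability to $CesHost from this machine =="
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($CesHost, 443); Write-Host "OK      $CesHost`:443" }
catch { Write-Host "FAILED  $CesHost`:443 ($($_.Exception.Message))" }
finally { $tcp.Close() }

# 5. The policy server URLs a client will use (pushed by Group Policy or added in
#    the Certificates MMC) are stored here; confirm the URL points at the CEP
#    host in this domain and not at the old certsrv proxy.
Write-Host "== Policy servers configured on this machine =="
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Cryptography\PolicyServers' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath }
```

Run sections 1 to 3 on the CEP/CES server and sections 4 and 5 on one of the affected clients. The asymmetry the poster sees (renewal lists the template, a fresh request fails) is consistent with the renewal path reusing cached policy while a new request forces the full delegated round trip to the CA, so a MISSING line in section 2 or a failed `nltest` in section 3 is the first thing to chase.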
