Assume the following scenario:
- Machines are configured by group policy to request certificates for the remote desktop session host.
- However, the certificates are not applied for.
- In the event log of the affected system, event ID 1064 from source TerminalServices-RemoteConnectionManager is logged:
The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
Cause and solution
The error occurs when the clients do not have the "Enroll" permission on the certificate template configured by group policy.
The clients' computer objects need the "Enroll" permission on the certificate template configured in the group policy.
It is recommended to use autoenrollment for Remote Desktop certificates rather than having the Remote Desktop Session Host request the certificate itself. For more details, see the article "Configuring a Certificate Template for Remote Desktop (RDP) Certificates".
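The following PowerShell script is an added example, not part of the original article, for checking the described condition on an affected RD Session Host: it reads the template name set by the group policy, looks up the template's ACL in the Configuration partition and tests whether the given identity (by default "Domain Computers") holds the Certificate-Enrollment extended right, and lists recent 1064 events. It assumes the RSAT ActiveDirectory module is installed, that the GPO writes the template name to the registry value named in the code, and that the event is written to the System log by the provider named in the code.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory module,
# the GPO registry value name and the event provider name shown below.
Import-Module ActiveDirectory

function Get-RdpCertTemplateName {
    # Template name written by the "Server authentication certificate template" policy (assumed value name)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    (Get-ItemProperty -Path $key -Name 'CertTemplateName' -ErrorAction SilentlyContinue).CertTemplateName
}

function Get-RdpEnrollmentFailures {
    # Event 1064 is the symptom described in the article (assumed provider name / log)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
        Id           = 1064
    } -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

function Test-TemplateEnrollPermission {
    param(
        [Parameter(Mandatory)] [string] $TemplateName,
        [string] $Identity = "$env:USERDOMAIN\Domain Computers"
    )
    # "Enroll" on a template is the Certificate-Enrollment extended right with this well-known GUID
    $enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $configNc    = (Get-ADRootDSE).configurationNamingContext
    $templateDn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $acl = Get-Acl -Path "AD:\$templateDn"
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        $_.ActiveDirectoryRights.HasFlag($extRight) -and
        ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty)  # Empty = all extended rights
    }
    return [bool]$match
}

# Run on the affected RD Session Host with an account that can read the template ACL
$template = Get-RdpCertTemplateName
if ($template) {
    "RDP certificate template from GPO: $template"
    "Domain Computers has Enroll: $(Test-TemplateEnrollPermission -TemplateName $template)"
}
Get-RdpEnrollmentFailures
```

If the check returns False for the template the GPO names, granting "Enroll" to the computers' group on that template (or switching to autoenrollment as recommended above) resolves the 1064 event.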
External sources
- RDP TLS Certificate Deployment Using GPO (Carlos Perez)