Resolution

Send data collected in chapters https://veridiumid.atlassian.net/l/cp/pfVex0q1 and https://veridiumid.atlassian.net/l/cp/azzhUUG5 to Veridium support team for analysis.

Certification Authority is not trusted in user domain

You need to export CA Root certificate (name it root.cer) and Issuing CA certificate (name it CA.cer).
Note, in some cases it might be same certificate (than simply export it twice using two different names).

On RA server, Install CA management tools: (Domain admin permissions are required for steps 14-16 )

1. Start Server manager

2. Client Manage->Add Roles and Features

   

3. Click Next on Welcome screen:

   

4. Client Next on Select installation type:

   

5. Client Next on Server selection:

   

6. Client Next on Select Server roles (don’t add/remove anything)

   

7. Select Certification Authority Management Tools and click Next button

   

8. Click “Install” button

   

9. Wait till component is installed and then close window:

   

10. Hit Start menu and execute mmc.exe

    

11. Go to File menu, option Add/Remove Snap-in…

    

12. Select „Enterprise PKI“ on left panel and click „Add“ button. Than click „“ button.

    

13. Make a right-click on Enterprise PKI and click “Manage AD containers”

    

14. Go to “NTAuthCertificates” tab. Add CA.cer certificate there (by clicking “Add” button).

    

15. On your client machine, and on Domain Controller, please execute following command:
    certutil -enterprise -addstore CA.cer NTAuthCA
    Expected response:

    

16. Add CA certificate trust: The best is to introduce GPO to distribute CA root certificate as trusted everywhere. Steps are described on: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy