
Windows Server 2025 Enterprise CA not populating User Certificate Subject DN from Active Directory

Mikhail 20 Reputation points
2025-12-26T10:28:56.9+00:00

Hello. I've met a problem on my non-prod environment and cannot understand if the issue is real or I am undereducated. I've spent a lot of time troubleshooting it with Claude and still have no solution. Is it a bug or my huge misunderstanding/misconfiguration?

Enterprise CA on Windows Server 2025 (Build 26100.7462) fails to populate Subject Distinguished Name for user certificates when configured to "Build from Active Directory information." Computer certificates work correctly with identical configuration.


Environment

  • CA Server: Windows Server 2025 (Build 26100.7462)
  • CA Type: Enterprise CA (AD-integrated)
  • Clients: Windows 11
  • Enrollment: Both GPO autoenrollment and manual MMC enrollment tested
  • AD Attributes: All users have populated cn, mail, userPrincipalName

Symptoms

Expected: Certificate Subject DN should contain CN=User Full Name from AD attribute

Actual: Certificate Subject DN is completely empty (zero-length field)

What Works

Computer certificates - Subject correctly shows CN=COMPUTERNAME.domain.com

Manual subject specification - Subject="CN=Test User Manual" produces populated Subject

Subject Alternative Name - UPN and email correctly populated from same AD user object

CA database - certutil -view shows CommonName field populated from AD

What Fails

All user certificate templates (built-in "User" and custom templates made as copy of built-in)

Both autoenrollment via GPO and manual enrollment via certmgr.msc

All subject name formats (Common Name, Full Distinguished Name, etc.)

Both English and Cyrillic characters in cn attribute

Troubleshooting Completed

Verified AD Permissions

  • CA computer account has ReadProperty + GenericExecute on Users container
  • Get-ADUser works from CA server (RSAT installed)
  • CA service runs as NT AUTHORITY\SYSTEM

Tested Template Settings

  • Changing compatibility from Windows Server 2003 to 2016 - no change
  • Tested all subject name format options - all fail
  • Created fresh template duplicates - same issue
  • Modified msPKI-Certificate-Name-Flag values - no improvement

Tested Character Encoding

  • English-only username: FAILS
  • Cyrillic username: FAILS
  • Disabled EnforceX500NameLengths - no change

Verified CA Service

  • Restarted CA service multiple times
  • Cleared client certificate enrollment cache
  • No errors in Application event log related to subject building

Reproduction Steps

Minimal Test Case

  1. Install Windows Server 2025 Build 26100.7462 as Enterprise CA
  2. Use default User certificate template (no modifications)
  3. Publish template to CA via certsrv.msc
  4. On client: certmgr.msc → Request New Certificate → Select "User" template
  5. View issued certificate → Details → Subject field is empty

Can anyone else reproduce this on Windows Server 2025 Build 26100? Is this expected behavior or a bug?

Any guidance from Microsoft or the community would be greatly appreciated.

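One thing worth checking before concluding the CA is at fault is what the template actually stores in Active Directory, since the "Subject Name" tab is only a rendering of the msPKI-Certificate-Name-Flag attribute. The script below is an added example, not code from the question or from Microsoft: it reads the template object from the Configuration partition and decodes the CT_FLAG_* bits (values from the MS-CRTD specification), so you can confirm that the template really says "build from AD" and which subject component the CA is expected to derive. It assumes the ActiveDirectory RSAT module is available (the question says it is on the CA server); the template name "UserCopy" is a hypothetical placeholder.

```powershell
# Added example (not from the original post): decode a certificate template's
# Subject Name flags directly from the Configuration partition.
Import-Module ActiveDirectory

# CT_FLAG_* values as documented in MS-CRTD (msPKI-Certificate-Name-Flag).
$nameFlags = [ordered]@{
    'ENROLLEE_SUPPLIES_SUBJECT'              = 0x00000001
    'OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME' = 0x00000008
    'ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME'     = 0x00010000
    'SUBJECT_ALT_REQUIRE_DOMAIN_DNS'         = 0x00400000
    'SUBJECT_ALT_REQUIRE_SPN'                = 0x00800000
    'SUBJECT_ALT_REQUIRE_DIRECTORY_GUID'     = 0x01000000
    'SUBJECT_ALT_REQUIRE_UPN'                = 0x02000000
    'SUBJECT_ALT_REQUIRE_EMAIL'              = 0x04000000
    'SUBJECT_ALT_REQUIRE_DNS'                = 0x08000000
    'SUBJECT_REQUIRE_DNS_AS_CN'              = 0x10000000
    'SUBJECT_REQUIRE_EMAIL'                  = 0x20000000
    'SUBJECT_REQUIRE_COMMON_NAME'            = 0x40000000
    'SUBJECT_REQUIRE_DIRECTORY_PATH'         = 0x80000000
}

function Get-TemplateNameFlags {
    param([Parameter(Mandatory)][string]$TemplateName)

    $configNC    = (Get-ADRootDSE).configurationNamingContext
    $templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tpl = Get-ADObject -SearchBase $templatesDN -LDAPFilter "(cn=$TemplateName)" `
                        -Properties 'msPKI-Certificate-Name-Flag','msPKI-Template-Schema-Version'
    if (-not $tpl) { throw "Template '$TemplateName' not found under $templatesDN" }

    # AD stores the attribute as a signed Int32; reinterpret the bits as UInt32 so
    # that 0x80000000 (SUBJECT_REQUIRE_DIRECTORY_PATH) compares correctly.
    $raw  = [int32]$tpl.'msPKI-Certificate-Name-Flag'
    $bits = [BitConverter]::ToUInt32([BitConverter]::GetBytes($raw), 0)

    $set = foreach ($name in $nameFlags.Keys) {
        if (($bits -band [uint32]$nameFlags[$name]) -ne 0) { $name }
    }

    # Which component the CA is expected to put into the Subject DN.
    if     (($bits -band 0x00000001) -ne 0) { $source = 'Supplied in the request (not checked against AD)' }
    elseif (($bits -band [uint32]0x80000000) -ne 0) { $source = 'AD: fully distinguished name' }
    elseif (($bits -band 0x40000000) -ne 0) { $source = 'AD: common name' }
    elseif (($bits -band 0x10000000) -ne 0) { $source = 'AD: DNS name as CN' }
    else                                    { $source = 'AD: no Subject DN component requested' }

    [pscustomobject]@{
        Template      = $tpl.Name
        SchemaVersion = $tpl.'msPKI-Template-Schema-Version'
        NameFlagHex   = ('0x{0:X8}' -f $bits)
        SubjectSource = $source
        FlagsSet      = ($set -join ', ')
    }
}

# Usage: the built-in template from the question; "UserCopy" is a hypothetical duplicate.
Get-TemplateNameFlags -TemplateName 'User' | Format-List
# Get-TemplateNameFlags -TemplateName 'UserCopy' | Format-List
```

If SubjectSource reports an AD-derived component and the issued certificates still carry an empty Subject, the template is not the problem and the CA's name-building is. If it reports "Supplied in the request" (ENROLLEE_SUPPLIES_SUBJECT), remember that the CA then accepts whatever subject the requester puts in the CSR without validating it against AD, so that setting should only be combined with tightly scoped enrollment permissions or CA manager approval.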

Answer accepted by question author
Jason Nguyen Tran 12,485 Reputation points Independent Advisor
2025-12-26T11:18:50.5166667+00:00

Hi Mikhail,

Based on your findings, what you are seeing is not a misconfiguration on your part but rather a known behavior change in Windows Server 2025 Enterprise CA. In this build, user certificate templates no longer automatically populate the Subject Distinguished Name from Active Directory attributes when “Build from Active Directory information” is selected. Instead, the design relies on Subject Alternative Name (SAN) fields such as UPN and email, which explains why those values are correctly populated while the Subject DN remains empty.

This change was introduced to align with modern PKI practices, where SAN is considered the authoritative identity field for user certificates. The Common Name (CN) is now optional and often left blank to avoid ambiguity. That’s why computer certificates still show CN values (as they are tied to DNS names), but user certificates default to SAN-only.

If you require CN values in the Subject DN for legacy applications, you can configure the certificate template to allow manual subject entry or use custom enrollment policies/scripts to populate the CN from AD. Another option is to adjust the template’s “Subject Name” settings to “Supply in the request,” though this requires user or automated enrollment input.

To summarize: this is expected behavior in Windows Server 2025, not a bug. Your troubleshooting confirms the system is working as designed, even though it differs from earlier versions.

If this explanation helps clarify the situation, please hit “Accept Answer” so I know your issue is resolved 😊.

Jason.

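Whether or not the change is intended, the practical consequence of the answer above is that any application relying on the Subject CN of user certificates will now see an empty field, while identity has to be read from the SAN. The script below is an added example, not code from the answer or from Microsoft: it audits the certificates in a certificate store, shows which template each was issued from, flags an empty Subject DN, and extracts the UPN and RFC822 (e-mail) names from the SAN extension, so the poster's symptom can be confirmed across many certificates at once. The store path and template filter are assumptions; point it at Cert:\LocalMachine\My to compare against the computer certificates that the question says still work.

```powershell
# Added example (not from the original answer): audit Subject DN vs. SAN identities
# for certificates in a store. Store path and template filter are assumptions.
$storePath    = 'Cert:\CurrentUser\My'
$templateName = 'User'   # v1 template name from the question; '' lists every certificate

function Get-CertTemplate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v1 templates carry the name in OID 1.3.6.1.4.1.311.20.2;
    # v2+ templates carry "Template=<OID>, Major/Minor Version" in 1.3.6.1.4.1.311.21.7.
    foreach ($oid in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($false).Trim() }
    }
    return '(no template extension)'
}

function Get-SanIdentities {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 = subjectAltName. Format($true) returns the same multi-line text
    # certmgr.msc displays, e.g. "Principal Name=user@domain" and "RFC822 Name=user@domain".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return [pscustomobject]@{ UPN = $null; Email = $null } }
    $text = $san.Format($true)
    [pscustomobject]@{
        UPN   = [regex]::Match($text, 'Principal Name=(\S+)').Groups[1].Value
        Email = [regex]::Match($text, 'RFC822 Name=(\S+)').Groups[1].Value
    }
}

function Get-SubjectSanReport {
    param([string]$Path, [string]$TemplateFilter)
    Get-ChildItem $Path |
        Where-Object { -not $TemplateFilter -or (Get-CertTemplate $_) -like "*$TemplateFilter*" } |
        ForEach-Object {
            $ids = Get-SanIdentities $_
            [pscustomobject]@{
                Thumbprint   = $_.Thumbprint
                Template     = Get-CertTemplate $_
                SubjectEmpty = [string]::IsNullOrEmpty($_.Subject)   # the reported symptom
                Subject      = $_.Subject
                UPN          = $ids.UPN
                Email        = $ids.Email
                NotAfter     = $_.NotAfter
            }
        }
}

Get-SubjectSanReport -Path $storePath -TemplateFilter $templateName | Format-Table -AutoSize
```

A row with SubjectEmpty = True but a populated UPN matches the behaviour described in the question; a row with both empty means the SAN was not built either and points at a different problem (enrollment permissions or the requester's AD attributes). For v2 and later templates the Template column shows the template OID rather than its display name, so set $templateName to that OID or leave it empty.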
