Known issue

Active Directory Federation Service tries to issue a certificate for the Service Account from the Microsoft® Enrollment Agent profile every 12 hours to check the status of the Certificate Authority in spite of the certificate validity, configured on the Microsoft® Enrollment Agent profile. However, since the default value for Allow duplicate certificates is Disabled for the template, DigiCert Certificate Authority will reject the request, resulting in an error showing up under Windows Event Log (Applications and Services Logs → AD FS → Admin):

Screenshot of Windows Event Viewer Log

Also following CR_DISP_DENIED log entries will appear in AEServer logs for this request:

2022-06-29 11:24:03 INFO  [4916] CBT_CertRequestD2::dispositionFromStatus()[BT_CertRequestD2.cpp:190]:INFO: disposition: 2 (CR_DISP_DENIED - Request denied) req state: RB_FAILED2022-06-29 11:24:03 INFO  [4916] CBT_CertRequestD2::Request2()[BT_CertRequestD2.cpp:980]:INFO: disposition after processNewTransaction: CR_DISP_DENIED - Request denied2022-06-29 11:24:03 INFO  [4916] CBT_CertRequestD2::Request2()[BT_CertRequestD2.cpp:981]:INFO: pdwRequestId -> 1642022-06-29 11:24:03 INFO  [4916] CBT_CertRequestD2::Request2()[BT_CertRequestD2.cpp:1022]:## Request2(): returning 0x0

DigiCert has already reported this issue to Microsoft, but we have come to a conclusion that this error entry will not impact the overall functionality of the Windows Hello for Business.

Even if you Enable the Allow duplicate certificates for Microsoft® Enrollment Agent profile, it will eventually result in the same error after 10 successful certificate issuance. This is due to DigiCert® Trust Lifecycle Manager only allowing 10 duplicate certificate issuance against the same Seat Id even if the profile allows it.