If a user consistently has problems enrolling in advanced security, check the Key Management Server event log for the following entry:
mailbox o=yourOrg, ou=yourSite, cn=recipients, cn=yourAlias has failed being enabled
If this entry appears multiple times in the log, check the event log on the Certificate Server computer for the following entry or a similar entry.
The Certificate Server could not process request 1312 due to an error: 0x8007000d. The request was for CN=yourAlias, CN=recipients, OU=yourSite, O=yourOrg. The certificate would contain an encoded length that is potentially incompatible with older enrollment software. Submit a new request using different length input data for the following field: Extensions.Array.Extension.Value[2] ObjectId=2.5.29.17
To avoid these messages and enroll the user in advanced security, change the length of the display name or the alias of the affected mailbox. This changes the length of the encoded value so that the Certificate Server can issue the certificate. Another way to avoid these messages is to edit the following registry key entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Certsvc\configuration\%caname%\CertEnrollCompatible
Change the value to zero, which disables the Certificate Server encoded-length check. This may cause errors if the certificate is to be used by Microsoft Internet Explorer 3.0 or later.
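The length-based workaround above can be illustrated with a small DER encoder (an added example, not code from this article, from Exchange, or from Certificate Server). It assumes that the incompatible form is the one-byte long-form length (0x81 xx, a content length of 128 to 255 bytes) and that the extension with ObjectId 2.5.29.17 holds a single rfc822Name GeneralName; both are assumptions, since the article does not state the exact criterion or the extension contents.

```python
# Added example: shows how the length of an alias changes the DER length
# encoding of the ObjectId 2.5.29.17 (subjectAltName) extension value.
# ASSUMPTION: the "incompatible" form is a long-form length with one length
# byte (0x81 xx). ASSUMPTION: the extension holds one rfc822Name (tag [1]).

def der_length(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    """Tag, DER length, value (single-byte tags only)."""
    return bytes([tag]) + der_length(len(value)) + value

def san_rfc822(email: str) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName, with one rfc822Name ([1] IMPLICIT IA5String)."""
    general_name = der_tlv(0x81, email.encode("ascii"))
    return der_tlv(0x30, general_name)

def has_single_byte_long_length(der: bytes) -> bool:
    """Walk the TLVs (recursing into constructed values) and flag any 0x81 length byte."""
    pos = 0
    while pos < len(der):
        tag, first = der[pos], der[pos + 1]
        if first == 0x81:
            return True
        if first < 0x80:
            length, header = first, 2
        else:
            count = first & 0x7F
            length = int.from_bytes(der[pos + 2 : pos + 2 + count], "big")
            header = 2 + count
        start = pos + header
        if tag & 0x20 and has_single_byte_long_length(der[start : start + length]):
            return True
        pos = start + length
    return False

def flagged_local_part_lengths(domain: str, max_len: int = 300) -> tuple:
    """Smallest and largest alias (local-part) lengths whose SAN encoding is flagged."""
    flagged = [n for n in range(1, max_len)
               if has_single_byte_long_length(san_rfc822("a" * n + "@" + domain))]
    return (flagged[0], flagged[-1]) if flagged else (None, None)

if __name__ == "__main__":
    # Constructed sample domain; aliases of 114 to 243 characters are flagged for it.
    print(flagged_local_part_lengths("example.com"))
```

Both the outer SEQUENCE length and the inner string length can fall into the flagged range, which is why the flagged window starts two characters before the string itself reaches 128 bytes.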