This repository was archived by the owner on Oct 4, 2024. It is now read-only.

Intermediate CA: Failed to add computer account to AWS Delegated Enterprise Certificate Authority Administrators #49

Open
hammondr opened this issue Mar 18, 2022 · 2 comments

Comments

@hammondr

I am using this quickstart to create a two-tiered CA structure in AWS GovCloud. When trying to use S3 for CRLs, the QS would fail with S3 errors. I wonder if the CF template is able to handle S3 URLs in the GovCloud regions... I have skipped the S3 integration for now but the stack deployment is failing with this error on the intermediate CA:

Getting a Domain Controller to perform actions against
Adding computer account to elevated permission group for install
Failed to add computer account to AWS Delegated Enterprise Certificate Authority Administrators Insufficient access rights to perform the operation
failed to run commands: exit status 1

The CA Admin account (samaccountname: zcaadmin) is in these groups:
[image: group membership list]

The blog did not list all of these groups but I found a github issue that referred to additional groups so I am trying that.

Do you have any recommendations for overcoming the Failed to add computer account to AWS Delegated Enterprise Certificate Authority Administrators error? Thanks!
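A diagnostic for exactly this failure, added here as an example and not part of the quickstart or the issue: run on a domain-joined host, it lists the account's nested group memberships and then inspects the target group's ACL for an ACE that would let the account write the group's `member` attribute, which is what "adding a computer account" requires. It assumes the RSAT ActiveDirectory module is installed; the account and group names are the ones quoted in the issue, and the user's DN is assumed to contain no LDAP-filter special characters.

```powershell
Import-Module ActiveDirectory

$Account    = 'zcaadmin'   # sAMAccountName named in the issue
$TargetName = 'AWS Delegated Enterprise Certificate Authority Administrators'
# Schema GUID of the 'member' attribute, the property a membership change writes
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$user  = Get-ADUser  -Identity $Account
$group = Get-ADGroup -Identity $TargetName

# Every group the account belongs to, nested ones included (LDAP_MATCHING_RULE_IN_CHAIN)
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$sids = @($user.SID.Value) + @($nested | ForEach-Object { $_.SID.Value }) +
        @('S-1-5-11', 'S-1-1-0')   # Authenticated Users and Everyone, present in every token
"Effective group membership of $Account`:"
$nested | Select-Object -ExpandProperty Name | Sort-Object

# Rights that permit changing the group's member list
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$broad     = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'

$acl = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
$matching = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }   # unresolvable (orphaned) trustee, cannot match the account
    if ($aceSid -notin $sids) { continue }
    $hasBroad  = ($ace.ActiveDirectoryRights -band $broad) -ne 0
    $hasMember = (($ace.ActiveDirectoryRights -band $writeProp) -ne 0) -and
                 ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $MemberAttrGuid)
    if ($hasBroad -or $hasMember) { $ace }
}

if ($matching) {
    "ACEs on '$TargetName' that let $Account modify its membership:"
    $matching | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize
} else {
    "No ACE on '$TargetName' grants $Account write access to 'member'; expect 'Insufficient access rights'."
}
```

If the second branch prints, the fix is a delegation on the target group (or on the container it inherits from), not a change to the CA template.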

@hammondr
Author

The results improved when I added the CA Admin user to the "AWS Delegated Allowed to Authenticate to Domain Controllers" group.

@girvenj
Contributor

girvenj commented Mar 29, 2022

The "AWS Delegated Allowed to Authenticate to Domain Controllers" group is only used for trusts with Selective Authentication enabled. It does not make sense how that helped in this case.
