diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/LinuxAbuse.tsx
index 874627307e..83ce889f64 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/LinuxAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/LinuxAbuse.tsx
@@ -30,6 +30,15 @@ const LinuxAbuse: FC = () => {
'certipy req -u john@corp.local -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC6 -upn administrator@corp.local'
}
+
+ If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+ cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does
+ not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The
+ 'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only
+ be set on computer objects. Computers have validated write permission to their own 'dNSHostName'
+ attribute by default, but neither users nor computers can write to their own 'mail' attribute by
+ default.
+
Step 2: Request a ticket granting ticket (TGT) from the domain, specifying the certificate
created in Step 1 and the IP of a domain controller:
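Review bot: The troubleshooting paragraph added after the Step 1 command is pasted verbatim into four components (this file plus ADCSESC6a/WindowsAbuse.tsx, ADCSESC6b/LinuxAbuse.tsx and ADCSESC6b/WindowsAbuse.tsx), so any later correction to its attribute or permission statements must be made four times and the copies can drift. Moving it into one shared help-text fragment that all four components render would keep it consistent. The wording also states a single cause as fact: `then it is because the enrollee principal does not have their 'mail' or 'dNSHostName' attribute set` would be safer as `the likely cause is that the enrollee principal has no 'mail' or 'dNSHostName' attribute set, whichever the certificate template requires`. The surrounding markup is not visible in the hunk, and the LinuxAbuse component body starts and ends outside it, so the placement of a shared fragment is for the author to confirm.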
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx
index 12e36054d6..296249a25f 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx
@@ -30,6 +30,15 @@ const WindowsAbuse: FC = () => {
'.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestroot\\ForestRootDA'
}
+
+ If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+ cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does
+ not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The
+ 'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only
+ be set on computer objects. Computers have validated write permission to their own 'dNSHostName'
+ attribute by default, but neither users nor computers can write to their own 'mail' attribute by
+ default.
+
Step 2: Convert the emitted certificate to PFX format:
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx
index 275e0334c2..2c91fa3bf5 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx
@@ -33,6 +33,15 @@ const LinuxAbuse: FC = () => {
'certipy req -u john@corp.local -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC6 -upn administrator@corp.local'
}
+
+ If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+ cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does
+ not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The
+ 'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only
+ be set on computer objects. Computers have validated write permission to their own 'dNSHostName'
+ attribute by default, but neither users nor computers can write to their own 'mail' attribute by
+ default.
+
Step 2:
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx
index a9b6f1bef5..0d81e85a18 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx
@@ -33,6 +33,15 @@ const WindowsAbuse: FC = () => {
'.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestroot\\ForestRootDA'
}
+
+ If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+ cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does
+ not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The
+ 'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only
+ be set on computer objects. Computers have validated write permission to their own 'dNSHostName'
+ attribute by default, but neither users nor computers can write to their own 'mail' attribute by
+ default.
+
Step 2: