Wheww!! we finally have the matrix for what works, what doesnt and how to fix it 🙂
The Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX control that is named Xenroll. This ActiveX control is available in Microsoft Windows 2000 and in later versions of Windows. However, Xenroll has been deprecated in Windows Vista and in Windows Server 2008. The sample certificate enrollment Web pages that are included with the original release version of Microsoft Windows Server 2003, with Windows Server 2003 Service Pack 1 (SP1), and with Windows Server 2003 Service Pack 2 (SP2) are not designed to handle the change in how Windows Vista and Windows Server 2008 perform Web-based certificate enrollment operations.