Windows 2012 PKI Issuing Subordinate CA question

-

hello all,

i have question implementing 802.11x wireless authentication using client computer certificates in 2 tier pki environment. have 1 root offline ca ,  multiple issuing subordinate ca's @ each site location.  is there way publish/deploy site specific computer templates ?  the way see now,  is if issuing ca's publish version of computer templates , each client computer in our domain end getting multiple computer certs issued each ca in personal certificates store. 

how can have issuing ca of site issue certs computers physically located in site a.  auto-enroll publish computers domain wide.  is manual enroll way out ?  i don't see gpo setting can leverage deploy personal client computer certificates , bind specific ou.

thanks

neeraj

 

> way see now,  is if issuing ca's publish version of computer templates , each client computer in our domain end getting multiple computer certs issued each ca in personal certificates store.

yep. , can't stick client local site ca. cas registered in active directory , discoverable forest member. , if multiple templates (on different cas) are available particular user , autoenrollment enabled, client contact cas required certificates.

> manual enroll way out ?

no, not way out. client able manually request certificates cas.

> don't see gpo setting can leverage deploy personal client computer certificates , bind specific ou.

you may need create security group ou , designate certificate template group. however, have track group membership, when users moved between ous.

vadims podāns, aka powershell cryptoguy
weblog: en-us.sysadmins.lv
powershell pki module: pspki.codeplex.com
powershell cmdlet editor pscmdlethelpeditor.codeplex.com
check out new: ssl certificate verifier
check out new: powershell file checksum integrity verifier tool.



Windows Server  >  Security



Comments

Post a Comment

Popular posts from this blog

Microsoft-Windows-CAPI2 Access Denied Event ID 4110 error

-
hi team, i need help! have install symantec application windows server 2008 r2 workspace , i'm running error message , on event viewer this.: xml view.: - <event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <system>   <provider name="microsoft-windows-capi2" guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" eventsourcename="microsoft-windows-capi2" />    <eventid qualifiers="0">4110</eventid>    <version>0</version>    <level>2</level>    <task>0</task>    <opcode>0</opcode>    <keywords>0x8080000000000000</keywords>    <timecreated systemtime="2016-06-20t07:17:05.960875000z" />    <eventrecordid>1491095</eventrecordid>    <correlation />    <execution processid="284" threadid="5460" />    <channel>application</channel> 
Read more

Sospecha de accesos indebidos

-
buen día. desde hace algún tiempo en el lugar donde laboró se viene presentando un inconveniente o es una sospecha de nosotros, lo que sucede es que en el visor de eventos de un ws 2012 r2, encontramos lo siguiente el historial de accesos en el subárbol \??\c:\users\usuariodominio\ntuser.dat se borró mediante la actualización de 426 claves y la creación de 28 páginas modificadas. en esa ubicación c:\users\ encontramos la carpeta del perfil creada.  pero no logrado encontrar algún tipo de información en la cual pueda atacar este incidente. igualmente en los equipos tengo un firewall perimetral de una marca reconocida incluyendo antivirus, entre las funcionalidades del firewall tengo detector de intrusos. por lo cual no se si puede ser alguna aplicación que lo haga. pero pues el único registro que encuentro es con el que me referí antes. dicho servidor me sincroniza mi ad con office 365. pero esto se vino presentando desde hace un tiempo para aca. muchas gracias p
Read more

AD Replication Failure Between Server 2008 R2 and Server 2003 - LDAP bind failed with error 8341

-
Image
hello, i adopted rather messy network previous engineer.  have 2008 r2 domain controller cannot replicate 2003 domain controller.  2003 pdce,  holding fsmo roles. both servers dns servers. as can see below, replication has not occurred in 3 months.  has become large issue workstations on network, exchange server. please note believe have done job of making sure there not duplicate dns entries either dc2003 or dc2008r2 on either server. thank can give. issues encountered while running commands from dc2008r2 : - when browse \\dc2003 dc2008r2 receive error: logon failure: account name incorrect. - when run dcdiag /test:dns i receive following initial error: performing initial setup:    trying find home server...    home server = dc2008r2    * identified ad forest.    [dc2003] ldap bind failed error 8341,    directory service error has occurred..    got error while checking if dc using frs or dfsr. error:    directory service error has occurred.the
Read more