Multiple enterprise subordinate CAs in one domain
- Let's imagine that I have the following PKI structure – one root CA (standalone) and two enterprise CAs. One of these enterprise CAs has the Domain Controller Authentication template published and the other doesn't. As you may know, domain controllers autoenroll certificates according to this template from time to time. So my question would be – will the domain controller be able to find the correct CA in AD with the Domain Controller Authentication template enabled, and will it be able to autoenroll a certificate? I'm afraid that it can get stuck on the CA with this template disabled and fail with autoenrollment :( Thanks.
Answers
- No, the domain controller will find the CA with the template published and will be able to enroll against the template.
Paul Adare CTO IdentIT Inc. ILM MVP
- Proposed as answer by Vadims Podans (MVP), Tuesday, 17 November, 2009 10:16
- Marked as answer by Mervyn Zhang (MSFT, Moderator), Wednesday, 18 November, 2009 9:53
- Hi,
As Paul answered, the DC will find the correct CA to request certificates.
For your information, the Autoenrollment Process:
1. The autoenrollment process downloads certificate templates from the forest and caches the list in the registry at the same time.
2. The autoenrollment process will then process the list of templates and create a requirements list for any templates that have an autoenroll access control entry (ACE) set on the template for the current machine or user.
3. Once a certificate template with the proper ACE has been enumerated, the autoenrollment process will search for a Microsoft Enterprise Certification Authority in Active Directory that can issue the template. If more than one Enterprise CA is found, the client will try each CA in the list in random order (for load balancing) until a CA responds and is able to issue a certificate.
How Autoenrollment Works
http://technet.microsoft.com/en-us/library/cc787781(WS.10).aspx
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked as answer by Mervyn Zhang (MSFT, Moderator), Thursday, 26 November, 2009 5:10
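
To check the CA lookup from step 3 in your own forest, the following added example (not part of the original thread) reads the Enterprise CA objects under Enrollment Services in the Configuration partition and reports which of them list a template in their `certificateTemplates` attribute. It assumes a domain-joined machine with read access to the Configuration partition, and that the template's common name is `DomainControllerAuthentication`; adjust `-TemplateName` if your template was duplicated under another name.

```powershell
# Added example: list every Enterprise CA registered in AD and whether it
# publishes a given certificate template (the lookup autoenrollment relies on).
param(
    # Template common name, not display name. Assumed to be the default CN of
    # the "Domain Controller Authentication" template.
    [string]$TemplateName = 'DomainControllerAuthentication'
)

# Locate the forest-wide Configuration partition, then the Enrollment Services container.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = $rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter      = '(objectClass=pKIEnrollmentService)'
$searcher.SearchScope = 'OneLevel'
foreach ($attr in 'cn', 'dNSHostName', 'certificateTemplates') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

# One row per Enterprise CA. Search result property names are lower-case.
$cas = foreach ($result in $searcher.FindAll()) {
    $published = @($result.Properties['certificatetemplates'])
    New-Object psobject -Property @{
        CAName    = @($result.Properties['cn']) -join ''
        HostName  = @($result.Properties['dnshostname']) -join ''
        Publishes = ($published -contains $TemplateName)
    }
}

$cas | Sort-Object CAName | Format-Table CAName, HostName, Publishes -AutoSize

# Only CAs that publish the template are candidates for the client's random-order attempts.
$eligible = @($cas | Where-Object { $_.Publishes })
if ($eligible.Count -eq 0) {
    Write-Warning "No Enterprise CA publishes '$TemplateName'; autoenrollment for it cannot succeed."
} else {
    $names = ($eligible | ForEach-Object { $_.CAName }) -join ', '
    "Autoenrollment candidates for '$TemplateName': $names"
}
```

In the scenario from the question, the table should show `Publishes` as True for exactly one of the two enterprise CAs.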
All replies
- Hi,
Do you need any other assistance? If there is anything we can do for you, please let us know.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.