Clients are getting wrong "issued to" Certs from NAP CA RRS feed

  • Question

  • I just set up a demo lab using the Step-by-Step Guide: Demonstrate IPsec NAP Enforcement in a Test Lab.

    Everything set up pretty well with one major exception. I am noticing the test client is getting 2 certs. One is "issued to" vm-6999-30.test.local, "Issued by" test-VM-Nap-1-CA and the other cert is "Issued to" VM-NAP-1.test.local "Issued by" test-VM-NAP-1-CA.
    Both Certs have the "Intended Purposes" of System Health Authority and Client Authentication.

    If I force the machine to be "unhealthy" only the second VM-NAP-1.test.local cert is removed. Then a new cert is issued when the machine is healthy again.

    As well, the test-VM-Nap-1-CA cert was issued at an odd time of 12:30ish AM. Definitely not at a time I was doing NAP testing.

    Why would the client be getting certs in this manner?


    Tech with Alberta Education
    Friday, March 4, 2011 6:31 PM

All replies

  • Hi,

    Check the certificate validity period and also check the HRA events. The one that isn't getting deleted was probably not requested by the HRA, but rather was issued directly by the CA via autoenrollment. This is how NAP exemption certificates are issued. Exemption certs will have a long validity period (1 year) as opposed to the 4-24 hour validity period typical of a NAP health certificate.

    Is the name of your HRA vm-6999-30.test.local? If so, then you can fix the "issued to" problem by following step 13 here: http://technet.microsoft.com/en-us/library/dd314164(WS.10).aspx. Since this setting also prevents autoenrollment, I think it will prevent the client from getting two certificates from the same CA. You will need to manually delete the current certificate, but after changing this setting the client *should* get just the one cert.

    -Greg

    Saturday, March 5, 2011 6:10 AM
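    An added example (mine, not part of this thread or of the step-by-step guide) that performs the client-side check Greg describes: it lists every certificate in the machine store that carries the System Health Authentication EKU and labels each one by validity period, so a year-long exemption-style certificate stands out from a short-lived health certificate requested through the HRA. Assumptions: run in an elevated PowerShell on the NAP client; the 24-hour and 180-day thresholds are my own, chosen from the 4-24 hour and 1 year figures in the reply above; the `SubjectIsMe` column compares the subject CN with the client's own FQDN to surface the "issued to the HRA name" symptom from the question.

```powershell
# Added example, not code from the original thread or guide.
# Lists NAP-related certificates in the local machine store and labels
# each by lifetime. Run elevated on the NAP client.

$ShaEkuOid       = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication EKU
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information (v2 templates)
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'     # Certificate Template Name (v1 templates)

function Get-NapCertificateReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    # FQDN of this client, used to spot certificates "issued to" some other name
    # (for example the HRA's name, as described in the question).
    $localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Only certificates whose EKU extension includes System Health Authentication
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $ekuExt) { continue }
        $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($ekus -notcontains $ShaEkuOid) { continue }

        # Thresholds are assumptions based on the reply above:
        # HRA-requested health certs live 4-24 hours, exemption certs about a year.
        $lifetime = $cert.NotAfter - $cert.NotBefore
        $kind = if ($lifetime.TotalHours -le 24) {
                    'health cert (short-lived, requested via HRA)'
                } elseif ($lifetime.TotalDays -ge 180) {
                    'exemption-style cert (long-lived, probably autoenrolled directly from the CA)'
                } else {
                    'unexpected lifetime, check the template'
                }

        # Template extension tells you which template the CA used for this cert
        $tplExt = $cert.Extensions |
            Where-Object { ($TemplateInfoOid, $TemplateNameOid) -contains $_.Oid.Value } |
            Select-Object -First 1
        $template = if ($tplExt) { $tplExt.Format($false) } else { '(no template extension)' }

        $subjectCn = $cert.GetNameInfo('SimpleName', $false)

        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            IssuedTo    = $subjectCn
            SubjectIsMe = ($subjectCn -ieq $localFqdn)
            IssuedBy    = $cert.GetNameInfo('SimpleName', $true)
            NotBefore   = $cert.NotBefore
            NotAfter    = $cert.NotAfter
            Lifetime    = $lifetime
            Template    = $template
            Kind        = $kind
        }
    }
}

# Usage: show every NAP-related certificate with its classification
Get-NapCertificateReport | Format-List
```

    A certificate reported as exemption-style with `SubjectIsMe` set to `True` is the one the question says survives the "unhealthy" test; its `NotBefore` value is the odd 12:30 AM timestamp, which fits an autoenrollment run rather than an interactive NAP test.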
  • I took a look at the things you suggested and can't see that anything is wrong with the setup.

    vm-6999-30.test.local is one of the test machines. None of the test machines are in a group that had autoenrollment set up. Only the vm-NAP-1 server is in the NAP exemption group, which is set up for autoenrollment for the Health Service Certificate.

    12. If this certificate template will be used to issue NAP exemption certificates, click the Security tab, click Add, type IPsec NAP Exemption, and then click OK. Click IPsec NAP Exemption, click the Allow check boxes next to Enroll and Autoenroll, and then click OK.

    The above step is what I would need, as I would use a setup like this to exempt large numbers of servers.

    13. If this certificate template will not be used to issue NAP exemption certificates, click the Subject Name tab, select Supply in the request, click OK, and then click OK again. This setting provides the correct client name in issued certificates, but is not compatible with autoenrollment.

    What does this step accomplish?

    My understanding is the HRA requests a cert based on the template selected in the "Certification Authority" settings.


    Tech with Alberta Education
    Tuesday, March 8, 2011 9:28 PM
  • Hi

    What was the certificate validity period that you found for both certificates? Also, what did the HRA events tell you?

    It sounds like you are issuing health certificates from the Root CA, which is an enterprise CA - either that or you are issuing certificates from both CAs. The step by step guide uses just a standalone, subordinate CA. You can use an enterprise CA, but you will have to change some of the settings. You must have already changed some of these on your own.

    Remember that the HRA requests a certificate on behalf of the client computer. The client does not talk directly to the CA. What step 13 does is allow the "issued to" name to be carried through from the client. If you don't do this step, then even though the client will have a certificate, the "issued to" field will be the name of the HRA, since it was the one that requested the certificate.

    So your HRA is VM-NAP-1.test.local then. The reason why the certificate on your client says it was issued to this machine is what I described above.

    As for the client receiving two certificates, you need to look at the HRA and see if it requested both of these. I doubt that it did. The fact that this second certificate says it was issued to the client tells me that it didn't go through the HRA. You can probably also see the event on the CA that should confirm this. The CA should have issued one certificate to the HRA and another to the client.

    Autoenrollment is tricky. If you don't have security settings to prevent it, your client can easily autoenroll.

    See step 8 here: http://technet.microsoft.com/en-us/library/dd314164(WS.10).aspx:

    "To ensure that noncompliant domain member computers cannot manually enroll with health certificates, click the Security tab, click Domain Computers, and clear the check box under Allow for the Enroll permission. HRA will issue certificate requests on behalf of these computers if they are compliant with health requirements."

    I recall a change that occurred somewhere between 2003 and 2008 where allowing Enroll meant that Autoenroll was automatically allowed. This might be part of the problem. Just make sure that your domain computers do not have permission to Enroll or Autoenroll for this certificate template - then be sure to delete the existing certificate, which I bet has a 1 year validity period.

    Some of these details aren't in the step by step guide because it uses a standalone CA that is subordinate to the root (enterprise) CA. If you deviate from this setup and use the root CA to issue health certificates, then you will run into a few minor problems.

    Tuesday, March 8, 2011 10:22 PM
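    An added example (mine, not from the thread or the guide) for the two server-side checks in the reply above: first, asking the CA database who actually requested each issued certificate, which distinguishes a request submitted by the HRA's computer account from one the client autoenrolled for itself; second, reading the template's ACL from Active Directory to confirm that Domain Computers no longer hold Enroll or Autoenroll, as step 8 of the guide requires. Assumptions: the CA config string and template name below are placeholders for this lab and must be replaced with your own; `certutil` runs with rights to read the CA database; the ActiveDirectory RSAT module is available for the ACL check; the 24-hour cutoff used to label a request as "via HRA" follows the figures quoted earlier in the thread.

```powershell
# Added example, not code from the original thread or guide.
# (1) Who requested each issued certificate, straight from the CA database.
# (2) Which principals hold Enroll / Autoenroll on the health certificate template.

$CaConfig     = 'VM-NAP-1.test.local\test-VM-NAP-1-CA'   # assumed CA config string, replace with yours
$TemplateName = 'System Health Authentication'          # assumed template CN, replace with yours

# Well-known extended-right GUIDs used in certificate template ACLs
$EnrollRight     = [guid]'0e10c968-78fb-11d1-a9c0-0000f80367c1'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Get-CaIssuedCertificates {
    param([string]$Config)
    # Disposition=20 restricts the view to issued certificates.
    $out = & certutil.exe -config $Config -view -restrict 'Disposition=20' `
        -out 'RequestID,RequesterName,CommonName,NotBefore,NotAfter' csv
    # certutil prints a header row (display names) and a trailing status line;
    # keep only data rows, whose first column is the numeric Request ID.
    $out | Where-Object { $_ -match '^"?\d+"?,' } |
        ConvertFrom-Csv -Header 'RequestID','RequesterName','CommonName','NotBefore','NotAfter' |
        ForEach-Object {
            # certutil formats dates in the current locale
            $nb = [datetime]::Parse($_.NotBefore)
            $na = [datetime]::Parse($_.NotAfter)
            $lifetime = $na - $nb
            [pscustomobject]@{
                RequestID     = [int]$_.RequestID
                RequesterName = $_.RequesterName   # HRA machine account vs. client machine account
                IssuedTo      = $_.CommonName
                NotBefore     = $nb
                Lifetime      = $lifetime
                # Assumed cutoff: HRA-requested health certs are short-lived
                Path          = if ($lifetime.TotalHours -le 24) { 'via HRA (health cert)' }
                                else { 'direct enrollment (autoenroll / exemption?)' }
            }
        }
}

function Get-TemplateEnrollmentAcl {
    param([string]$Name)
    Import-Module ActiveDirectory
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    $tpl = Get-ADObject -SearchBase $base -Filter "cn -eq '$Name'" -Properties nTSecurityDescriptor
    if (-not $tpl) { throw "Template '$Name' not found under $base" }

    foreach ($ace in $tpl.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Enroll and Autoenroll are extended rights; an ACE with an empty ObjectType
        # (e.g. GenericAll / "all extended rights") grants both of them.
        $isExtended = $ace.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        $right = switch ($ace.ObjectType) {
            $EnrollRight     { 'Enroll' }
            $AutoEnrollRight { 'Autoenroll' }
            ([guid]::Empty)  { 'AllExtendedRights (includes Enroll and Autoenroll)' }
            default          { $null }
        }
        if ($isExtended -and $right) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Right = $right }
        }
    }
}

# Usage: group issued certs by requester, then show who can enroll for the template.
Get-CaIssuedCertificates -Config $CaConfig |
    Sort-Object RequesterName, RequestID | Format-Table -AutoSize

# Per step 8 of the guide, "Domain Computers" should not appear here with
# Enroll or Autoenroll; if it does, that is how the client got its second cert.
Get-TemplateEnrollmentAcl -Name $TemplateName | Format-Table -AutoSize
```

    If the long-lived certificate's `RequesterName` is the client's own account (for example `TEST\VM-6999-30$`) rather than the HRA's, it did not go through the HRA, which is exactly the distinction the reply draws; removing Enroll and Autoenroll for Domain Computers on the template and deleting the existing certificate on the client are then the fix.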