PKI and Direct Access machine Cert

  • Question

  • Hi, my setup is as follows.


    -Offline root CA (Root1-ca) and two online Subordinate Enterprise PKI servers (PKI01 and PKI02)

    -Clients set to Auto enrollment for machine certificates

    Direct Access

    -2 Servers 2008 R2 SP1 running UAG in an array

    -Current setup is working well except for one minor detail


    The Direct Access machine certificate is from PKI01. As the client machines are set to auto-enroll for the certificate through AD group policy, they could get a machine certificate from either PKI server. If they get a certificate from PKI01 then DA works as it should; if they get a cert from PKI02 then Direct Access won't connect to these clients, as the Direct Access machine certificate is from PKI01. I have tried having a machine certificate from each PKI server on both Direct Access UAG servers, but that doesn't work and causes intermittent Direct Access connectivity issues. My current workaround is to manually enroll a client certificate from PKI01 if it gets a certificate from PKI02.

    Is there a way around this issue that anyone is aware of? Within the GPO I can't specify which PKI to auto-enroll from; I can only do this manually.



    Stevo Davey

    Thursday, January 17, 2013 8:20 PM

All replies

  • Hi

    When you set up your DirectAccess infrastructure in your UAG console, you select one single certification authority. This information is registered in the server-side GPO and client-side GPO. GPO does not permit selecting which server to use for certificate auto-enrollment. You will have to manage certificate distribution through the Auto-Enroll permission on the certificate template.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Friday, January 18, 2013 10:48 AM
  • Thanks BenoitS, I see now. How would one edit the second PKI to stop machines auto-enrolling from that server and have machines only auto-enroll from the first PKI server?



    Stevo Davey

    Monday, January 28, 2013 10:49 PM
  • Hi

    Enroll permission is a certificate template permission. So the solution should be to reconfigure the required certificate template to not allow auto-enroll, or just deny auto-enroll for a particular population. In your case, it is your DirectAccess clients.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Proposed as answer by BenoitSMVP Tuesday, January 29, 2013 10:16 PM
    Monday, January 28, 2013 10:54 PM
  • Thanks, would I remove the current auto-enrollment via GPO of the machine certificate, then duplicate a template off the PKI01 computer template that auto-enrolls for Direct Access machines but only auto-enrolls from PKI01? Sorry, my PKI knowledge is a bit limited around templates.

    Then add this template to the GPO for auto-enrollment if a machine is a Direct Access machine.

    Should I then revoke all the machine certificates issued by PKI02?

    And Direct Access users would then auto-enroll, based on access, for a machine certificate from PKI01?


    Stevo Davey

    Tuesday, January 29, 2013 1:23 AM
  • OK, I got it from what you said. Basically I created the new template based off a machine template on the PKI server I wanted it to come from, and set up the group for Direct Access machines to auto-enroll the certificate, and only that group. Then I went to the GPO that was on the laptops for Direct Access (not the GPO made by Direct Access, as it gets overwritten) and edited the Certificate Services Client - Auto-Enrollment properties under Public Key Policies to Enabled, with "Renew expired certificates, update pending certificates" etc. and "Update certificates that use certificate templates". After that and a gpupdate /force, the certificate from the template was on the machine and Direct Access is working 100% every time now.

    Thanks BenoitS for your help!

    Stevo Davey

    Tuesday, January 29, 2013 9:38 PM
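An added example, not part of the thread, that follows on from the fix above: once the dedicated template is only issued by PKI01, the remaining problem is clients that still carry a machine certificate from PKI02. This PowerShell audit (run on a DirectAccess client, elevated) lists the machine certificates that came from the DA template, flags any whose issuer is not the expected CA, optionally deletes the stray ones from the local store, and then pulses auto-enrollment so the client picks up a fresh certificate from the correct CA. The CA name `PKI01-CA` and the template name `DA Machine Cert` are assumed placeholders; the template OIDs and `certutil -pulse` are standard Windows values.

```powershell
# Added example (not from the thread). Audit the LocalMachine\My store on a
# DirectAccess client for machine certificates issued from the DA template
# by a CA other than the expected one, optionally remove them locally, and
# trigger auto-enrollment so the client re-enrolls from the correct CA.
# ASSUMED placeholders: the issuing CA common name and the template name.
param(
    [string]$ExpectedIssuerCN = 'PKI01-CA',        # assumed CA name (placeholder)
    [string]$TemplateName     = 'DA Machine Cert', # assumed template name (placeholder)
    [switch]$Remove                                # delete stray certs locally
)

# Extension OIDs Windows uses to record which template a certificate came from.
$v2TemplateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$v1TemplateOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

function Get-CertTemplateText {
    # Returns the human-readable template extension text, or $null if absent.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $v2TemplateOid -or $ext.Oid.Value -eq $v1TemplateOid) {
            # v2 renders as "Template=<name>(<oid>), Major Version Number=..., ...";
            # v1 renders as just the template name.
            return $ext.Format($false)
        }
    }
    return $null
}

function Get-DaMachineCertReport {
    # One record per certificate that was issued from the DA template.
    param([string]$ExpectedIssuerCN, [string]$TemplateName)
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $tmpl = Get-CertTemplateText -Cert $cert
        if (-not $tmpl -or $tmpl -notlike "*$TemplateName*") { continue }
        # SimpleName with forIssuer=$true gives the issuer CN.
        $issuerCN = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            IssuerCN       = $issuerCN
            SerialNumber   = $cert.SerialNumber
            NotAfter       = $cert.NotAfter
            FromExpectedCA = ($issuerCN -eq $ExpectedIssuerCN)
            Certificate    = $cert
        }
    }
}

$report = @(Get-DaMachineCertReport -ExpectedIssuerCN $ExpectedIssuerCN -TemplateName $TemplateName)
$report | Select-Object Thumbprint, IssuerCN, SerialNumber, NotAfter, FromExpectedCA | Format-Table -AutoSize

$stray = @($report | Where-Object { -not $_.FromExpectedCA })
if ($stray.Count -eq 0) {
    Write-Host "All DA template certificates were issued by $ExpectedIssuerCN."
} elseif ($Remove) {
    # X509Store.Remove works on PowerShell 2.0 (Windows 7 era clients) as well,
    # where Remove-Item on the Cert: drive is not supported.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    foreach ($s in $stray) {
        Write-Host "Removing $($s.Thumbprint) issued by $($s.IssuerCN) (serial $($s.SerialNumber))"
        $store.Remove($s.Certificate)
    }
    $store.Close()
    # Deleting locally does NOT revoke the certificate on the issuing CA.
    # On the CA that issued it, an admin would run (reason 4 = Superseded):
    #   certutil -config "<PKI02 host>\<PKI02 CA name>" -revoke <SerialNumber> 4
    # Kick auto-enrollment now instead of waiting for the next policy cycle.
    certutil -pulse | Out-Null
    Write-Host "Triggered auto-enrollment; re-run this script to confirm the new certificate."
} else {
    Write-Warning "$($stray.Count) DA template certificate(s) not issued by $ExpectedIssuerCN; re-run with -Remove to delete them and re-enroll."
}
```

Run it first without `-Remove` to see what the client holds; the `FromExpectedCA` column shows whether the certificate DirectAccess will present came from PKI01. Because a locally deleted certificate is still valid on the CA side, the serial numbers the report prints are what you would hand to the PKI02 administrator if you decide the stray certificates should also be revoked.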
  • That's the goal of this forum.

    Enjoy your DirectAccess

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, January 29, 2013 10:16 PM