UAG with NAP and multiple client certificates per client

  • Question

  • First, I do have NAP and UAG working, it's working great actually, but I have two things that I'm not able to resolve.  The first one might not be an issue exactly but is annoying.  The clients get the SHA certificate on their computers, but for some reason the certificate is always issued to the UAG server.  I see this on both their computer and the Sub CA server.  This brings me to the second issue I have.  When a client gets the certificate, there are multiple certificates that show up in the CA server while the client only gets two.  Each certificate is issued to the UAG server and the intended purpose is the SHA.  I'm not sure why it creates multiple certificates for each computer.  It also does not delete any certificates for the clients.  So if I connect 5 people, I usually get 10 certificates in the CA server and they are never deleted by the UAG server if the client is not compliant.  Then I can disconnect those 5 people and reconnect them and they'll get 10 more certificates in the CA server and the old ones will still be listed.

    Here is the setup:

    1 UAG Server with SP1, it's also running the NPS service for NAP

    1 dedicated enterprise subordinate certificate server running Server 2008 R2.  I've created a 2008 SHA template that is not published in AD and is set to not store the certificates and requests in the CA database.  For the security settings, I've disabled the enroll option for Domain Computers and added my UAG server to Read, Enroll, and Autoenroll.

    Has anyone experienced issues like this?

    Friday, January 7, 2011 9:48 PM

Answers

  • Hi Ryan,

    The SHA cert will have the name of the HRA, in this case the UAG server, as to the CA this is the cert requestor, not the DA client itself; I believe this is normal.

    If you have enabled the "don't store" option on the template, you also need to configure the CA as follows:

    On the issuing CA, run the following command: CertUtil.exe -SetReg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS.

    This is probably why you see the system health certs listed...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by RyanM_H Saturday, January 8, 2011 8:28 PM
    Saturday, January 8, 2011 12:17 AM
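    The check below is an added example, not something posted in this thread or shipped with UAG: run on the issuing CA in an elevated PowerShell prompt, it reads the CA's DBFlags with the in-box certutil.exe and reports whether DBFLAGS_ENABLEVOLATILEREQUESTS is set, which is what the accepted answer says a "don't store" template needs so that SHA requests and certificates stop accumulating in the CA database. It assumes certutil -getreg prints the symbolic names of the set flag bits alongside the DWORD, and it only reports; the remediation line it prints is the command from the answer above.

```powershell
# Added example (not from the thread): confirm the issuing CA accepts volatile
# requests, as the accepted answer requires for a "don't store" SHA template.
# Run elevated on the CA itself. Uses only the in-box certutil.exe.

function Test-CaVolatileRequests {
    [CmdletBinding()]
    param()

    # certutil -getreg DBFlags prints the DWORD plus the names of the bits that are set,
    # e.g. "DBFLAGS_ENABLEVOLATILEREQUESTS -- ..." (assumption: symbolic names are listed).
    $output = & certutil.exe -getreg DBFlags 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -getreg DBFlags failed (is this the CA, and is the prompt elevated?):`n$($output -join "`n")"
    }

    $enabled = [bool]($output | Select-String -SimpleMatch 'DBFLAGS_ENABLEVOLATILEREQUESTS')

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        VolatileRequestsEnabled = $enabled
        RawDBFlags              = (($output | Where-Object { "$_" -match 'DBFlags' }) -join ' ').Trim()
    }
}

$state = Test-CaVolatileRequests
$state | Format-List

if (-not $state.VolatileRequestsEnabled) {
    Write-Warning 'Volatile requests are disabled: every SHA request and certificate will be persisted in the CA database.'
    Write-Warning 'Fix (from the accepted answer), then restart the CA service so the setting takes effect:'
    Write-Warning '  CertUtil.exe -SetReg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS'
    Write-Warning '  net stop certsvc; net start certsvc'
}
```

    Running it before and after the SetReg command gives a quick before/after record for the change ticket; the template side (the "do not store certificates and requests in the CA database" option) still has to be set separately, as the original poster already had.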

All replies

  • That was the command I was missing that put this all together.  Thanks for your help!
    Saturday, January 8, 2011 8:28 PM