Autoenrollment Process: How a Computer client selects an Issuing Certificate Authority.
Hi Guys, I'm just after some clarification about the process a computer goes through when autoenrolling a digital certificate, and how it selects the issuing CA in an environment with multiple issuing CAs.

I have a single domain forest running at Windows 2003 domain/forest functional level. However, all my certificate authorities are running Windows 2008 R2 SP1. The PKI is a 2-tier environment spread across 2 sites: Head Office and Branch sites. The root is a standalone offline root, and the CA certificate has been published to AD and the corresponding AIA locations. The second-tier CAs are enterprise subordinate CAs and are combination Policy+Issuing CAs; these are named 'Issue01' and 'Issue02'. Issue01 is located in the head office site and Issue02 is located in the branch site.

I have autoenrollment configured to apply via GPO to an OU named 'Test-OU', and have my test computers from both the Head Office site and the Branch office in there. The computer accounts are members of a security group 'Test-CERTENROLL', and that group is subsequently granted the Read, Enroll and Autoenroll permissions on the Workstation certificate template, and this all works fine.

Basically, my question in relation to this environment is: how does a computer in the head office site know to automatically enrol at Issue01 and not Issue02? I assume there is some link with the AD lookup and its site association with the client computer's subnet, but I'm not sure. Can someone clarify the process? The end result is I want to control autoenrollment so the computers in the 2 sites only try to enrol with their respective issuing CAs.

Kind Regards,
Aaron
March 19th, 2012 12:11am

On Mon, 19 Mar 2012 04:03:11 +0000, Aaron Bowden wrote:

> Basically my question in relation to this environment is, how does a computer in the head office site know to automatically enrol at Issue01 and not Issue02? I assume there is some link with the AD lookup and its site association with the client computers subnet, but I'm not sure. Can someone clarify the process? End result is I want to control autoenrollment so the computers in the 2 sites only try to enrol with their respective issuing CAs.

Certificate Services is unfortunately not a site-aware application. The client will query AD for the CAs that can fulfill its autoenrollment request, and AD will return the list. The client will then attempt to contact the CAs in the list, and the first one to respond will be the one that gets the request. All things being equal, that should be the closest CA, but that's not guaranteed.

If you want 100% assurance that the client will get the certificate from the closest CA, the only way is to restrict enrollment based on the ACLs of the templates. So you'd need two templates, one for each location, restrict by ACL (a security group per location) and then publish at the appropriate CA. Of course, the tradeoff here is no redundancy when it comes to enrollment.

Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
Save energy: Drive a smaller shell.
March 19th, 2012 12:31am
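The list Paul describes is the set of pKIEnrollmentService objects under the Enrollment Services container in the Configuration partition; each enterprise CA registers one, and its certificateTemplates attribute records which templates that CA publishes. The following PowerShell is an added example, not code from the thread or from Microsoft, for checking the end state Paul recommends (each location's template published at exactly one CA). It assumes the ActiveDirectory module is installed and that the session runs as a domain-joined user with read access to the Configuration partition; the function names are mine.

```powershell
# Added example (not part of the original thread). Enumerates the enterprise CAs
# registered in AD and the templates each publishes, then flags any template that
# more than one CA publishes, since a client autoenrolling for such a template may
# get its certificate from whichever CA answers first.
# Assumes: ActiveDirectory module available, domain-joined session with read
# access to the Configuration naming context.
Import-Module ActiveDirectory

function Get-EnrollmentServiceMap {
    # Autoenrollment clients read the candidate CA list from this container.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

    Get-ADObject -SearchBase $base -LDAPFilter "(objectClass=pKIEnrollmentService)" `
        -Properties dNSHostName, certificateTemplates |
        ForEach-Object {
            [PSCustomObject]@{
                CAName    = $_.Name                      # CA common name, e.g. Issue01
                Host      = $_.dNSHostName               # server hosting the CA
                Templates = @($_.certificateTemplates)   # template names published here
            }
        }
}

function Find-TemplatesPublishedOnMultipleCAs {
    param([Parameter(Mandatory)] $Map)

    # Flatten to (Template, CA) pairs, group by template, keep those with >1 CA.
    $Map | ForEach-Object {
        $ca = $_
        $ca.Templates | ForEach-Object {
            [PSCustomObject]@{ Template = $_; CAName = $ca.CAName }
        }
    } |
    Group-Object -Property Template |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [PSCustomObject]@{
            Template = $_.Name
            CAs      = ($_.Group.CAName -join ', ')
        }
    }
}

$map = Get-EnrollmentServiceMap
"Enterprise CAs and the templates they publish:"
$map | Select-Object CAName, Host, @{ n = 'Templates'; e = { $_.Templates -join ', ' } } |
    Format-Table -AutoSize

"Templates published at more than one CA (clients may enroll at any of them):"
Find-TemplatesPublishedOnMultipleCAs -Map $map | Format-Table -AutoSize
```

After splitting into a per-site template as Paul suggests, the second table should no longer list either site's template; if the original shared template still appears against both Issue01 and Issue02, it is still being offered by both CAs and the first responder will win. The same per-template view is available from the command line with `certutil -TemplateCAs <TemplateName>`.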

Thanks for the response, Paul. That clears it up for me.

Kind Regards,
Aaron
March 19th, 2012 12:44am
