CES Recommended Setup

I have been reading up on CES information that I can find, but I'm still not getting a clear picture of how I should implement my setup.

I have a 2 tier CA setup in a root forest that has about 5 child domains. This setup is fine. I can get servers to autoenroll certificates. I set up a 3rd server to host the CES/CEPS so that delegation wouldn't be an issue.

I have about 20 domains that do not have a trust with the domain the CA is in. Yes, about 20 from acquisitions, etc. I need to have servers autoenroll to receive a server certificate on the computer account. Installing other CAs is not an option. CES is supposed to be my answer. I would like to use Kerberos only (Windows authentication), but it's not working for me. Maybe this isn't recommended for my situation.
Microsoft only gives examples of external facing without trusts (so via internet, outside your network) and then intranet, with trusts between domains/forests.

Is anyone out there with a setup of no trusts, using CES with Windows authentication, and it's working? I'm mainly looking for detailed steps in implementing because I think I'm missing something but I can't tell where exactly. Maybe it's with delegation, maybe it's access on IIS. I'm really not sure yet.

September 2nd, 2015 5:12pm

You are not going to be able to use Kerberos, as the servers will not have an account that is trusted for authentication. I would recommend using a combination of Basic Authentication with Key Based Renewal.

See http://blogs.technet.com/b/askpfeplat/archive/2013/07/01/server-2012-pki-key-based-renewal-explained.aspx for guidelines and procedures

Brian

September 2nd, 2015 8:56pm
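Added example, not from this thread or from the linked blog: the PowerShell shape of the recommendation above, a CEP/CES pair using username (Basic over HTTPS) authentication with the CES in renewal-only mode and key-based renewal, so a server in one of the untrusted domains renews by proving possession of its existing certificate's key rather than through Kerberos. The CA config string, the HTTPS certificate thumbprint and the CES service account are placeholders; the cmdlets and parameters are the standard AD CS ones.

```powershell
# Added example (not from the thread or the linked blog). Run elevated on the
# CES/CEP host. Placeholders: CA config string, HTTPS cert thumbprint, service account.

# Role services for the Certificate Enrollment Policy Web Service (CEP) and
# Certificate Enrollment Web Service (CES).
Install-WindowsFeature ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc -IncludeManagementTools

$sslThumb = '<THUMBPRINT-OF-HTTPS-CERT>'         # placeholder
$caConfig = 'ca01.corp.example\Corp Issuing CA'  # placeholder: "<CA host>\<CA name>"
$svcCred  = Get-Credential -Message 'CES application pool account (placeholder)'

# 1. CEP with username/password (Basic) authentication. No trust with the
#    acquired domains is needed because nothing here relies on Kerberos.
#    -KeyBasedRenewal lets the policy endpoint serve clients that authenticate
#    with their existing certificate at renewal time.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Username `
    -SSLCertThumbprint $sslThumb -KeyBasedRenewal -Force

# 2. CES in renewal-only mode with key-based renewal: the client signs the
#    renewal request with the key of its current certificate, so no account
#    or password is presented for the renewal itself.
Install-AdcsEnrollmentWebService -CAConfig $caConfig -AuthenticationType Username `
    -SSLCertThumbprint $sslThumb `
    -ServiceAccountName $svcCred.UserName -ServiceAccountPassword $svcCred.Password `
    -RenewalOnly -AllowKeyBasedRenewal -Force
```

A renewal-only CES cannot issue a machine's first certificate; initial enrollment still goes through a CES instance installed without -RenewalOnly (username authentication works there too), after which renewals run key-based. Both endpoints are HTTPS-only, so the server certificate referenced by $sslThumb must chain to a root the untrusted-domain machines already trust.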