Problems with Smartcard PKI Enablement on an Enterprise Lab Environment
Hello, I'm trying to set up an enterprise lab environment that will allow smartcard authentication. This lab environment doesn't need a card issuing or management system; that is external (similar to DoD or JITC smartcard triple-tier PKI systems). We would like to take smartcards issued from that external system and allow access on our enterprise lab environment (we can do this already with a simple two-machine CA/DC setup and it works fine, but the lab is a different animal). I've uploaded a diagram of the lab environment with a series of questions that I have regarding the problem.

Link to Diagram: http://img189.imageshack.us/i/smartcardlabenvquestion.jpg/

If you open up my diagram, I hope my overall goal is clear, in that I want all clients attached to those domains in the picture to be PKI enabled for smartcard authentication. Frankly, I'll settle for having both forests PKI enabled (not all machines). Since I'm new at doing this kind of work, I first thought it was impossible to enable PKI without explicitly enabling all domains (root and child) with both a CA attached and domain PKI GPO/NTAuth edits. However straightforward/brute force as that might sound, it sounded to me like complete overkill. I hoped the child domains would inherit the PKI from the root domain, in addition to having those children have access to the root domain's CA. The brute-force method would eventually mean having over 10 CA servers attached to each domain at both the root and child level. Each domain would be provisioned to accept smartcards from the external Card Management system, again overkill. As noted above, I had hoped that this could be done twice, at both forest roots, and all children or detached domain controllers would be "auto-enrolled" for smartcard authentication, so that all clients attached to those domains would have smartcard access.

The only place where I seem to understand auto-enrollment is how the certs get installed at the client level (XP, Vista, etc.), in that, when we enable the domain PKI GPO, those certificates are all installed on the clients connected to that domain policy. But I don't believe this is the definition of "auto-enrollment", hence the confusion. This provisioning of clients with certificates for smartcard login through a domain GPO is very different from the root-to-child inheritance model, and enabling smartcard access on those domains requires a lot of steps in between, not just enabling it once at the root, installing a root CA and having everything flow down to all the children. Auto-enrollment makes sense to me in the context of clients attached to the domain, but not child domains attached to a root domain with a CA.

Some questions:

1. If it does inherit, how does the child know to pull those policies down to its PKI GPO/NTAuth? Is this a mix of domain trust and auto-enrollment? (I can't imagine just setting up that child relationship in Domains and Trusts and having the children inherit everything is the only step?)

2. How does the child add certificates to the NTAuth AD containers populated for smartcards under that domain (that's an explicit process for smartcards)? How does the domain/CA know the certificates within the PKI are smartcard certs that need to be under NTAuth? Is this again through auto-enrollment at the root-level CA server?

3. My understanding of the relationship between child and root domains is that the child DOES NOT inherit the GPO from the root, and this is on purpose? Is this true, and how does this affect auto-enrollment from the root domain/CA, if in fact that is what is going to happen? For me, PKI is at both the domain GPO level and the CA level (for installation of certificates and signing).

4. Do all the children require a CA, or is it just required at the forest root level?

5. What is the proper definition of "auto-enrollment" in relation to the root/child domain relationship?

6. If you note in the diagram, there are detached domains. How does one provision domains that are detached from the root domain, but are part of that domain and are not children? Do you then need to separately add a CA to those detached domains and explicitly enable PKI on those domains, or do they work just like child domains?

7. This might be a totally stupid question, but I need to ask it: do I even need a CA server? That is, since the card system is external and I'm only importing certificates, would I need to even have a CA to sign the installed certificates for the forest? I can't imagine the answer to this is YES, but I wanted to ask.

Thanks for any and all help in advance.

Regards,
Will Coleman
-- Wm. Q. Coleman
May 2nd, 2011 11:14pm

Just a little bump; I would be most appreciative of any help with this.
-- Wm. Q. Coleman
May 7th, 2011 2:18am

On Fri, 6 May 2011 23:18:44 +0000, Wm. Q. Coleman wrote:
> Just a little bump, I would be most appreciative for any help with this.

You have an extremely complex setup, and you need to keep in mind that those of us who help here and who do not work for Microsoft do so as volunteers in our free time. I've looked at your original post and, to be quite honest with you, when I looked at your diagram I closed the browser page and moved on to another post. I do this type of thing for a living and frankly, IMO, you really need an experienced consultant to help you get this set up, not a couple of posts in a support forum. Others may feel differently, but that's my opinion.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
You depend too much on computers for information.
May 7th, 2011 2:56am

Thanks Paul. I believe I have the solution now, but I wanted to leave this up to get some confirmation, i.e. a fresh look. My understanding after reading and testing is that if the CA is a Microsoft CA built as an "Enterprise" CA, then the necessary objects to support CA and certificate profile discovery are added to the Global Catalog and will replicate across the forest. In addition, the CA certificates will be added to AD and inherited by descendants. The CA need not even be in the forest root domain; it just needs to be an Enterprise CA. I got some additional confirmation on this from another co-worker. Like you, when I started this exercise I thought it was something that required a ton of knobs turned and buttons pushed, but, knowing what I know now, I still can't believe it's that simple. Installing an Enterprise CA within the forest will automagically install the PKI across the forest to all domain controllers. Thanks though for your thoughts. I wish we could always turn to consultants for help, that would make things a lot easier, but this is one of those problems where the solution is so simple it's pathetic. Additionally, when I finally figured this out, I thought quietly, wow, that was a waste of time, and I still can't believe it's that simple.
-- Wm. Q. Coleman
May 7th, 2011 3:46am
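As an added illustration of the point in this last post (example code, not from the thread or from Microsoft): a read-only PowerShell check, assuming a domain-joined Windows host, that lists the enterprise CAs published under CN=Public Key Services in the Configuration partition, the CA certificates in the forest-wide NTAuthCertificates object, and what this machine has cached locally, so you can confirm that the forest-wide publication happened and that an external card issuer's CA (the thumbprint placeholder is an assumption you fill in) is trusted for smartcard logon.

```powershell
# Added example, not from the thread. Assumes a domain-joined Windows host;
# it reads AD via ADSI and only reports, it changes nothing.
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$configNC"

# Decode the multi-valued cACertificate attribute of an AD object into X509 objects.
function Get-AdCaCertificates([string]$dn) {
    $obj = [ADSI]"LDAP://$dn"
    foreach ($blob in $obj.Properties["cACertificate"]) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
    }
}

# 1. Enterprise CAs the whole forest can discover: one pKIEnrollmentService object each.
#    A standalone CA never appears here, which is why the answer hinges on "Enterprise".
$enterpriseCAs = @(foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pks").Children) {
    $cert = Get-AdCaCertificates $ca.Properties["distinguishedName"].Value
    [pscustomobject]@{
        Name       = $ca.Properties["cn"].Value
        Host       = $ca.Properties["dNSHostName"].Value
        Thumbprint = $cert.Thumbprint
    }
})

# 2. NTAuthCertificates: the forest-wide list of CAs whose certificates may be used for
#    smartcard logon. Domain controllers and clients pull this down automatically.
$ntAuthInAD = @(Get-AdCaCertificates "CN=NTAuthCertificates,$pks" | ForEach-Object Thumbprint)

# 3. What this machine has actually cached from AD (refreshed with group policy).
$ntAuthLocal = @(Get-ChildItem "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates" -ErrorAction SilentlyContinue |
    ForEach-Object PSChildName)

# If an external card issuer (as in the thread) is in play, its issuing CA must also be in
# NTAuth even though no in-forest CA signed anything. Placeholder thumbprint, not a real value.
$externalIssuer = '<THUMBPRINT-OF-EXTERNAL-ISSUING-CA>'

$rows = @(foreach ($ca in $enterpriseCAs) {
    [pscustomobject]@{
        CA            = $ca.Name
        Host          = $ca.Host
        InNTAuthAD    = $ntAuthInAD -contains $ca.Thumbprint
        CachedLocally = $ntAuthLocal -contains $ca.Thumbprint
    }
})
$rows += [pscustomobject]@{
    CA            = 'External issuer'
    Host          = '(external card management system)'
    InNTAuthAD    = $ntAuthInAD -contains $externalIssuer
    CachedLocally = $ntAuthLocal -contains $externalIssuer
}
$rows | Format-Table -AutoSize
```

A CA that shows InNTAuthAD true but CachedLocally false on a client or DC usually just needs a group policy refresh; a CA missing from NTAuthCertificates entirely will fail smartcard logon forest-wide no matter how many CAs are installed.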
