Web Enrollment/CRL on non domain DMZ server
Hello,

Currently we have an Enterprise CA/PKI solution running on native Windows 2003 Server machines. As part of a VPN initiative, our security team requires us to leverage this infrastructure. A requirement is that we use a standalone machine that just runs the web enrollment piece over SSL as well as hosts the CRL.

Because this standalone machine is not a domain member (currently 2003 Server in a workgroup), I'm guessing that when trying to install the web enrollment services, the reason it's failing is because obviously the local admin account is not a true domain account; I must be passing creds anonymously/incorrectly when it looks for the CA.

My question is, if I can get our cert chain from the enterprise (holds 3 certs, 2 Subs and one Root) onto that box securely, can I install it, and then successfully install the web enrollment component services, and then configure IIS to require SSL?

Hopefully I can leverage this box as the CRL for an upcoming SCCM Native mode conversion as well, but that's another story :)

Thanks in advance for all your help!
August 12th, 2009 8:19pm

The front end web server must be a member of the domain as it uses Kerberos Authentication and service principal names. Your environment will not allow the passing of credentials through Kerberos impersonation. Most organizations will publish an internal Web site through a firewall to make it available to the external world.

For the CRLs, you can definitely use a non-domain joined machine. You just have to come up with a secure protocol and methodology to transfer the CRLs to the Web server (for example Secure FTP).

Brian
August 13th, 2009 10:09am
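Once the CRL is copied out of band as Brian describes, the failure mode to watch for is the copy job lagging behind the CA: the DMZ host keeps serving a CRL that has passed its NextUpdate and clients start failing revocation checks. The script below is an added example (not from this thread, and not Microsoft's code) that runs from a domain-side box, fetches the CRL the DMZ server actually serves, checks it is byte-identical to the copy in the CA's CertEnroll share, and warns when NextUpdate is near. The share path, host names and URL are placeholder assumptions; it relies only on certutil, which is present on Windows Server 2003.

```powershell
# Added example for this thread, not code from the original posts or from Microsoft.
# Scenario from Brian's reply: the CA stays on the domain, the CRL is copied out to a
# non-domain DMZ web server. A late or missed copy leaves clients with a CRL that has
# passed NextUpdate. This script compares the DMZ-served CRL with the copy the CA just
# published and warns when the served CRL is close to expiry.
# The share path, host name and URL below are assumptions (placeholders).

param(
    [string]$CaCrlPath = "\\ENTCA01\CertEnroll\Contoso Issuing CA.crl",                    # assumed CA CertEnroll share
    [string]$DmzCrlUrl = "https://pki.example.com/CertEnroll/Contoso%20Issuing%20CA.crl",  # assumed CDP URL on the DMZ host
    [int]$WarnHours = 24                                                                  # warn when NextUpdate is this close
)

# Fetch what external clients actually see from the DMZ host.
$dmzCopy = Join-Path $env:TEMP "dmz-served.crl"
(New-Object System.Net.WebClient).DownloadFile($DmzCrlUrl, $dmzCopy)

function Get-FileSha1 {
    param([string]$Path)
    # certutil -hashfile prints the hash on its second output line; older builds
    # space-separate the bytes. SHA1 is used only as an equality check here, and it is
    # the one algorithm certutil on Server 2003 supports for -hashfile.
    $lines = certutil -hashfile $Path SHA1
    return ($lines[1] -replace '\s', '').ToUpper()
}

function Get-CrlNextUpdate {
    param([string]$Path)
    # certutil -dump understands CRL files. The NextUpdate value is printed in the
    # local date format, so it is parsed with the same locale via [datetime].
    $line = certutil -dump $Path | Where-Object { $_ -match 'NextUpdate:' } | Select-Object -First 1
    if ($line -and $line -match 'NextUpdate:\s*(.+)$') {
        return [datetime]($Matches[1].Trim())
    }
    throw "No NextUpdate field found in $Path"
}

$caHash    = Get-FileSha1 $CaCrlPath
$dmzHash   = Get-FileSha1 $dmzCopy
$next      = Get-CrlNextUpdate $dmzCopy
$hoursLeft = [math]::Round(($next - (Get-Date)).TotalHours, 1)

$exitCode = 0
if ($caHash -ne $dmzHash) {
    Write-Warning "DMZ is serving a different CRL than the CA published (CA $caHash, DMZ $dmzHash); the copy job lagged or failed."
    $exitCode = 2
}
if ($hoursLeft -lt 0) {
    Write-Warning "DMZ CRL passed NextUpdate ($next) $(-$hoursLeft) hours ago; revocation checks against this CDP will fail."
    $exitCode = 2
} elseif ($hoursLeft -lt $WarnHours) {
    Write-Warning "DMZ CRL reaches NextUpdate in $hoursLeft hours; publish and copy before then."
    if ($exitCode -eq 0) { $exitCode = 1 }
} else {
    Write-Output "DMZ CRL matches the CA copy and is valid for another $hoursLeft hours."
}
exit $exitCode
```

Run it from a scheduled task on a domain member that can read the CertEnroll share, after the copy job, and alert on a non-zero exit code. A hash mismatch is expected for the few minutes between the CA publishing a new CRL and the copy completing; if it persists past that window the transfer is the problem. If delta CRLs are enabled they are a separate file and need the same check with their own path and URL.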

Thank you for your response Brian.

So it seems with this scenario that a manual copy of the CRL will be needed. I realize that every PKI solution is unique in some way. But to reiterate, there is no way to have web enrollment on a non-domain PC.

One other question: could I make the DMZ server a DC, and then trust it securely from our internal domain, thereby allowing the enterprise CA to be contacted, which should hopefully allow the install of web enrollment?

Thanks again!
August 13th, 2009 5:36pm

You could, but why would you risk putting a DC in the DMZ? If you are going to open the ports needed for a DC in the DMZ, why not make the server a domain member instead?

Brian
August 13th, 2009 7:48pm
