Web enrollment security issue?
In my lab environment I have one 2008 R2 Ent. issuing CA, with web enrollment configured. <testuser> has not been granted any permission in published certificate templates and is not a member of any groups except Domain Users. I can still request and enroll for almost all certificates published through web enrollment. It seems like the domain administrator account enrolls on behalf of that user account, even when logged in as <testuser>. Enroll-on-behalf-of has not been configured (and should not work logged in as that user anyway). Authenticated Users has Read permission on the template. When I remove this (which I shouldn't) the template no longer shows up in web enrollment. I have tested with a few other users and the problem seems consistent. When trying a manual request through the MMC snap-in only three templates show up. They are configured with Domain Users authenticated, so that is fine. HTTPS is configured. It seems like a big security risk? Has this anything to do with policies? What can I do to prevent unauthorised users from requesting certificates?
July 25th, 2012 8:50am

Interesting indeed ;P The certificate is issued to the domain administrator with subject FQDN of that user, and SAN = UPN of that domain user as well. Basically I can issue whatever certificate from all computers as any user. I don't know if anything has changed, although I don't think that it has been this way since the beginning of my lab? I would really appreciate some advice on this.
July 26th, 2012 1:03am

Hi Joakim, do you have a little more detailed information about your setup? - CA security settings - Template security settings - an issued certificate etc. Thank you, Lutz
July 26th, 2012 1:26pm

Of course, I'll see what I can provide.
CA Security: Authenticated Users - Request certificate; Domain Admins, local administrator and Enterprise Admins - Issue and Manage Certificates, Manage CA.
Example template security: Authenticated Users - Read; my domain admin member account - Full Control; Domain Admins and Enterprise Admins - Read, Write.
Policy module is "follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate" - Windows default. Exit module is Windows default as well.
But why does it differ from a manual request from certmgr.msc? Shouldn't the web enrollment "see" the same security settings?
I have working OCSP and CRL. HTTPS is configured on web enrollment - otherwise I'm not able to request at all, guess that's by design? IIS is configured at the issuing CA. I have two domain controllers holding certificate templates, both from the old test issuing CA (2003) and from the newer one.
My main problem is that I have to request through web enrollment to our CE .net 4.2 computers. See previous thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/b13a4c5e-9730-471f-96a3-8c17b940806f
July 27th, 2012 12:57am
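One way to check the template permissions Lutz asks about, across the whole forest rather than one template at a time, as an added PowerShell example that is not part of this thread: it walks the Certificate Templates container in the Configuration partition and reports every template where a broad group (Authenticated Users, Domain Users, Domain Computers, Everyone, Users) holds the Enroll right, whether granted directly, through an all-extended-rights ACE, or through Full Control. It also flags templates where the requester supplies the subject, since that is what lets a certificate come out with someone else's name in it. It assumes the ActiveDirectory RSAT module (for Get-ADObject and the AD: drive); the function name Get-BroadEnrollGrant and the list of "broad" principals are my own choices, and the Enroll right GUID and the ENROLLEE_SUPPLIES_SUBJECT bit are the documented well-known values.

```powershell
# Added example, not code from this thread. Assumes the ActiveDirectory RSAT module is
# installed and the caller can read the Configuration naming context.
Import-Module ActiveDirectory

# Well-known extended-right GUID for "Enroll" on pKICertificateTemplate objects.
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit in msPKI-Certificate-Name-Flag.
$EnrolleeSuppliesSubject = 0x1

# Principals broad enough that an Enroll grant deserves review (list is my own choice).
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users')

function Get-BroadEnrollGrant {
    [CmdletBinding()]
    param()

    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $templates = Get-ADObject -SearchBase $container `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties 'msPKI-Certificate-Name-Flag'

    foreach ($template in $templates) {
        # The AD: drive is provided by the ActiveDirectory module.
        $acl = Get-Acl -Path ("AD:\" + $template.DistinguishedName)

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $rights        = $ace.ActiveDirectoryRights
            $hasExtended   = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            $hasGenericAll = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq `
                             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

            # Enroll is effectively granted by: the Enroll extended right itself, an ACE that
            # covers all extended rights (empty ObjectType), or GenericAll (Full Control).
            $grantsEnroll = $hasGenericAll -or
                ($hasExtended -and ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq [Guid]::Empty))
            if (-not $grantsEnroll) { continue }

            # Strip the domain or authority prefix, e.g. "NT AUTHORITY\Authenticated Users".
            $principal = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($BroadPrincipals -notcontains $principal) { continue }

            $nameFlag = [int]$template.'msPKI-Certificate-Name-Flag'
            [PSCustomObject]@{
                Template                = $template.Name
                Principal               = $ace.IdentityReference.Value
                Rights                  = $rights
                EnrolleeSuppliesSubject = (($nameFlag -band $EnrolleeSuppliesSubject) -ne 0)
            }
        }
    }
}

# Report templates that broad groups can enroll for. A True in EnrolleeSuppliesSubject
# means the requester, not the CA, decides which identity goes into the certificate.
Get-BroadEnrollGrant | Sort-Object Template | Format-Table -AutoSize
```

Run it from any domain-joined machine with RSAT as a normal domain user; the output should match what the Security tab of each template shows in the Certificate Templates console, so a template that grants only Read to Authenticated Users, as in the settings above, should not appear. If the web enrollment pages still hand out certificates from such a template, the grant is coming from somewhere other than the template ACL, and the CA's own security settings (the Request Certificates permission on the CA object) and the identity the IIS application pool runs as are the next things to compare.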

Hi Joakim, whatever I did in the lab I could not reproduce this error. Sorry that I couldn't help. Regards, Lutz
July 30th, 2012 11:59am

Thank you for trying at least!
August 23rd, 2012 2:09am
