The certificate doesn't do anything about authentication from a DC standpoint necessarily.  The DC is still required for authentication of the user credentials as well as authorization services.  The certificate will allow your user to encrypt the conversation from the web client to the web server thereby adding a layer of protection to the conversation from prying eyes (or sniffers as the case may be).
 
Using your own certificate can be done, but often the overhead isn't worth it.  Allowing a third party to manage the cert is a lot easier in terms of management, reliability, hardware, etc.  The client will require access to the CA machine if only one machine is hosting all functions.  Add to that they will get a popup asking if they want to use this cert since it's not in the cache to date.  It's just not as clean from a user interface perspective, but workable if all else is worth it to you.
 
 
http://www.microsoft.com/technet/security/topics/crypto/cryptpki.mspx is a primer for Windows 2000 PKI that may help to explain some of the additional components.
 
AL


From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 20, 2004 12:00 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Certificate Services

We are looking to add a certificate to one of our web servers so we can do an https session over it.  This will be for our users to access OWA over a secure connection.  Instead of purchasing a certificate from Verisign we would like to put up a CA server and use our own certificates.  Is this the common way of doing this?  Once the certificate is issued does the OWA server need to talk to the DC anymore?  I'm new to all the certificate stuff so any help is appreciated! 
 
Mike Celone
Systems Specialist
Radio Frequency Systems
v 203-630-3311 x1031
f 203-634-2027
m 203-537-2406
 
