I have been playing with PKI off and on for about 2 months and thought it
was a keeper as well.  I am looking at PKI for Direct Access usage.
A requirement for Direct Access is a Cert and the ability to control the
Cert for both users and machines.  Microsoft recommends a local Cert server
and against the use of commercial Certs for control purposes.

Jon

On Thu, Dec 8, 2011 at 7:26 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

> Excellent. That's worth the review.
>
> Thanks.
>
> On Thu, Dec 8, 2011 at 16:10, Jon Harris <jk.har...@gmail.com> wrote:
> > You might be interested in this BLOG for PKI templates
> > http://blogs.technet.com/b/pki/archive/2009/09/26/introducing-certificate-template-api.aspx .
> >
> > Good luck with the working toy.
> >
> > Jon
> > On Thu, Dec 8, 2011 at 2:29 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
> >>
> >> All,
> >>
> >> After staring at the configs in
> >> http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx
> >> for days, and doing lots of reading and searching, I found the
> >> problem.
> >>
> >> Simple, really, but sometimes the purloined letter will ruin your day.
> >>
> >> In the example CAPolicy.inf file for the issuing CA, the following
> >> line was the problem:
> >>
> >>     LoadDefaultTemplates=0
> >>
> >> It didn't strike me for the longest time, but there you go. Removed
> >> that line, and it started issuing certs - I see that all of my DCs and
> >> the issuing CA itself have gotten certs, and so have about 18 people,
> >> out of 250+ staff.
> >>
> >> So, it's functioning now, and I have a good deal more reading to do to
> >> figure out which templates I want to create, etc.
> >>
> >> The more interesting things to understand are:
> >>
> >>
> >> 1) Why am I seeing the following warnings in the event logs, even
> >> though the cert is being issued:
> >>
> >>     Log Name:      Application
> >>     Source:        Microsoft-Windows-CertificationAuthority
> >>     Date:          2011-12-07 22:13:16
> >>     Event ID:      80
> >>     Task Category: None
> >>     Level:         Warning
> >>     Keywords:      Classic
> >>     User:          SYSTEM
> >>     Computer:      cert.example.com
> >>     Description:
> >>     Active Directory Certificate Services could not publish a
> >>     Certificate for request 19 to the following location on server
> >>     usdc4.example.com: CN=John Doe,OU=Development,OU=Engineering,OU=Users,OU=ExampleUS,DC=example,DC=com.
> >>     Insufficient access rights to perform the operation. 0x80072098
> >>     (WIN32: 8344).
> >>     ldap: 0x32: 00002098: SecErr: DSID-03150BB9, problem 4003
> >>     (INSUFF_ACCESS_RIGHTS), data 0
> >>
> >> At least, it looks to me as if the certs are being issued, because
> >> certs with user names matching the request numbers are appearing in
> >> the 'Issued Certificates' folder in the management console - they are
> >> of the type 'Basic EFS (EFS)'.
> >>
> >>
> >> 2) What process is invoking these certs? I have no idea how (just a
> >> few) users from such disparate departments and types of machines
> >> (desktops and laptops) are getting the certs, especially since I
> >> haven't announced anything, and don't have anything in place that
> >> requires their use yet.
> >>
> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> >>
> >> ---
> >> To manage subscriptions click here:
> >> http://lyris.sunbelt-software.com/read/my_forums/
> >> or send an email to listmana...@lyris.sunbeltsoftware.com
> >> with the body: unsubscribe ntsysadmin
> >
> >
>
>
>
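As an added example that is not part of the thread: a PowerShell helper that turns the Event ID 80 text Kurt quoted into structured records, so the DC that refused the write, the target DN and the error code can be reviewed across many requests. The sample descriptions are constructed from that event (the second varies request and DC), and the commented Get-WinEvent line is what you would run on the CA itself.

```powershell
# Added example, not code from the thread. Parses AD CS Event ID 80 ("could not publish a
# Certificate ...") descriptions into objects. Sample text below is constructed from the
# event quoted in the thread; the second sample only varies request id and DC.
$SampleDescriptions = @(
@'
Active Directory Certificate Services could not publish a Certificate for request 19 to the following location on server usdc4.example.com: CN=John Doe,OU=Development,OU=Engineering,OU=Users,OU=ExampleUS,DC=example,DC=com.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344).
ldap: 0x32: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
'@
@'
Active Directory Certificate Services could not publish a Certificate for request 23 to the following location on server usdc2.example.com: CN=Jane Roe,OU=Sales,OU=Users,OU=ExampleUS,DC=example,DC=com.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344).
ldap: 0x32: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
'@
)

function ConvertFrom-CaPublishFailure {
    param([Parameter(Mandatory)][string]$Description)

    # LDAP detail (second line of the event); matched first because -match replaces $Matches.
    $ldapProblem = $null
    if ($Description -match 'problem (?<Code>\d+) \((?<Problem>[A-Z_]+)\)') { $ldapProblem = $Matches['Problem'] }

    # Main sentence: request id, DC that refused the write, target DN, HRESULT and Win32 code.
    $pattern = 'request (?<Request>\d+) to the following location on server (?<Server>\S+): ' +
               '(?<DN>.+?)\.\s+(?<Message>.+?)\s+(?<HResult>0x[0-9A-Fa-f]{8}) \(WIN32: (?<Win32>\d+)\)'
    if ($Description -notmatch $pattern) { return $null }

    [pscustomobject]@{
        RequestId    = [int]$Matches['Request']
        Server       = $Matches['Server']
        TargetDN     = $Matches['DN']
        Message      = $Matches['Message']
        HResult      = $Matches['HResult']
        LdapProblem  = $ldapProblem
        # Win32 8344 is ERROR_DS_INSUFF_ACCESS_RIGHTS: the CA's computer account cannot write
        # userCertificate on that object (membership in Cert Publishers normally grants this).
        AccessDenied = ([int]$Matches['Win32'] -eq 8344)
    }
}

# Constructed samples: one row per failed publish attempt.
$SampleDescriptions | ForEach-Object { ConvertFrom-CaPublishFailure $_ } |
    Format-Table RequestId, Server, AccessDenied, LdapProblem, TargetDN -AutoSize

# Live equivalent on the CA (the Source shown in the thread is the provider name):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'; Id = 80 } |
#     ForEach-Object { ConvertFrom-CaPublishFailure $_.Message } | Group-Object Server, AccessDenied
```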

