On Mon, Mar 31, 2014 at 5:13 PM, Ken Schaefer <[email protected]> wrote:
> I think those articles are saying that:
> a) you need to configure the "web server" template

That's long been done.

> b) this will only work if the URL used by users is the same as the FQDN of 
> the server (as the FQDN will be auto-inserted into the CN= field of the cert)

That's the part I wasn't so sure about. I need to further research
that to be sure.

> I don't think you need SPNs at all (beyond the defaults that are created when 
> you install IIS).
>
> I'm not sure I'd go down this route personally - you can automate the 
> process, but not via auto-enrolment. And certs really should be in your asset 
> management system IMHO - that will alert you to their expiry.

Here's the situation: Several MSFT systems (Lync, DirectAccess, and
probably others) rely on web sites sitting on IIS that don't match the
name (NetBIOS or FQDN) of the server hosting them - and might not even
be sitting on the same host on which the service is running (see, for
instance the requirements for DirectAccess and an internally hosted
web site that *can't* be on the UAG/DA server). They must (in
many/most cases) get their certs from our CA. I am of the opinion that
there shouldn't be any reason why these web sites don't autorenew
their certs, once installed.

I'm willing to be schooled on that, but after thinking about it for a
while I can't see any objections - except perhaps "It can't be done."

Asset management - that's a spreadsheet on which assets are tracked, right? :)

Kurt



> Cheers
> Ken
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of Kurt Buff
> Sent: Tuesday, 1 April 2014 10:03 AM
> To: [email protected]
> Subject: [NTSysADM] IIS certs expiration and autorenewal from a Windows CA
>
> All,
>
> We had a bit of a scramble when an IIS SSL cert generated by our internal CA 
> expired, and didn't autorenew.
>
> Now that I've fixed it, I'm wondering how to set up autorenewal.
>
> From my reading so far, it looks like I need to set up an SPN for the web 
> site on the machine account, viz.:
> http://social.technet.microsoft.com/Forums/windowsserver/en-US/0b435135-5a90-4957-9bcc-a92b4c519fda/autoenrollment-for-web-server-certificates
>
> and
>
> http://support.microsoft.com/kb/929650
>
> Is this correct, and sufficient? Or do I need to dig a little deeper?
>
> Kurt
>
>
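As a check for the situation Kurt describes above (IIS sites whose hostname is not the server's FQDN, and certificates that quietly expire), here is an added PowerShell example, not code from this thread, that lists each IIS HTTPS binding on the local host with its certificate's expiry and whether the certificate's CN or DNS SAN actually covers the binding hostname. The WebAdministration module, the 30-day warning window and the helper name Get-CertDnsNames are assumptions.

```powershell
# Added example, not from the thread. Lists every IIS HTTPS binding on this host with the
# bound certificate's expiry and whether the cert's CN/SAN covers the binding hostname.
# Assumes the WebAdministration module (IIS 7.5 or later) and an elevated PowerShell session.
Import-Module WebAdministration

$WarnDays = 30   # assumed renewal window; report certs expiring within this many days

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Names the certificate is valid for: the subject CN plus any DNS SAN entries
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    if ($san) {
        # Format($false) yields e.g. "DNS Name=www.contoso.com, DNS Name=contoso.com"
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return $names | Select-Object -Unique
}

foreach ($site in Get-Website) {
    foreach ($b in Get-WebBinding -Name $site.Name -Protocol https) {
        # bindingInformation is "IP:port:hostname"; hostname is empty for IP-only bindings
        $hostName = ($b.bindingInformation -split ':')[2]
        $label = "$($site.Name) [$($b.bindingInformation)]"
        if (-not $b.certificateHash) { Write-Output "$label : no certificate bound"; continue }

        $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
        $cert = Get-Item "Cert:\LocalMachine\$store\$($b.certificateHash)" -ErrorAction SilentlyContinue
        if (-not $cert) { Write-Output "$label : thumbprint $($b.certificateHash) not in $store store"; continue }

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $names = Get-CertDnsNames $cert
        # -like lets a wildcard CN/SAN such as *.contoso.com match; an empty hostname leaves nothing to check
        $covers = (-not $hostName) -or (@($names | Where-Object { $hostName -like $_ }).Count -gt 0)

        $status = @()
        if ($daysLeft -lt 0)             { $status += 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays) { $status += "expires in $daysLeft days" }
        if (-not $covers)                { $status += "name mismatch: cert covers $($names -join ', ')" }
        if (-not $status)                { $status = @('ok') }

        Write-Output ("{0} : {1} (NotAfter {2:yyyy-MM-dd}, issuer {3})" -f $label, ($status -join '; '), $cert.NotAfter, $cert.Issuer)
    }
}
```

Run it on each IIS host (or wrap it in Invoke-Command) and feed the output to whatever tracks your certificates, since a binding that points at a missing thumbprint or a name-mismatched certificate will not be caught by expiry alerts alone.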