DA/UAG is probably the first project out of the gate for me, after I get to understand templates a bit more.
BTW - the latest post on that blog is "Windows PowerShell script for Setting up a CA on Windows Server 2008 and Windows Server 2008 R2" - http://blogs.technet.com/b/pki/archive/2011/12/08/windows-powershell-script-for-setting-up-a-ca-on-windows-server-2008-and-windows-server-2008-r2.aspx

Now that looks pretty dang cool.

On Thu, Dec 8, 2011 at 16:43, Jon Harris <[email protected]> wrote:
> I have been playing with PKI off and on for about 2 months and thought it
> was a keeper as well. I am looking at PKI for Direct Access usage.
> A requirement for Direct Access is a Cert and the ability to control the
> Cert for both users and machines. Microsoft recommends a local Cert server
> and against the use of commercial Certs for control purposes.
>
> Jon
>
> On Thu, Dec 8, 2011 at 7:26 PM, Kurt Buff <[email protected]> wrote:
>>
>> Excellent. That's worth the review.
>>
>> Thanks.
>>
>> On Thu, Dec 8, 2011 at 16:10, Jon Harris <[email protected]> wrote:
>> > You might be interested in this BLOG for PKI templates:
>> > http://blogs.technet.com/b/pki/archive/2009/09/26/introducing-certificate-template-api.aspx
>> >
>> > Good luck with the working toy.
>> >
>> > Jon
>> >
>> > On Thu, Dec 8, 2011 at 2:29 PM, Kurt Buff <[email protected]> wrote:
>> >>
>> >> All,
>> >>
>> >> After staring at the configs in
>> >> http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx
>> >> for days, and doing lots of reading and searching, I found the problem.
>> >>
>> >> Simple, really, but sometimes the purloined letter will ruin your day.
>> >>
>> >> In the example CAPolicy.inf file for the issuing CA, the following line was the problem:
>> >>
>> >> LoadDefaultTemplates=0
>> >>
>> >> It didn't strike me for the longest time, but there you go. Removed that line, and it started
>> >> issuing certs - I see that all of my DCs and the issuing CA itself have gotten certs, and so
>> >> have about 18 people, out of 250+ staff.
>> >>
>> >> So, it's functioning now, and I have a good deal more reading to do to figure out which
>> >> templates I want to create, etc.
>> >>
>> >> The more interesting things to understand are:
>> >>
>> >> 1) Why am I seeing the following warnings in the event logs, even though the cert is being issued:
>> >>
>> >> Log Name: Application
>> >> Source: Microsoft-Windows-CertificationAuthority
>> >> Date: 2011-12-07 22:13:16
>> >> Event ID: 80
>> >> Task Category: None
>> >> Level: Warning
>> >> Keywords: Classic
>> >> User: SYSTEM
>> >> Computer: cert.example.com
>> >> Description:
>> >> Active Directory Certificate Services could not publish a Certificate for request 19 to the
>> >> following location on server usdc4.example.com:
>> >> CN=John Doe,OU=Development,OU=Engineering,OU=Users,OU=ExampleUS,DC=example,DC=com.
>> >> Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344).
>> >> ldap: 0x32: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>> >>
>> >> At least, it looks to me as if the certs are being issued, because certs with user names
>> >> matching the request numbers are appearing in the 'Issued Certificates' folder in the
>> >> management console - they are of the type 'Basic EFS (EFS)'.
>> >>
>> >> 2) What process is invoking these certs? I have no idea how (just a few) users from such
>> >> disparate departments and types of machines (desktops and laptops) are getting the certs,
>> >> especially since I haven't announced anything, and don't have anything in place that
>> >> requires their use yet.
>> >>
>> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>> >>
>> >> ---
>> >> To manage subscriptions click here:
>> >> http://lyris.sunbelt-software.com/read/my_forums/
>> >> or send an email to [email protected]
>> >> with the body: unsubscribe ntsysadmin
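The Event ID 80 warning quoted in the thread is the CA failing to write the issued certificate into the user object's userCertificate attribute in Active Directory; that write requires the CA's computer account to be a member of the domain's Cert Publishers group. The following script is an added example, not code from the thread or from any of the linked blog posts: it collects the CA's Event ID 80 warnings, extracts the request number, target DC and user DN from each, and then checks Cert Publishers membership. It assumes it runs on the CA (or on a host that can read the CA's Application log) with the RSAT ActiveDirectory module installed; $CaComputerName is a placeholder for the CA's computer account name.

```powershell
# Added example (not from the thread): triage AD CS Event ID 80 "could not publish"
# warnings and verify the Cert Publishers membership that publishing depends on.
# Assumptions: run on the CA with the ActiveDirectory module available;
# $CaComputerName is a placeholder for the CA's computer account name.
param(
    [string]$CaComputerName = 'CERT'   # placeholder, e.g. the host named cert.example.com in the thread
)

Import-Module ActiveDirectory

# 1) Pull the publish failures from the Application log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = 80
} -ErrorAction SilentlyContinue

# The description reads: "... could not publish a Certificate for request <n> to the
# following location on server <dc>: <DN>. <error text>". The DN capture stops at the
# first ". " after it, so a DN that itself contains ". " would be truncated here.
$pattern = 'request (?<Req>\d+) to the following location on server (?<Server>[^\s:]+): (?<DN>.+?)\.\s+(?<Err>.+)$'

$failures = foreach ($e in $events) {
    $text = $e.Message -replace '\r?\n', ' '
    if ($text -match $pattern) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Request = [int]$Matches.Req
            Server  = $Matches.Server
            DN      = $Matches.DN
            Error   = $Matches.Err.Trim()
        }
    }
}
$failures | Sort-Object Time | Format-Table -AutoSize

# 2) Publishing into a user's userCertificate attribute needs the CA's computer
#    account in Cert Publishers (membership changes also need to replicate and the
#    CA's Kerberos ticket to be refreshed, so a reboot of the CA is typical).
$members = Get-ADGroupMember -Identity 'Cert Publishers' -Recursive |
    Select-Object -ExpandProperty SamAccountName

if ($members -contains "$CaComputerName`$") {
    "OK: $CaComputerName`$ is a member of Cert Publishers"
} else {
    "WARN: $CaComputerName`$ is not in Cert Publishers; publishing to user objects will fail with INSUFF_ACCESS_RIGHTS"
}
```

Run it as an account that can read the CA's Application log and query AD. The certificate itself is still issued when publishing fails, which matches what the thread reports, so the warning is about the AD copy of the certificate rather than issuance. On the thread's second question, the template named there, Basic EFS, is one that Windows requests on a user's behalf the first time that user encrypts a file with EFS when the template is available from an enterprise CA, which is the usual way such certificates appear without any rollout; the requester and template for each request are visible in the Issued Certificates view the thread already mentions.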
