Re: Web Enrollment Certificate Request Denied

From: Max (maxroberts1_at_yahoo.com)
Date: 07/07/04


Date: 7 Jul 2004 12:55:30 -0700

Sorry, I haven't dealt with deploying smart cards yet.

I'm just trying to figure out why certificate requests work using the
Certificates MMC, but then I'm told that the EFS certificate template is
not supported by the Certificate Services when requesting the
certificate through web enrollment.

My XP workstation is a member of the domain. I have the lowest
possible browser security. And I'm using Windows Integrated Security
both on the web enrollment server and it's checked on the browser. I'm
not using my UPN when connecting to the web server. These are all
things that are noted as possible causes in the latest whitepaper.

Perhaps my problem is that I'm not following Microsoft Best Practices
of having the web enrollment server on the same server as the Issuing
CA. I've split the two and I think that is causing me issues. There
don't seem to be many examples of this - the new book by Brian Komar,
the 2003 PKI Best Practices White Paper, and the 2003 PKI MOC all give
best practices set-up with IIS and web enrollment together on the
Issuing CA.

Page 134 of Komar's book, Microsoft Windows Server 2003 PKI and
Certificate Security, actually says "If you are planning to utilize
the Certificate Services Web Enrollment pages, you must install IIS on
the Issuing CA."

So perhaps my setup doesn't work at all. Although it would seem to be
better from a security standpoint to split web enrollment and IIS from
the Issuing CAs and their private keys.
