PKI / Delegating Certificate Template Management

From: Christoph Buchser (ch.buchser_at_gmx.ch)
Date: 03/30/04

  • Next message: Amihai: "Unlocking Locked workstations"
    Date: 29 Mar 2004 23:21:28 -0800
    
    

    Hi all

    Initial situation:
    Microsoft PKI with a standalone, offline root CA and a subordinate
    enterprise CA running Windows Server 2003 Enterprise Edition. Active
    Directory with a root domain and several subdomains.
    For administering the SubCA we created a user "CA-administrator" as a
    normal domain user in the Active Directory root domain. He has no
    domain administration rights granted, only local admin rights on
    the SubCA.

    Delegating Certificate Template Management:
    To manage the certificate templates conveniently without domain
    administrator rights, we read the TechNet document "Implementing
    and Administering Certificate Templates in Windows Server 2003"
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/confeat/ws03crtm.asp
    We followed it step by step as described under "Delegating Template
    Management".

    Problem:
    Now, when we tested with the CA-administrator's account by editing a
    template in the Certificate Templates MMC, a warning popped up:
    "Windows cannot save changes to the certificate template.
    This security ID may not be assigned as the owner of this object." We
    couldn't save the changed settings.

    So we changed the owner of the template to this specially created
    universal group. The same warning appeared! But the owner was this
    specially created universal group, with the CA-administrator as a
    member of it!

    We experimented and also added the CA-administrator to the
    Domain Admins group, and then it worked fine. But this is not
    what we are looking for.

    Question:
    What does this have to do with the security ID of the CA-administrator,
    given that he is a member of the owner group of this object?
    Why does it not work with the group as the owner?
    What is the problem?

    Thanks to all who have some ideas!

    Christoph Buchser, Switzerland

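Added check for the symptom described in the post above (this is an added example, not code from the original post or from the TechNet document). It reads the security descriptor of a certificate template object in the Configuration partition and lists the groups in the current logon token together with their attributes. The reading of the error that it is built on is mine, not the poster's: Windows accepts a SID as an object's owner only if it is the caller's own SID or a group in the caller's token that carries the SE_GROUP_OWNER attribute (shown by whoami as "Group owner"), which in a domain token is BUILTIN\Administrators, Domain Admins and Enterprise Admins. An ordinary universal group is present in the token but not flagged that way, so a descriptor naming it as owner is rejected with "This security ID may not be assigned as the owner of this object" even though the caller is a member; adding the account to Domain Admins puts an owner-eligible SID into the token, which is why that experiment worked. The script assumes the ActiveDirectory PowerShell module (AD: drive) is available, that it is run as the delegated CA-administrator account, and uses the template common name 'User' as a placeholder.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module and that it runs under the delegated CA-administrator account.
Import-Module ActiveDirectory

$templateName = 'User'   # assumed placeholder; replace with the template you are editing
$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateDn   = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# 1. Security descriptor of the template object as stored in AD
$acl = Get-Acl -Path "AD:\$templateDn"
"Template : $templateDn"
"Owner    : $($acl.Owner)"
$acl.Access |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner|WriteProperty' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 2. Groups in the current logon token with their attributes. Only the caller's
#    own SID or a token group flagged 'Group owner' (SE_GROUP_OWNER) may be
#    written as the owner of an object; a plain universal group is listed here
#    without that flag even though the account is a member of it.
whoami /groups /fo csv | ConvertFrom-Csv |
    Select-Object 'Group Name', Attributes |
    Format-Table -AutoSize

# 3. The subset of token groups that Windows would accept as an owner SID.
#    For an ordinary domain user this is usually empty; for a member of
#    Domain Admins it lists that group, matching the post's observation.
whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.Attributes -match 'Group owner' } |
    Select-Object 'Group Name', SID
```

Run it twice: once as the delegated account and once as a Domain Admins member, and compare step 3. If the delegated account's list is empty while the descriptor's owner is the universal group, the save fails at the owner check regardless of how much the DACL grants, which is the situation the post describes.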
