Re: Certificate Renewal minimum requirements

From: MC (seaedsit_at_hotmail.com)
Date: 10/22/04


Date: Fri, 22 Oct 2004 14:37:18 +0200

David, thanks for that input.

Is the auto-enroll permission enough, or must the user be granted the
"enroll" permissions too?
In the MS documents you can find statements that when autoenroll
permissions are granted, the user must always have enroll permissions too.

The problem would be that when enroll permissions are granted, users would be
able to enroll smart card user certificates by themselves. It should only be
possible to enroll smart card user certificates by a couple of admins who
own an enrollment agent certificate.

Thx,
Mario

"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:uWOomGDuEHA.2000@TK2MSFTNGP14.phx.gbl...
> Yes, they will still need autoenroll permission. I think we have an example
> for using existing cert and auto-renewal in this paper:
>
> auto-enrollment:
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
>
>
> --
>
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "MC" <seaedsit@hotmail.com> wrote in message
> news:etsQ$nBuEHA.3156@TK2MSFTNGP12.phx.gbl...
> > Hi,
> >
> > What are the minimum requirements to renew a smart card user certificate
> > stored on a smart card?
> >
> > Is it necessary to give the user "enroll" permissions to renew an existing
> > certificate?
> > I configured a copy of the smart card user template to allow renewal if an
> > existing valid certificate exists.
> >
> > Thanks
> > MC
> >
> >
>
>


