Re: PKI User certificate auto-enrollment for XP clients not logging onto domain computer
- From: Brian Komar <bkomarr@xxxxxxxxxxxxxxxxx>
- Date: Sat, 19 May 2007 14:56:48 -0500
Some answers inline.
On 18 May 2007 08:02:35 -0700, Enrico wrote:
Hello,
I am currently in the process of researching the features of user
certificate autoenrollment for a proof of concept using Outlook Web
Access to an Exchange 2007 environment.
I would like to implement a scenario where a user provisioned with an
exchange email box and address would be able to automatically obtain a
user certificate from the CA by accessing a secure portal or OWA.
They could access the certificate from a secure portal. OWA does not have
any certificate enrollment code included.
1. Given that autoenrollment works via winlogon or Group policy, the
user should be able to obtain the certificate since they are
authenticating to AD with their username/password (as the user is an AD
account object), correct?
No. The computer must also be a member of the forest. Although the user
account is used, there is no knowledge of an enterprise CA, available
certificate templates, etc.
2. Does autoenrollment only work when a user logs onto a VPN or a
computer that is physically on the domain of the issuing CA?
Correct. The user and the computer must be members of the forest, even in
a VPN scenario.
Any links to documentation outlining this feature of PKI would be much
appreciated.
Look for the autoenrollment whitepaper available at www.microsoft.com/pki.
I also cover it in my PKI book.
Thank you,
Enrico
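The prerequisites Brian lists (computer joined to the forest, logon with a domain account, the autoenrollment Group Policy setting, and the ability to locate an enterprise CA in the directory) can be checked from the client before anyone blames the CA. The script below is an added example and is not code from the thread or from Microsoft. The registry path and the AEPolicy flag bits are the documented ADCS values; the function name and the output field names are this example's own.

```powershell
# Added diagnostic (not part of the original post). Checks, on a Windows
# client, the prerequisites for user certificate autoenrollment that the
# reply above describes. Registry path and AEPolicy bits are documented
# ADCS values; function and field names are this example's own.

function Test-UserAutoenrollmentPrereqs {
    $r = [ordered]@{}

    # 1. Forest membership of the computer. A workgroup XP box never
    #    autoenrolls, whatever domain credentials the user types into OWA.
    $cs = Get-WmiObject Win32_ComputerSystem
    $r.ComputerDomainJoined = [bool]$cs.PartOfDomain
    $r.ComputerDomain       = $cs.Domain

    # 2. Logon with a domain account. Autoenrollment runs in the user's
    #    logon session; a local account has no AD object to enroll for.
    $r.UserDomain          = $env:USERDOMAIN
    $r.UserIsDomainAccount = ($env:USERDOMAIN -ne $env:COMPUTERNAME)

    # 3. Group Policy setting (Public Key Policies -> Certificate Services
    #    Client - Auto-Enrollment) for machine and user. AEPolicy bits:
    #    0x1 enabled, 0x2 renew expired / update pending, 0x4 update
    #    templates, 0x8000 explicitly disabled; absent = not configured.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
        $v = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        $state = if ($null -eq $v)        { 'not configured' }
                 elseif ($v -band 0x8000) { 'disabled' }
                 elseif ($v -band 0x1)    { 'enabled (0x{0:X})' -f $v }
                 else                     { 'flags 0x{0:X} without enable bit' -f $v }
        $r["${hive}_AEPolicy"] = $state
    }

    # 4. Enterprise CA discovery. The client reads pKIEnrollmentService
    #    objects from the forest's configuration partition; off the forest
    #    this bind fails, which is the "no knowledge of an enterprise CA"
    #    the reply refers to.
    try {
        $cfgNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
        $es = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"
        $r.EnterpriseCAs = @($es.Children | ForEach-Object { $_.Properties['cn'][0] })
    } catch {
        $r.EnterpriseCAs   = @()
        $r.DirectoryError  = $_.Exception.Message
    }

    # Overall verdict for user autoenrollment on this client.
    $r.Ready = $r.ComputerDomainJoined -and $r.UserIsDomainAccount -and
               ($r.HKCU_AEPolicy -like 'enabled*') -and ($r.EnterpriseCAs.Count -gt 0)

    [pscustomobject]$r
}

Test-UserAutoenrollmentPrereqs | Format-List
```

Run it in the interactive session of the user who is expected to enroll, with Windows PowerShell (on PowerShell 7 replace Get-WmiObject with Get-CimInstance). A machine reached only through OWA will fail check 1 and check 4 no matter what the user's password is, which is the point of the answer above. On Vista and later clients, `certutil -user -pulse` triggers a user autoenrollment pass once all four checks come back clean; XP has no such switch and runs autoenrollment at logon and at Group Policy refresh.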