Re: Machine Cert Question - Web Request Question



Gotcha. Thanks.

"Brian Komar" wrote:

I mean duplicating the Workstation Authentication certificate and changing
the subject tab to state that the subject is provided in the request. You
can then set permissions for a group that contains users who are local
Administrators on the target boxes.
Brian

"JSC" <JSC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D7AC4FE8-2682-42EA-973E-37D3106EB8DA@xxxxxxxxxxxxxxxx
Brian, thanks, that helped a lot in explaining things.

Would you mind expanding on the last part about creating a custom certificate
template.

Would this be like creating a template with a combination of workstation and
user certificate? We are already using user certificates, would workstation
and user signature only work?

"Brian Komar" wrote:

Inline...
"JSC" <JSC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:74B7FE85-37D9-49A5-9A21-E1018705D39A@xxxxxxxxxxxxxxxx
We are looking to deploy machine certs in our domain for 802.1x port based
authentication.

My question is what is the difference between the computer cert template and
the workstation cert template? Both say they can be used for
workstation/server authentication. Is the Computer cert a V1 cert and the
Workstation V2? Anybody have any experience setting this up in their
environment that will be willing to share information, I would appreciate it.

They are essentially the same. Both allow autoenrollment but through
different mechanisms. Computer (a v1 cert) allows autoenrollment through
ACRS. Workstation Authentication deploys through Autoenrollment Settings.

In testing I have both workstation and the computer cert template loaded on
my CA, but I cannot seem to get these certs to show up as available to
request through the certificate web pages. I will need to be able to do this
for machines that are not connected to the domain to get it through
autoenrollment and Apple OS X machines.

Neither is available through the Web pages because Web page requests are
done in the security context of the user, and these certificates are
requested through the machine's identity. You would have to create a custom
certificate template (based on either workstation or computer) that allows
the subject to be provided in the request.
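
An added example, not part of the original thread: one way to review the two settings Brian describes on a duplicated template (subject supplied in the request, Enroll permission limited to a chosen group). It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the Configuration partition; the output column names are this example's own.

```powershell
# Added example: list certificate templates that accept a requester-supplied
# subject and can be used for client authentication, with every principal
# that is allowed to enroll. Whether a template is actually published on a
# CA is a separate check that this script does not make.
Import-Module ActiveDirectory

$EnrolleeSuppliesSubject = 0x1                    # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'              # Client Authentication EKU
$EnrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AllRights     = [guid]::Empty                    # ACE applies to all extended rights

$configNC = (Get-ADRootDSE).configurationNamingContext
$base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props = 'displayName', 'msPKI-Certificate-Name-Flag', 'pKIExtendedKeyUsage'

Get-ADObject -SearchBase $base -SearchScope OneLevel `
    -Filter "objectClass -eq 'pKICertificateTemplate'" -Properties $props |
  Where-Object {
    # Keep only templates where the subject comes from the request
    # and the certificate is valid for client authentication.
    ($_.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject) -and
    ($_.pKIExtendedKeyUsage -contains $ClientAuthOid)
  } |
  ForEach-Object {
    $template = $_
    (Get-Acl -Path "AD:\$($template.DistinguishedName)").Access |
      Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
          # Full control implies Enroll.
          ($_.ActiveDirectoryRights -band
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -or
          # Explicit Enroll right, or an ACE granting all extended rights.
          (($_.ActiveDirectoryRights -band
             [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
           ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq $AllRights))
        )
      } |
      ForEach-Object {
        [pscustomobject]@{
          Template  = $template.displayName
          Principal = $_.IdentityReference.Value
          Rights    = $_.ActiveDirectoryRights
        }
      }
  } | Sort-Object Template, Principal | Format-Table -AutoSize
```

Broad principals such as Authenticated Users or Domain Computers in the output mean enrollment is not limited to the intended group.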