70-293 - certificate autoenrollment from MS White Papers ?

Discussion in 'MCSE' started by Marlin Munrow, Apr 13, 2004.

  1. Has anyone actually managed to get Certificate Autoenrollment to work
    reliably yet ?

    <RANT>
    Also, when it does work, why the hell does it take Soooooo long to
    issue user certificates if the original certificate gets deleted
    manually?
    </RANT>




    ================================
    My Hero:
    http://www.theregister.co.uk/content/30/index.html
    (remove vroomfondle to email me)
    ================================
     
    Marlin Munrow, Apr 13, 2004
    #1

  2. Marlin Munrow

    Tharg Guest

    Same here, I can get the computers to autoenroll but not the users...


    On Tue, 13 Apr 2004 01:49:22 +0100, Marlin Munrow
    <> wrote:

    >Has anyone actually managed to get Certificate Autoenrollment to work
    >reliably yet ?
    >
    ><RANT>
    >Also, when it does work, why the hell does it take Soooooo long to
    >issue user certificates if the original certificate gets deleted
    >manually?
    ></RANT>
    >
    >
    >
    >
    >================================
    >My Hero:
    >http://www.theregister.co.uk/content/30/index.html
    >(remove vroomfondle to email me)
    >================================
     
    Tharg, Apr 13, 2004
    #2

  3. On Tue, 13 Apr 2004 16:22:18 +0100, Tharg <>
    wrote:

    >Same here, I can get the computers to autoenroll but not the users...
    >
    >
    >On Tue, 13 Apr 2004 01:49:22 +0100, Marlin Munrow
    ><> wrote:
    >
    >>Has anyone actually managed to get Certificate Autoenrollment to work
    >>reliably yet ?
    >>
    >><RANT>
    >>Also, when it does work, why the hell does it take Soooooo long to
    >>issue user certificates if the original certificate gets deleted
    >>manually?
    >></RANT>
    >>
    >>
    >>
    >>
    >>================================
    >>My Hero:
    >>http://www.theregister.co.uk/content/30/index.html
    >>(remove vroomfondle to email me)
    >>================================



    I found this after a night of irritation and it *WORKS* - thanks to
    me-mate Chris S...
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

    Some really sketchy notes from my travels.
    Here are the steps I took (2003 Server Enterprise):

    ADUC - create new OU
    Rmc properties
    Group Policy Tab
    Click Open to open GPMC

    Select PKI Auto Enrol
    Create and Link a GPO here
    Name: PKI Auto
    Select PKI Auto, rmc EDIT
    Expand Windows Settings / Security Settings / Public Key Policies
    Double Click "Autoenrollment settings"
    Check "renew expired certificates..."
    Check "update certificates..."
    Apply / OK

    Open Certification authority
    Rmc certificate templates select manage
    Rmc on User template and choose DUPLICATE to make it type 2
    Template name is pki user

    On pki user security tab
    Select domain admins and set read/write/enrol/autoenroll
    Select enterprise admins and set read/write/enrol/autoenroll
    Select domain users and set read/ enrol/autoenroll
    Apply/OK

    Close certificate templates module

    Back in certification authority...
    Rmc on certificate templates
    Choose New -> Certificate template to issue
    Choose pki user, click OK

    Meanwhile back in GPMC...
    Expand Windows Settings / Security Settings / Public Key Policies /
    Automatic Certificate request settings
    Rmc New -> Automatic certificate request
    Select Computer , next , finish

    Expand Windows Settings / Security Settings / Public Key Policies /
    Trusted root certification authorities
    Rmc import
    Browse to a .p7b file exported earlier for this purpose
    Open , next , next , finish , OK


    Now, with all this in place I drag a new machine into the OU with this
    gpo applied and after a reboot "woosh" (sarcasm) the client gets its
    certificates (well actually sometimes they don't)
    ================================
    My Hero:
    http://www.theregister.co.uk/content/30/index.html
    (remove vroomfondle to email me)
    ================================
     
    Marlin Munrow, Apr 13, 2004
    #3
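
An added example, not part of the original posts: autoenrollment only happens for principals that hold Read, Enroll and Autoenroll on the template, so this PowerShell script reads the template's ACL from Active Directory and reports those rights per principal, along with anyone who can modify the template. It assumes a domain-joined Windows host with read access to the configuration partition; the default name `pki user` is the template name from the post above.

```powershell
# Added example (not from the thread): who can read, enroll and autoenroll
# on a certificate template, and who can modify it.
param([string]$TemplateName = 'pki user')    # template name used in the post above

# Extended-right GUIDs from the AD schema
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$AD = [System.DirectoryServices.ActiveDirectoryRights]

# Templates are stored in the forest configuration naming context
$configNC = ([adsi]'LDAP://RootDSE').configurationNamingContext
$base = [adsi]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(|(cn=$TemplateName)(displayName=$TemplateName)))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "Template '$TemplateName' not found" }

# Collect Allow ACEs per principal (Deny ACEs are not evaluated here)
$byPrincipal = @{}
foreach ($ace in $hit.GetDirectoryEntry().psbase.ObjectSecurity.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who = $ace.IdentityReference.Value
    if (-not $byPrincipal.ContainsKey($who)) {
        $byPrincipal[$who] = @{ Read = $false; Enroll = $false; Autoenroll = $false; Write = $false }
    }
    $p = $byPrincipal[$who]
    $r = $ace.ActiveDirectoryRights
    if (($r -band $AD::GenericRead) -eq $AD::GenericRead) { $p.Read = $true }
    if ($r -band ($AD::WriteProperty -bor $AD::WriteDacl -bor $AD::WriteOwner)) { $p.Write = $true }
    if ($r -band $AD::ExtendedRight) {
        # An empty ObjectType GUID means "all extended rights"
        $all = $ace.ObjectType -eq [guid]::Empty
        if ($all -or $ace.ObjectType -eq $enrollGuid)     { $p.Enroll = $true }
        if ($all -or $ace.ObjectType -eq $autoenrollGuid) { $p.Autoenroll = $true }
    }
}

$byPrincipal.GetEnumerator() | ForEach-Object {
    $v = $_.Value
    [pscustomobject]@{
        Principal     = $_.Key
        Read = $v.Read; Enroll = $v.Enroll; Autoenroll = $v.Autoenroll; Write = $v.Write
        CanAutoenroll = $v.Read -and $v.Enroll -and $v.Autoenroll
    }
} | Sort-Object Principal | Format-Table -AutoSize
```

The report is per ACL entry, so a user's effective rights are the union of the rows for every group they belong to. Any broad group showing `Write = True` deserves a second look, since write access to a template lets its holder change what the CA will issue.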
