Click here to get back home

Machine Cert Question - Web Request Question
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Machine Cert Question - Web Request Question JSC 02-13-2008
Posted by JSC on February 13, 2008, 1:11 pm
Please log in for more thread options
 We are looking to deploy machine certs in our domain for 802.1x port based
authentication.

My question is what is the difference between the computer cert template and
the workstation cert template? Both say they can be used for
workstation/server authentication. Is the Computer cert a V1 cert and the
Workstation V2? Anybody have any experience setting this up in their
environment that will be willing to share information, I would appreciate it.

In testing I have both workstation and the computer cert template loaded on
my CA, but I cannot seem to get these certs to show up as available to
request through the certificate web pages. I will need to be able to do this
for machines that are not connected to the domain to get it through
autoenrollment and Apple OS X machines.


Posted by Brian Komar on February 13, 2008, 6:07 pm
Please log in for more thread options
 Inline...
> We are looking to deploy machine certs in our domain for 802.1x port based
> authentication.
>
> My question is what is the difference between the computer cert template
> and
> the workstation cert template? Both say they can be used for
> workstation/server authentication. Is the Computer cert a V1 cert and
> the
> Workstation V2? Anybody have any experience setting this up in their
> environment that will be willing to share information, I would appreciate
> it.

They are essentially the same. Both allow autoenrollment but through
different mechanisms. Computer (a v1 cert) allows autoenrollment through
ACRS. Workstation Authentication deploys through Autoenrollment Settings.
>
> In testing I have both workstation and the computer cert template loaded
> on
> my CA, but I cannot seem to get these certs to show up as available to
> request through the certificate web pages. I will need to be able to do
> this
> for machines that are not connected to the domain to get it through
> autoenrollment and Apple OS X machines.

Neither is available through the Web pages because Web page requests are
done in the security context of the user, and these certificates are
requested through the machine's identity. You would have to create a custom
certificate template (based on either workstation or computer) that allows
the subject to be provided in the request.

>


Posted by JSC on February 14, 2008, 10:11 am
Please log in for more thread options
Brian, thanks, that helped a lot in explaining things.

Woud you mind expanding on the last part about creating a custom certificate
template.

Would this be like creating a template with a combination of workstation and
user certificate? We are already using user certificates, would workstation
and user signature only work?

"Brian Komar" wrote:

> Inline...
> > We are looking to deploy machine certs in our domain for 802.1x port based
> > authentication.
> >
> > My question is what is the difference between the computer cert template
> > and
> > the workstation cert template? Both say they can be used for
> > workstation/server authentication. Is the Computer cert a V1 cert and
> > the
> > Workstation V2? Anybody have any experience setting this up in their
> > environment that will be willing to share information, I would appreciate
> > it.
>
> They are essentially the same. Both allow autoenrollment but through
> different mechanisms. Computer (a v1 cert) allows autoenrollment through
> ACRS. Workstation Authentication deploys through Autoenrollment Settings.
> >
> > In testing I have both workstation and the computer cert template loaded
> > on
> > my CA, but I cannot seem to get these certs to show up as available to
> > request through the certificate web pages. I will need to be able to do
> > this
> > for machines that are not connected to the domain to get it through
> > autoenrollment and Apple OS X machines.
>
> Neither is available through the Web pages because Web page requests are
> done in the security context of the user, and these certificates are
> requested through the machine's identity. You would have to create a custom
> certificate template (based on either workstation or computer) that allows
> the subject to be provided in the request.
>
> >
>

Posted by Brian Komar on February 14, 2008, 4:03 pm
Please log in for more thread options
I mean duplicating the Workstation Authentication certificate and changing
the subject tab to state that the subject is provided in the request. You
can then set permissions for a group that contains users who are local
Administrators on the target boxes.
Brian

> Brian, thanks, that helped a lot in explaining things.
>
> Woud you mind expanding on the last part about creating a custom
> certificate
> template.
>
> Would this be like creating a template with a combination of workstation
> and
> user certificate? We are already using user certificates, would
> workstation
> and user signature only work?
>
> "Brian Komar" wrote:
>
>> Inline...
>> > We are looking to deploy machine certs in our domain for 802.1x port
>> > based
>> > authentication.
>> >
>> > My question is what is the difference between the computer cert
>> > template
>> > and
>> > the workstation cert template? Both say they can be used for
>> > workstation/server authentication. Is the Computer cert a V1 cert and
>> > the
>> > Workstation V2? Anybody have any experience setting this up in their
>> > environment that will be willing to share information, I would
>> > appreciate
>> > it.
>>
>> They are essentially the same. Both allow autoenrollment but through
>> different mechanisms. Computer (a v1 cert) allows autoenrollment through
>> ACRS. Workstation Authentication deploys through Autoenrollment Settings.
>> >
>> > In testing I have both workstation and the computer cert template
>> > loaded
>> > on
>> > my CA, but I cannot seem to get these certs to show up as available to
>> > request through the certificate web pages. I will need to be able to
>> > do
>> > this
>> > for machines that are not connected to the domain to get it through
>> > autoenrollment and Apple OS X machines.
>>
>> Neither is available through the Web pages because Web page requests are
>> done in the security context of the user, and these certificates are
>> requested through the machine's identity. You would have to create a
>> custom
>> certificate template (based on either workstation or computer) that
>> allows
>> the subject to be provided in the request.
>>
>> >
>>


Posted by JSC on February 15, 2008, 8:18 am
Please log in for more thread options
Gotcha. Thanks.

"Brian Komar" wrote:

> I mean duplicating the Workstation Authentication certificate and changing
> the subject tab to state that the subject is provided in the request. You
> can then set permissions for a group that contains users who are local
> Administrators on the target boxes.
> Brian
>
> > Brian, thanks, that helped a lot in explaining things.
> >
> > Woud you mind expanding on the last part about creating a custom
> > certificate
> > template.
> >
> > Would this be like creating a template with a combination of workstation
> > and
> > user certificate? We are already using user certificates, would
> > workstation
> > and user signature only work?
> >
> > "Brian Komar" wrote:
> >
> >> Inline...
> >> > We are looking to deploy machine certs in our domain for 802.1x port
> >> > based
> >> > authentication.
> >> >
> >> > My question is what is the difference between the computer cert
> >> > template
> >> > and
> >> > the workstation cert template? Both say they can be used for
> >> > workstation/server authentication. Is the Computer cert a V1 cert and
> >> > the
> >> > Workstation V2? Anybody have any experience setting this up in their
> >> > environment that will be willing to share information, I would
> >> > appreciate
> >> > it.
> >>
> >> They are essentially the same. Both allow autoenrollment but through
> >> different mechanisms. Computer (a v1 cert) allows autoenrollment through
> >> ACRS. Workstation Authentication deploys through Autoenrollment Settings.
> >> >
> >> > In testing I have both workstation and the computer cert template
> >> > loaded
> >> > on
> >> > my CA, but I cannot seem to get these certs to show up as available to
> >> > request through the certificate web pages. I will need to be able to
> >> > do
> >> > this
> >> > for machines that are not connected to the domain to get it through
> >> > autoenrollment and Apple OS X machines.
> >>
> >> Neither is available through the Web pages because Web page requests are
> >> done in the security context of the user, and these certificates are
> >> requested through the machine's identity. You would have to create a
> >> custom
> >> certificate template (based on either workstation or computer) that
> >> allows
> >> the subject to be provided in the request.
> >>
> >> >
> >>
>

Similar ThreadsPosted
SSL Web Server Cert Question November 30, 2006, 5:32 pm
Win2K3 CA, web cert request problem June 26, 2006, 9:47 am
Request Cert via certificates MMC snapin with CA in parent domain December 6, 2006, 10:44 am
CA Question August 1, 2006, 11:16 am
ASR question. September 15, 2006, 8:13 pm
SCW question. November 7, 2006, 11:17 am
CA question November 30, 2007, 12:53 pm
eventcombMT question December 8, 2005, 11:34 am
.NET Identity question January 19, 2006, 7:59 am
ftp newbie question March 20, 2006, 9:36 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap