Posted by Brian Komar on May 19, 2007, 3:56 pm
Some answers inline.
On 18 May 2007 08:02:35 -0700, Enrico wrote:
> Hello,
>
> I am currently in the process of researching the features of user
> certificate autoenrollment for a proof of concept using Outlook Web
> Access to an Exchange 2007 environment.
>
> I would like to implement a scenario where a user provisioned with an
> exchange email box and address would be able to automatically obtain a
> user certificate from the CA by accessing a secure portal or OWA.
They could access the certificate from a secure portal. OWA does not have
any certificate enrollment code included.
>
> 1. Given that autoenrollment works via winlogon or Group policy, the
> user should be able to obtain the certificate since they are
> authenticating to AD with their username/password (as the user is an AD
> account object), correct?
No. The computer must also be a member of the forest. Although the user
account is used, there is no knowledge of an enterprise CA, available
certificate templates, etc.
>
> 2. Does autoenrollment only work when a user logs onto a VPN or a
> computer that is physically on the domain of the issuing CA?
Correct. The user and the computer must be a member of the forest. Even in
a VPN scenario.
>
> Any links to documentation outlining this feature of PKI would be much
> appreciated.
Look for the autoenrollment whitepaper available at www.microsoft.com/pki.
I also cover it in my PKI book.
>
>
> Thank you,
>
> Enrico
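As an added example (not code from the thread or from either poster), the following PowerShell script reports the prerequisites Brian lists above for a given workstation: whether the computer is domain-joined, which domain the logged-on user came from, and whether the autoenrollment Group Policy has been applied to the machine and the user. It reads the `AEPolicy` value under `SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment` in HKLM and HKCU; treating the 0x8000 bit of that value as "policy explicitly disabled" and the absence of the value as "policy not applied" are the script's own assumptions.

```powershell
# Added example, not from the thread: summarise why user certificate
# autoenrollment would or would not run on this machine. Assumptions:
# AEPolicy lives under SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment,
# a missing value means no policy applied, and bit 0x8000 means disabled.

function Get-AEPolicyValue {
    param([Parameter(Mandatory)][string]$HivePath)   # 'HKLM:' or 'HKCU:'
    $key  = Join-Path $HivePath 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $item = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }           # no Group Policy applied here
    return [int]$item.AEPolicy
}

function Format-AEPolicy {
    param([AllowNull()][System.Nullable[int]]$Value)
    if ($null -eq $Value)             { return 'not configured (no policy applied)' }
    if ($Value -band 0x8000)          { return ('disabled (0x{0:X})' -f $Value) }   # assumption
    return ('enabled (0x{0:X})' -f $Value)
}

function Get-AutoEnrollmentStatus {
    # Win32_ComputerSystem.PartOfDomain is $true only for domain-joined machines.
    $cs        = Get-CimInstance -ClassName Win32_ComputerSystem
    $machineAE = Get-AEPolicyValue -HivePath 'HKLM:'
    $userAE    = Get-AEPolicyValue -HivePath 'HKCU:'

    # Brian's two conditions: the computer is in the forest, and the user is a
    # forest account (USERDNSDOMAIN is empty for local accounts).
    $computerOk = [bool]$cs.PartOfDomain
    $userOk     = -not [string]::IsNullOrEmpty($env:USERDNSDOMAIN)
    $policyOk   = ($null -ne $machineAE -and -not ($machineAE -band 0x8000)) -or
                  ($null -ne $userAE    -and -not ($userAE    -band 0x8000))

    $reasons = @()
    if (-not $computerOk) { $reasons += 'computer is not domain-joined (workgroup: {0})' -f $cs.Workgroup }
    if (-not $userOk)     { $reasons += 'logged-on user is a local account, not an AD account' }
    if (-not $policyOk)   { $reasons += 'autoenrollment policy not applied or disabled for both machine and user' }

    [pscustomobject]@{
        ComputerName      = $cs.Name
        ComputerInDomain  = $computerOk
        ComputerDomain    = if ($computerOk) { $cs.Domain } else { $null }
        UserDomain        = $env:USERDNSDOMAIN
        MachineAEPolicy   = Format-AEPolicy $machineAE
        UserAEPolicy      = Format-AEPolicy $userAE
        AutoEnrollReady   = ($computerOk -and $userOk -and $policyOk)
        Blockers          = if ($reasons.Count) { $reasons -join '; ' } else { 'none' }
    }
}

Get-AutoEnrollmentStatus | Format-List
```

Run it in the user's own session (not an elevated admin prompt from a different account), since the HKCU branch must reflect the user who is expected to enroll. If `AutoEnrollReady` is true, `certutil -pulse` (machine) or `certutil -user -pulse` (user) triggers the autoenrollment pass immediately instead of waiting for the next logon or Group Policy refresh; if it is false on a machine that reaches Exchange only through OWA, the `Blockers` line shows the same gap Brian describes, and the certificate has to come from an enrollment portal instead.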