Request Computer Certificate from Certificate Authority
Introduction: Microsoft PKI infrastructure can be scaled to support users, workstations, devices and
applications. With the constant demand for more secure communication, Microsoft PKI enforces strong
security with the help of certificates and key logic. This article explains the behavior of a Standard User vs
an Administrator when requesting a certificate.
Infrastructure: The steps below are performed on a single Active Directory site installed on Windows
Server 2008 R2, with the Forest Functional Level and Domain Functional Level both set to Windows Server 2008
R2. The server is also configured as the Certificate Authority. You read that correctly: both the
Domain Controller role and the Certificate Authority role are configured on the same server.
Rationale: There are situations where the customer provides only a few physical / virtual servers on which to
build the solution for development / testing environments. The administrator / consultant who is deploying
the solution should raise the risks and understand the impact of installing both roles on the same server.
Risks: The CA cannot be configured as offline. The CA should not be configured for Internet-facing clients.
Architectural Diagram: [figure not reproduced; labels: Active Directory Infrastructure, PKI Infrastructure, Switch, Router, Windows 8 Clients]
Test Case Scenarios
Scenario 1: Requesting a machine-level certificate with a Standard User account without
Administrator privileges. The Standard User is a member of the Active Directory domain.
Steps:
Step1: Click Start > Run > MMC and press Enter
Step2: Select Certificates and click Add
Step3:
In the above scenario, the user cannot request a machine certificate; a Standard User can only
request a user certificate.
Scenario 2: Requesting a machine-level certificate with a Standard User account with
Administrator privileges. The Standard User is a member of the Active Directory domain.
Note: Changes to machine-level group membership require the computer to be restarted.
Steps:
Step1: Click Start > Run > MMC and press Enter
Step2: Select Certificates and click Add
Step3: When you click Add, the following options are displayed
Step4: The Administrator / Super User can select Computer Account on the local computer, or can
select a remote computer, to access certificates
In the above scenario, the Standard User with Administrator privileges is able to add the
computer certificate successfully.
Scenario 3: Requesting a machine-level certificate with a Standard User account with PowerUser
privileges. The Standard User is a member of the Active Directory domain.
The result is the same as Scenario 1: a Standard User with PowerUser privileges cannot request
machine-level certificates.
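
The three scenarios can also be checked from PowerShell instead of the MMC snap-in. The script below is an added example, not part of the original article; it assumes a Windows 8 or later client with the PKI module, enrollment policy pointing at the domain CA, and the built-in certificate templates named `Machine` and `User`. The function name is hypothetical.

```powershell
# Added example (not from the original article).
# Assumptions: PKI module available (Windows 8 / PowerShell 3.0 or later),
# built-in templates 'Machine' and 'User' are published on the CA.

function Test-MachineEnrollmentContext {
    # Reports which groups the *current token* holds. A member of
    # Administrators running a non-elevated process reports False here,
    # which is why the snap-in must also be started elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $isPower   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::PowerUser)

    [pscustomobject]@{
        User                  = $identity.Name
        IsAdministrator       = $isAdmin
        IsPowerUser           = $isPower
        # Per the scenarios above: only Administrator (Scenario 2) can
        # request a machine certificate; Standard User and Power User cannot.
        CanRequestMachineCert = $isAdmin
    }
}

$ctx = Test-MachineEnrollmentContext
$ctx | Format-List

if ($ctx.CanRequestMachineCert) {
    # Scenario 2: enroll into the computer's personal store.
    $result = Get-Certificate -Template 'Machine' `
                              -CertStoreLocation 'Cert:\LocalMachine\My'
} else {
    # Scenarios 1 and 3: only the user's own store is writable.
    $result = Get-Certificate -Template 'User' `
                              -CertStoreLocation 'Cert:\CurrentUser\My'
}

# Status is Issued, Pending or Denied; Certificate is set only when issued.
$result.Status
if ($result.Certificate) {
    $result.Certificate | Select-Object Subject, Thumbprint, NotAfter
}
```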