Hi, I am trying to set up our Windows 2003 SBS Server to
use L2TP. I have been able to set it up using MS-CHAP V2,
but I want to use EAP-TLS authentication with locally
installed user certificates. I want to set up these
certificates to be automatically enrolled. I have
followed the steps outlined in:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CS_userauto_example.asp

But when I try to issue a new certificate to issue the
created template does not exist in the list of templates.

In the creation of the template there is a step to ensure
that the template is published in Active Directory. Now
my Forest and Domain are still running at Windows 2000
Functional Level. I suspect that this may be the cause of
the issue, but I can not find confirmation of this in
Certificate Services documentation. But I also know
that automatic enrollment of computer certificates works.

Thus can anyone confirm the requirement of raising the
domain/forest functional level for automatic enrollment
of User Certificates.

Is there another cause to this issue?
Any other tips related to Certificate Services and my
setup of EAP-TLS authentication of VPN users are most
welcome.

Jose

Re: Creating Automatic enrollment of User Certificates by Paul

Paul
Tue Aug 03 05:50:54 CDT 2004

In article <9d8601c47915$f443e1a0$a601280a@phx.gbl>, in the
microsoft.public.security news group, Jose
<anonymous@discussions.microsoft.com> says...

> But when I try to issue a new certificate to issue the
> created template does not exist in the list of templates.
>
> In the creation of the template there is a step to ensure
> that the template is published in Active Directory. Now
> my Forest and Domain are still running at Windows 2000
> Functional Level. I suspect that this may be the cause of
> the issue, but I can not find confirmation of this in
> Certificate Services documentation. But I also know
> that automatic enrollment of computer certificates works.
>
> Thus can anyone confirm the requirement of raising the
> domain/forest functional level for automatic enrollment
> of User Certificates.

This has nothing to do with the domain or forest functional level.
>
> Is there another cause to this issue?

I'm not all that familiar with SBS. Does the version of SBS you're using
function like Windows Server 2003 Standard or Enterprise Edition? If the
former, then that's your problem. A CA running on Standard edition only
supports V1 templates.

More information can be found here:

http://www.microsoft.com/pki

--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.

Re: Creating Automatic enrollment of User Certificates by Jose

Jose
Wed Aug 18 00:21:59 CDT 2004

> I'm not all that familiar with SBS. Does the version of SBS you're using
> function like Windows Server 2003 Standard or Enterprise Edition? If the
> former, then that's your problem. A CA running on Standard edition only
> supports V1 templates.
>
> More information can be found here:
>
> http://www.microsoft.com/pki

Thanks again, Paul. SBS is equivalent to Standard edition
(thus my issue) except:
Does not support Trusts between Domains
Limited to 75 users

Thanks
Jose