How do you create an RA in a DMZ on a non domain computer to send certificate
requests to an internal issuing enterprise CA?

Thanks,
RJ

Re: Creating a registration authority for Windows Server 2003 by David

David
Thu Mar 24 07:20:07 CST 2005

This paper may help you:

Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx


--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.


Top Whitepapers:

Auto-enrollment whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Troubleshooting Certificate Status and Revocation whitepaper:
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx



Re: Creating a registration authority for Windows Server 2003 by RJ

RJ
Fri Mar 25 11:01:02 CST 2005

Thanks David, this is exactly what I needed.

I had one question about this link and one additional question. The article
says that the Web Enrollment pages "generally need to be installed" on a
domain computer that is part of the same Active Directory Realm as the CA.
This must mean that it could be installed in some scenario on a DMZ non
domain computer? Do you happen to know if there is a whitepaper for this?

Also, do you know if it is possible to set up restrictions so that the same
user would not be able to request an additional certificate? Once they
request a cert, then the second request would be denied?

Thanks again for the posting of your links!


Re: Creating a registration authority for Windows Server 2003 by David

David
Mon Mar 28 07:55:55 CST 2005

Unfortunately, the answer is "no" to both questions. I apologize for the
misleading phrasing in the whitepaper.

--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.





Re: Creating a registration authority for Windows Server 2003 by RJ

RJ
Mon Mar 28 09:53:08 CST 2005

OK. Thanks for the reply. This has been the most useful and timely post I
have had.

Have a good one!

Thanks,
RJ



Re: Creating a registration authority for Windows Server 2003 by RJ

RJ
Wed Apr 13 21:14:02 CDT 2005

David,

I have the web enrollment set up but I have run into a problem with the error,

"No certificate templates could be found. You do not have permissions to
request a certificate from this CA, or an error occurred while accessing the
Active Directory."

I run into this error whether I use the advanced certificate request page or
the auto enroll link. I have followed all troubleshooting steps in the
article and allowed all traffic between the proxy and the CA to flow without
restriction or NAT. Do you have any ideas what the problem might be?

Thanks,
RJ
