I need some help figuring out how to go about setting up
the server and active directory to handle this problem.

I have a secure website that distributes certificates for
users to use to access their website. There are 3000+
users on our network and maybe a few hundred of these
users will be needing access to the website. Is there a way
to store the certificates in Active Directory? I'm trying
to centralize this as much as possible.

Thanks for the help

Sean

Re: Storing User Certificates in Active Directory by anonymous

anonymous
Mon Jan 26 10:07:11 CST 2004

In short, we were using mandatory roaming profiles. In
Windows XP, you cannot use certificates and mandatory
profiles. So, instead of using mandatory profiles, I was
going to, at least try to, set up a lockdown desktop and
user configuration using GPOs. And in this way,
everything is centralized, so if something does happen
with the profile, the certificate is still intact.

Does that make sense? If you have any suggestions, please
let me know.

Sean


>-----Original Message-----
>In article <3fe501c3e420$9e60b450$a301280a@phx.gbl>, in the
>microsoft.public.security news group, Sean Mc.
><anonymous@discussions.microsoft.com> says...
>
>> I need some help figuring out how to go about setting up
>> the server and active directory to handle this problem.
>>
>> I have a secure website that distributes certificates for
>> users to use to access their website. There are 3000+
>> users on our network and maybe a few hundred of these
>> users will be needing access to the website. Is there a way
>> to store the certificates in Active Directory? I'm trying
>> to centralize this as much as possible.
>
>Why do you feel the need to store these certs in AD? The short answer to
>your question is yes, absolutely. As long as the template that the
>certificate is based upon is configured to do so, then the certs will be
>stored in AD.
>Lots of information here - HTTP://www.microsoft.com/pki
>
>--
>Paul Adare
>Moral indignation is jealousy with a halo.
>H. G. Wells, The Wife of Sir Isaac Harman

Re: Storing User Certificates in Active Directory by Krish

Krish
Mon Jan 26 11:25:38 CST 2004

For a Win2k CA it publishes the User certificate to AD by default. You can
configure any template to publish to AD for a Win2k3 CA.
However publishing the certificate to AD will not save the private key in
AD. The private key will be on the machine and can be lost. You would have
to use the key archival and recovery functionality in Win2k3 CA to be able
to recover private keys.

--
Krish Shenoy[MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
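
Added example, not part of the original thread: a read-only PowerShell audit of the certificates published to each user's userCertificate attribute, showing that AD holds only the public certificate (HasPrivateKey is False), which is why key archival is needed for recovery. It assumes a domain-joined machine, PowerShell 5 or later, and a 30-day expiry warning window chosen for illustration.

```powershell
# Added example (not from the thread): list certificates published to AD user objects.
# Read-only; queries the current domain's default naming context.
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(userCertificate=*))'
$searcher.PageSize = 1000   # enable paging so a directory with 3000+ users is fully returned
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('userCertificate')

$warnDays = 30              # assumption: flag certificates expiring within 30 days
$now      = Get-Date

$results = $searcher.FindAll()
$report = foreach ($entry in $results) {
    # Result property names are stored in lower case.
    $account = [string]$entry.Properties['samaccountname'][0]

    # userCertificate is multi-valued: one DER-encoded X.509 certificate per value.
    foreach ($der in $entry.Properties['usercertificate']) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)

        $status = if ($cert.NotAfter -lt $now) { 'Expired' }
                  elseif ($cert.NotAfter -lt $now.AddDays($warnDays)) { 'Expiring' }
                  else { 'Valid' }

        [pscustomobject]@{
            Account       = $account
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Status        = $status
            # A certificate loaded from the directory never carries a private key;
            # the key stays in the user's profile on the machine that enrolled.
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}
$results.Dispose()

$report | Sort-Object NotAfter | Format-Table -AutoSize
```

Expired entries in the output are candidates for cleanup from the attribute; users with no entry either never enrolled or were issued from a template that does not publish to AD.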



Re: Storing User Certificates in Active Directory by anonymous

anonymous
Tue Jan 27 06:54:33 CST 2004

Is there any documentation on how to do this or where I
can read about this?
