Solved

Use of certificates across different AD forests

Posted on 2009-07-16
2
2,128 Views
Last Modified: 2012-06-27
Hello,

Our company has just had a merger.  This means that we have 4 AD forests.  Forest1 has an AD integrated certificate server which is used for 802.1x authentication.  The other forests do not have a certificate server.  We are currently in the process for migrating everyone to Forest1, but in the meantime we need everyone is the other forests to be able to use forest1's certificates for authentication.  Would this be possible?  There are trusts between the domains, but we can't seem to get it working.  

Each time we browse to the certificate server to request a new certificate we get the following message:

Certificate Request Denied  

Your certificate request was denied.

Your Request Id is 13024. The disposition message is "Denied by Policy Module 0x8007202b, The requester's Active Directory object is not in the current forest. Cross forest enrollment is not enabled. CN=XXXXX,CN=Users,DC=XXXXX,DC=XXX,DC=XXX ldap: 0xa: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points ref 1: 'XXXXX.XXX.XXX' ".
Contact your administrator for further information.

Is there any way to enable Cross forest enrolment?  From what we have read you need windows 2008 server.  At the moment we only have 2003 server.  We would also like to do this without having to introduce new certificate servers to the domains.

Thanks for any help you can give
0
Comment
Question by:dccdesktop
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24870367
Cross forest enrollment is going to be a new CA feature in 2008 R2, whenever that ends up being.  In my opinion, this is probably the biggest advancement in MS cert services since 2003 came out.  SCEP was nice, but this is a much bigger deal.

For now, you would need to create a local account in that domain and then issue the cert, export it including private key, and then install it on the end workstation.  At least one of your CDP locations will need to be accessible from the other workstations (for the root CA and any applicable subordinate CAs), which hopefully isn't too big of a deal.

Unless you are itchy enough to start testing on the beta and roll out a new subordinate CA for this purpose, that's about how it has to be for another year or so.

Here are a couple links about this upcoming feature:

http://blogs.technet.com/pki/

(big download)
http://download.microsoft.com/download/f/2/1/f2146213-4ac0-4c50-b69a-12428ff0b077/Windows_Vista_PKI_Enhancement_in_Windows_7_and_Windows_Server_2008_R2.pptx
0
 

Author Closing Comment

by:dccdesktop
ID: 31604147
Thanks. I had a feeling that 2008 was the only way to do what we wanted.
0

Featured Post

The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question