Solved

Certificate Authority, CA, Windows 2008

Posted on 2014-03-27
Last Modified: 2014-03-31
Hi experts,

Please help.
I want to set permissions so that only selected people can access the certificate request page.
I checked in the manual; I see that the option is available only for enabling and disabling authentication in IIS.
I do not see where to link the user IDs.

Regards,
Skumar.
Question by:Skumar_CCSA


Expert Comment

by:Mahesh
ID: 39961084
What is your exact requirement?

If you want to grant certain users access to request certificates, you need to control it through certificate templates in Active Directory.
Certificate templates are available only if you have an AD-integrated CA installed.

Check the links below for more information:
http://blogs.technet.com/b/askds/archive/2010/05/27/designing-and-implementing-a-pki-part-iii-certificate-templates.aspx
http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=7586FB54C3F4697EE3E64F75DDFD9042?externalId=KB27149&sliceId=2&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

Mahesh.
Author Comment

by:Skumar_CCSA
ID: 39961489
It is a standalone Root CA.
No domain.

Expert Comment

by:Mahesh
ID: 39961539
I think you have raised another question for the same reason; I have posted my comment there on how to achieve this.

If you set IIS rules, and if this server is in a workgroup, then you can restrict web site use to local users only.

Another way you could do that is by restricting TCP ports 80 and 443 towards the web server from other network segments; this can be achieved through Windows Firewall rules on the server itself, or through any network firewall between the computers and this server.
Author Comment

by:Skumar_CCSA
ID: 39961575
Wow... I am getting more info...
Mahesh, can you please help me by giving some links...
The server is in a domain environment, with a standalone Root CA installed.
Admins will request a certificate through the URL, issue the certificate from the CA, and export the certificate from the cert URL. (Basically this has been set up for client authentication for non-domain laptops.)

For the restriction:

I logged on to Windows.
Opened IIS, disabled anonymous access... Enabled Windows Authentication; in the edit option I set Extended Protection to Require.
After doing this I see that when accessing the URL from a network PC, it asks for a username and password... but it does not go through even when I give the CA server's local account.

In this scenario, are there any settings (either at the firewall or IIS level) that can help protect the page? It must ask for a username and password, and allow access after successful validation.

Please help...
Thanks for your help...

Regards,
Skumar.
Author Comment

by:Skumar_CCSA
ID: 39962001
Hi Mahesh...

Please help...
Regards,
Skumar

Accepted Solution

by:Mahesh (earned 500 total points)
ID: 39962976
Enable the Basic Authentication role service in IIS, then disable Windows Authentication and Anonymous Authentication and enable Basic Authentication on the server, the Default Web Site and the certsrv virtual directory; then it will work by providing a username and password.

Also, you need to directly edit the NTFS permissions on the IIS certsrv virtual directory; otherwise any user who has entered an AD username and password will get web page access.
You may create an AD group with all the unwanted users as members and give them Deny Read permissions on the Certsrv virtual directory.

OR

You could install the URL Authorization role service in IIS and then deny permissions to the above group from there:
http://www.iis.net/configreference/system.webserver/security/authorization

Also, you can/may use Windows Firewall on the certificate server as well to control which machines can connect to the web site.

Mahesh
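The IIS, URL authorization and firewall steps from the accepted solution, written out as an added PowerShell example (not from the thread or from Microsoft). It assumes Windows Server 2008 R2 / IIS 7.5 with the WebAdministration module and the Basic Authentication and URL Authorization role services installed, a virtual directory called CertSrv under Default Web Site, and a placeholder deny group `CORP\CertSrv-Denied` and admin subnet `10.0.5.0/24` that you would substitute with your own.

```powershell
# Added example: lock down the CA web enrollment pages (CertSrv) as described
# in the accepted answer. Placeholders: group 'CORP\CertSrv-Denied' and subnet
# 10.0.5.0/24 are assumptions, replace them with your own values.
Import-Module WebAdministration

$vdir   = 'IIS:\Sites\Default Web Site\CertSrv'
$denied = 'CORP\CertSrv-Denied'   # AD group holding the users to keep out

# 1. Authentication: Anonymous and Windows auth off, Basic auth on.
#    The authentication sections are locked at server level, so the IIS:
#    provider writes <location> overrides into applicationHost.config.
$auth = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $vdir -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $vdir -Filter "$auth/windowsAuthentication"   -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $vdir -Filter "$auth/basicAuthentication"     -Name enabled -Value $true

# 2. Basic auth only base64-encodes the password, so require SSL on the
#    virtual directory; the enrollment pages then answer on 443 only.
Set-WebConfigurationProperty -PSPath $vdir -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 3. URL authorization: add an explicit Deny rule for the unwanted group.
#    The inherited "Allow all users" rule stays, so everyone else who can
#    authenticate still reaches the page. Deny rules are evaluated first.
Add-WebConfiguration -PSPath $vdir -Filter '/system.webServer/security/authorization' `
    -Value @{ accessType = 'Deny'; roles = $denied }

# 4. Windows Firewall: only the admin subnet may reach 80/443. Block rules
#    always win over allow rules in Windows Firewall, so do NOT add a broad
#    block rule; instead disable the stock WWW allow rules and add a scoped one.
#    (Server 2008 has no NetSecurity cmdlets, hence netsh.)
netsh advfirewall firewall set rule name="World Wide Web Services (HTTP Traffic-In)"  new enable=no
netsh advfirewall firewall set rule name="World Wide Web Services (HTTPS Traffic-In)" new enable=no
netsh advfirewall firewall add rule name="CertSrv web - admin subnet only" dir=in action=allow `
    protocol=TCP localport=80,443 remoteip=10.0.5.0/24

# 5. Verify the effective settings on the virtual directory.
Get-WebConfiguration -PSPath $vdir -Filter "$auth/*" | Select-Object SectionPath, enabled
Get-WebConfiguration -PSPath $vdir -Filter '/system.webServer/security/authorization/add' |
    Select-Object accessType, users, roles
```

Test from a workstation in the admin subnet with a browser and, separately, from a member of the deny group: the first should get a credential prompt and then the enrollment page, the second a 401 even with valid credentials.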

Author Comment

by:Skumar_CCSA
ID: 39968259
Thank you so much.