Sunday, July 21, 2013

Delegating duplication of all certificate templates and management of CA servers for an Enterprise CA on Windows Server

By default, only members of Enterprise Admins can duplicate certificate templates. To delegate duplication of all certificate templates to another user or group, we need to modify the security settings in Active Directory.

Lab environment
Host name: DC01.adcslab.local
Roles: Domain Controller and DNS server of adcslab.local
Operating System: Windows Server 2008 R2

Host name: DC02.corp.adcslab.local
Roles: Domain Controller and DNS server of corp.adcslab.local
Operating System: Windows Server 2008 R2

Host name: CS01.corp.adcslab.local
Roles: member server of corp.adcslab.local and AD CS
Operating System: Windows Server 2008 Enterprise x64 edition

CA environment:
1 CA server, CS01.corp.adcslab.local, with ADCSLAB root CA

Goal
Grant Terry, a user in corp.adcslab.local, the right to manage all certificate templates.

Configuring Manage CA permissions
By default, the Enterprise Admins and Domain Admins groups and the local Administrators group of the AD CS server can manage the "Certification Authority". Now, I will grant Terry, a user in corp.adcslab.local, permission to manage the CA.

1. On CS01, log in as corp.adcslab.local Administrator.
2. Launch "Certification Authority".
3. Right-click "ADCSLAB Root CA", select "Properties".


4. On "ADCSLAB Root CA Properties" window, select "Security" tab.


5. On "Security" tab, click "Add".
6. On "Select Users, Computers, or Groups" window, enter "Terry".


7. Click "OK".
8. Next to "Permissions for Terry", check "Allow - Issue and Manage Certificates" and "Allow - Manage CA".


9. Click "OK".

Remark: In a production environment, we should grant the permissions to a global or universal group that contains the users who manage the CA.

Test result
1. On CS01, log in as Terry.
2. Launch "Certification Authority".
3. Expand "ADCSLAB Root CA > Certificate Templates".


4. On right pane, right-click "Basic EFS" and then select "Delete".


5. On "Disable certificate templates" window, click "Yes".


As a result, Terry can manage ADCSLAB Root CA.
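The steps above grant the rights through the GUI, and the remark advises granting them to a group rather than to a user. The following PowerShell script is an added example, not code from the original post: it reads the CA's access control list and reports who holds "Manage CA" and "Issue and Manage Certificates", flagging any of those rights held directly by a user account (as Terry does in this lab) so they can be moved to a group. It assumes the lab's CA config string and the ICertAdmin2 COM interface (ProgID CertificateAuthority.Admin), whose GetCASecurity method returns the CA security descriptor as an SDDL string.

```powershell
# Added example, not part of the original post: audit who holds administrative
# rights on the CA and flag grants made directly to user accounts.
# Assumption: the CA config string below (from the lab) and the ICertAdmin2 COM
# interface (ProgID CertificateAuthority.Admin). Run on a host with the AD CS
# management tools, as an account allowed to read CA security.
param(
    [string]$CAConfig = "CS01.corp.adcslab.local\ADCSLAB Root CA"
)

# CA access-mask bits as defined in certadm.h; these are the four rights the
# "Security" tab of the CA properties dialog exposes.
$RightNames = @{
    0x001 = "Manage CA"                       # CA_ACCESS_ADMIN
    0x002 = "Issue and Manage Certificates"   # CA_ACCESS_OFFICER
    0x100 = "Read"                            # CA_ACCESS_READ
    0x200 = "Request Certificates"            # CA_ACCESS_ENROLL
}

function Get-PrincipalClass([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Resolve the SID in AD to tell user accounts from groups. Built-in and
    # local principals (e.g. BUILTIN\Administrators) are not AD objects and
    # are reported as "local/builtin".
    try {
        $obj = [ADSI]"LDAP://<SID=$($Sid.Value)>"
        $obj.RefreshCache()   # throws if the SID does not resolve to an AD object
        if (@($obj.objectClass) -contains "group") { return "group" }
        if (@($obj.objectClass) -contains "user")  { return "user" }
        return "other"
    } catch {
        return "local/builtin"
    }
}

$admin = New-Object -ComObject CertificateAuthority.Admin
$sddl  = $admin.GetCASecurity($CAConfig)
$sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

$report = foreach ($ace in $sd.DiscretionaryAcl) {
    # Only "allow" entries grant rights.
    if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
    $sid = $ace.SecurityIdentifier
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }   # orphaned SID: show it raw
    $rights = @($RightNames.Keys | Where-Object { ($ace.AccessMask -band $_) -ne 0 } |
                ForEach-Object { $RightNames[$_] })
    New-Object PSObject -Property @{
        Principal = $name
        Class     = Get-PrincipalClass $sid
        Rights    = ($rights -join ", ")
        Mask      = ("0x{0:X}" -f $ace.AccessMask)
    }
}

$report | Format-Table Principal, Class, Rights, Mask -AutoSize

# Administrative CA rights held directly by a user account are the case the
# remark above warns about: they bypass group-based review and offboarding.
$direct = $report | Where-Object { $_.Class -eq "user" -and ($_.Rights -match "Manage CA|Issue and Manage") }
foreach ($d in $direct) {
    Write-Warning ("{0} holds '{1}' directly; grant this to a group instead." -f $d.Principal, $d.Rights)
}
```

After the steps in this post, the report shows Terry with class "user" and rights "Issue and Manage Certificates, Manage CA", and the warning fires; after moving the grant to a group, the same script shows the group instead and stays silent.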


Delegate duplication of all certificate templates
1. On DC01, log in as adcslab.local Administrator.
2. Click "Start", enter "adsiedit.msc" to launch "ADSI Edit".
3. Right-click "ADSI Edit", select "Connect to".


4. On "Connection Settings" window, next to "Select a well known Naming Context", select "Configuration".


5. Click "OK".

Remark: Make sure you are connected to the "Configuration" naming context of the forest root domain.

6. Expand "Configuration > CN=Configuration,DC=adcslab,DC=local > CN=Services > CN=Public Key Services".
7. On central pane, right-click "CN=Certificate Templates", select "Properties".


8. On the "CN=Certificate Templates Properties" window, click the "Security" tab.


9. Click "Add".
10. On "Select Users, Computers, or Groups" window, click "Locations".


11. On "Locations" window, select "corp.adcslab.local".


12. Click "OK".
13. Next to "Enter the object names to select (examples)", enter "Terry".


14. Click "OK".
15. Next to "Permissions for Terry", check "Allow - Full control".


16. Click "OK".
17. On central pane, right-click "CN=OID", select "Properties".


18. On the "CN=OID Properties" window, click the "Security" tab.
19. Click "Add".
20. On "Select Users, Computers, or Groups" window, click "Locations".


21. On "Locations" window, select "corp.adcslab.local".


22. Click "OK".
23. Next to "Enter the object names to select (examples)", enter "Terry" and then click "OK".
24. Next to "Permissions for Terry", check "Allow - Full control".


25. Click "OK".
26. Close "ADSI Edit".

Remark: In a production environment, we should grant the permissions on "Certificate Templates" and "OID" to a global or universal group that contains the users who manage templates.
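The same delegation can be done with the ActiveDirectory module instead of ADSI Edit. The script below is an added example, not code from the original post: it grants Full Control on the CN=Certificate Templates and CN=OID containers to a group (following the remark above, rather than to the user Terry as the steps do), then lists every identity that can fully control or rewrite the DACL of those containers so the result can be reviewed. The group name "PKI-Template-Admins" is a placeholder; the script is meant to run on DC01 (or any host with RSAT) as an Enterprise Admin.

```powershell
# Added example, not part of the original post: delegate Full Control on the
# Certificate Templates and OID containers to a group, then review who holds
# full or DACL-level control there. "PKI-Template-Admins" is a placeholder.
param(
    [string]$GroupName   = "PKI-Template-Admins",   # placeholder group
    [string]$GroupDomain = "corp.adcslab.local"     # the child domain from the lab
)

Import-Module ActiveDirectory

# The Configuration partition is forest-wide, so its DN is the same from any DC.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNC"
$containers = @("CN=Certificate Templates,$pkiBase", "CN=OID,$pkiBase")

# ACEs store SIDs, not names, so resolve the group in the child domain first
# (this is what the "Locations" step in ADSI Edit does for a user).
$groupSid = (Get-ADGroup -Identity $GroupName -Server $GroupDomain).SID

$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$writeDacl   = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$writeOwner  = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

foreach ($dn in $containers) {
    $path = "AD:\$dn"

    # Equivalent of checking "Allow - Full control" in ADSI Edit, applied to
    # this object and all descendant objects (every template or OID under it).
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        $fullControl,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Review: anyone with Full Control, WriteDacl or WriteOwner on this
    # container controls every template (or OID) in the forest, so the list
    # should be short and contain only the expected administrative groups.
    Write-Host "`nPrincipals with full or DACL-level control of $dn"
    (Get-Acl -Path $path).Access |
        Where-Object {
            $r = [int]$_.ActiveDirectoryRights
            $_.AccessControlType -eq "Allow" -and
            ( (($r -band [int]$fullControl) -eq [int]$fullControl) -or
              ($r -band [int]$writeDacl) -or ($r -band [int]$writeOwner) )
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
        Format-Table -AutoSize
}
```

The review list is the part worth keeping as a recurring check: the grant made in this post (Full Control for a single user) shows up there, and so would any later change that quietly widens who can edit templates.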

Test result
1. On CS01, log in as corp.adcslab.local Administrator.
2. Click "Start", enter "certtmpl.msc" to launch Certificate Templates Console.
3. On "Certificate Templates" console, right-click "Computer" and then select "Duplicate Template".


4. On "Duplicate Template" window, select "Windows 2003 Server, Enterprise Edition" and then click "OK".


The corp.adcslab.local Administrator could not duplicate the certificate template because we have not granted that permission to the corp.adcslab.local Administrator.


5. Click "OK".
6. Log off corp.adcslab.local Administrator.
7. Log in as Terry.
8. Launch "Certificate Templates".
9. On "Certificate Templates" console, right-click "Computer" and then select "Duplicate Template".
10. On "Duplicate Template" window, select "Windows 2003 Server, Enterprise Edition" and then click "OK".
11. On the "General" tab of the "Properties of New Template" window, next to "Template display name", enter "ADCSLAB Computer".


12. Click "OK".

As a result, Terry can duplicate the computer certificate template.

