Re: Deploying Certificates Through Group Policy



Hello John,

Thank you for posting back!

I am sorry that I was ill these days so my colleague Nathan was my backup.

I understand that you have a tight time schedule, so please take your time to
perform the steps. The error information you supplied in the previous reply
indicates that this is most likely a networking issue. The information I
required is very important for us to
troubleshoot your issue, so please take your time to perform the steps and
collect the log files for us to continue troubleshooting. If you have any
updates, please feel free to let me know. I am always standing by and
looking forward to hearing from you!

Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
>From: "John Sockwell" <spam001(at)plasticcircus(dot)com>
>Subject: Re: Deploying Certificates Through Group Policy
>Date: Thu, 22 Sep 2005 01:09:50 -0700
>
>I can follow you up to step 8.
>
>After I select computer certificate, instead of being asked to select a CA
>I'm told the automatic request wizard was successful and shows me an empty
>box where my settings should be.
>
>""Brandy Nee [MSFT]"" <v-branee@xxxxxxxxxxxxxxxxxxxx> wrote in message
>news:5%23vAPgyvFHA.780@xxxxxxxxxxxxxxxxxxxxxxxx
>> Hello John,
>>
>> Thank you for posting to the SBS Newsgroup.
>>
>> I understand that you created an Automatic Certificate Request by Group
>> Policy, but it seems that it is not being assigned to domain client
>> workstations. If I have misunderstood your concern, please let me know.
>>
>> First of all, please make sure you have met all the Requirements and
>> followed all the steps below to create automatic certificate requests
>> with group policy. My reply is a bit long, so please take your time to
>> read through it first and then perform the steps:
>>
>> 1> SUMMARY:
>>
>> Windows 2000-based and Windows XP-based computers that are members of an
>> Active Directory domain can automatically be assigned certificates by
>> using a group policy. The process of requesting, receiving and installing
>> a certificate is known as certificate enrollment. You can configure all
>> computers in a domain or organizational unit to automatically enroll for
>> certificates. This can save the administrator a great amount of time by
>> eliminating the need to manually assign certificates to all computers in
>> a domain or organizational unit.
>>
>> 2> Requirements:
>>
>> Before you create an automatic certificate request, you must know the
>> following:
>>
>> - The type of certificate you want computers to enroll for automatically.
>>
>> - The certification authority (CA) that will issue the certificate.
>>
>> Computer-related certificates include computer certificates, IPSec
>> certificates, and Web server certificates. The certification authority
>> you use will be able to issue certificates of different types and
>> purposes.
>>
>> You must have administrative privileges to establish an automatic
>> certificate request enrollment policy. Automatic certificate requests
>> will work only with certification authorities that are running the
>> enterprise policy module. The enterprise CA must contain the certificate
>> template you want to assign. For example, if you want to automatically
>> assign an IPSec certificate, the IPSec certificate template must be
>> installed on the CA.
>>
>> 3> Install a Certificate Template:
>>
>> Use the following steps to install a certificate template, and note that
>> these steps must be performed on an enterprise CA in the Active Directory
>> domain:
>>
>> 1. Click Start, point to Programs, point to Administrative Tools, and
>> then click Certificate Authority.
>>
>> 2. In the Certification Authority console, expand your domain name,
>> right-click the Policy Settings node in the left pane, point to New, and
>> then click Certificate to Issue.
>>
>> 3. In the Select Certificate Template dialog box, click the certificate
>> template you require. In this example, click the IPSEC certificate, and
>> then click OK.
>>
>> 4. Quit the Certification Authority console.
>>
>> 4> Configure the Automatic Certificate Request Policy:
>>
>> Use the following steps to configure an automatic certificate request
>> policy that allows automatic enrollment for domain computers:
>>
>> 1. Click Start, point to Programs, point to Administrative Tools, and
>> then click Active Directory Users and Computers.
>>
>> 2. In the Active Directory Users and Computers console, right-click your
>> domain name, and then click Properties.
>>
>> 3. Click the Group Policy tab, click a domain group policy object, and
>> then click Edit.
>>
>> 4. In the Group Policy console, expand the Computer Configuration node,
>> expand the Windows Settings node, expand the Security Settings node, and
>> then expand the Public Key Policies node.
>>
>> 5. Right-click the Automatic Certificate Request Settings node, point to
>> New, and then click Automatic Certificate Request.
>>
>> 6. When the Automatic Certificate Request Setup Wizard starts, click Next.
>>
>> 7. On the Certificate Template page, click the template you require. In
>> this example, click the IPSEC template, and then click Next.
>>
>> 8. On the Certificate Authority page, select the enterprise CA for your
>> domain by placing a checkmark in the check box to the left of the CA.
>> Click Next.
>>
>> 9. On the Completing the Automatic Certificate Request Setup page, click
>> Finish. The new certificate is automatically requested the next time the
>> user logs on or the next time the domain Group Policy is refreshed. The
>> certificate will be installed on new computers when they join the domain.
>>
>> Hope this information helps. If anything is unclear, please feel free to
>> let me know. I am looking forward to hearing from you!
>>
>>
>> Best regards,
>>
>> Brandy Nee
>>
>> Microsoft CSS Online Newsgroup Support
>>

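One way to confirm on a domain client that the automatic certificate request configured in the steps above actually produced a machine certificate. This is an added example, not part of the original thread or of the support reply. The template name `Machine` (the built-in Computer template) and the 30-second wait are assumptions; run it from an elevated prompt.

```powershell
param(
    # Assumed template: 'Machine' is the internal name of the built-in
    # Computer template. Pass the name of the template chosen in the wizard.
    [string]$TemplateName = 'Machine'
)

# Refresh computer policy so the Automatic Certificate Request setting is
# applied, then ask the client to process pending enrollment work.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 30   # enrollment is asynchronous; the wait is an assumption

# Version 1 templates record their name in the "Certificate Template Name"
# extension, which is the template type automatic certificate requests use.
$v1TemplateOid = '1.3.6.1.4.1.311.20.2'

$found = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $v1TemplateOid }
    if ($ext) {
        [pscustomobject]@{
            Template   = $ext.Format($false).Trim()
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            HasKey     = $_.HasPrivateKey
            Thumbprint = $_.Thumbprint
        }
    }
} | Where-Object { $_.Template -eq $TemplateName }

if (-not $found) {
    Write-Warning "No certificate from template '$TemplateName' in LocalMachine\My."
    # Show which templates the CA is configured to issue, to compare with
    # the template selected in the Group Policy wizard.
    certutil -CATemplates
    exit 1
}

# A usable machine certificate needs its private key and must not be expired.
$found | Where-Object { -not $_.HasKey -or $_.NotAfter -lt (Get-Date) } |
    ForEach-Object { Write-Warning "Unusable certificate: $($_.Thumbprint)" }

$found | Format-Table Template, Subject, Issuer, NotAfter, HasKey -AutoSize
```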