
Certificate Enrollment Across Boundaries

SIM329: Certificate Enrollment Across Boundaries. Rashmi Jha, Program Manager, Microsoft Corporation. Session agenda: introduce the Certificate Enrollment Web Services, CEP (Certificate Enrollment Policy Web Service), CES (Certificate Enrollment Web Service), and CES/CEP deployment scenarios.


Presentation Transcript


  1. SIM329: Certificate Enrollment Across Boundaries. Rashmi Jha, Program Manager, Microsoft Corporation

  2. Session Agenda
  • Introduce the Certificate Enrollment Web Services
    • CEP (Certificate Enrollment Policy Web Service)
    • CES (Certificate Enrollment Web Service)
  • CES/CEP Deployment Scenarios
  • Designing a Certificate Enrollment Web Services Infrastructure
  • CES/CEP Installation Requirements
  • Understand Network Device Enrollment Service (NDES)

  3. Prerequisites
  • General understanding of PKI
  • General understanding of Windows Server 2008 Active Directory Certificate Services (ADCS)

  4. PKI Challenges in Enterprises
  • Extranet Requirements
    • Mobile and remote workers are not always on the corporate network
  • Managing non-domain joined machines
    • Employee home machines
    • Non-domain workstations and servers
  • PKI Complexity
    • The more complex the AD deployment, the more complex the PKI becomes (multiple forests, multiple CAs)

  5. Certificate Enrollment Without CEP/CES
  (Diagram: Client Workstations talk to Active Directory over LDAP (steps 1 and 2) and to the Certificate Authority over RPC/DCOM (steps 3 and 4).)

  6. PKI Challenges in Enterprises: How do we solve them?
  Two web enrollment role services in Windows Server 2008 R2 enable certificate policy retrieval and certificate enrollment over HTTPS:
  • Certificate Enrollment Policy Web Service (CEP)
  • Certificate Enrollment Web Service (CES)

  7. Certificate Enrollment With CEP/CES
  (Diagram, steps 1 to 8: Client Workstations, configured with a Certificate Enrollment Policy (Windows 7 and Windows Server 2008 R2 only), use HTTPS only. The Certificate Enrollment Policy Web Service (CEP) retrieves policies from Active Directory over LDAP and returns them to the client. The client sends its Certificate Request to the Certificate Enrollment Web Service (CES), which forwards it to the Certificate Authority over RPC/DCOM and returns the issued Certificate to the client.)

  8. Deployment Scenarios
  • Single Forest
  • Forest Consolidation
    • Allows organizations with multiple forests to consolidate their PKI by eliminating the requirement for per-forest CA deployments
  • Extranet
    • Allows users and computers outside the corporate network (Internet) to enroll for certificates
  • Renewal-Only Mode
    • Allows certificates to be renewed only (no new enrollment) over the Internet

  9. Designing a Certificate Enrollment Web Services Infrastructure
  • Firewall Configuration
  • Delegation (Certificate Enrollment Web Service Account)
  • Selecting Service Accounts
  • Selecting Authentication Methods

  10. Firewall Configuration

  11. Delegation (Certificate Enrollment Web Service Account)
  • Delegation is required if …
    • The CA is not on the same computer as the CES
    • The CES is required to process full enrollment requests, not just renewal requests
    • The authentication type is Kerberos or Certificate Authentication
  • Delegation is not required if …
    • The CA and CES are on the same computer
    • The authentication type is Username and Password
    • The CES is configured in Renewal-only mode

  12. Selecting Service Account
  • Both CEP and CES must run as either a domain user or the application pool identity
    • Local users are not supported
    • Managed Service Accounts may be used
  • The CES service account must be a member of the local IIS_IUSRS group
  • The CES service account must have the Request Certificates permission on the CA
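The delegation rules on slide 11 and the service-account requirements on slide 12 can be turned into a short preparation script. The following PowerShell is an added example written for this transcript, not code from the deck or from Microsoft. It assumes the ActiveDirectory module is available, that the account name and CA host name are placeholders for your environment, and that the HOST and rpcss service names on the CA are the delegation targets (that pairing and the protocol-transition rule for certificate authentication are stated as assumptions to confirm against the CES documentation for your version). The Request Certificates permission on the CA is not scripted here.

```powershell
# Added example (not from the SIM329 deck): prepare a CES service account.
Import-Module ActiveDirectory

function Test-CesDelegationRequired {
    # Encodes the decision table on slide 11: delegation is only needed when CES
    # must reach a CA on another computer on behalf of an authenticated caller.
    param(
        [Parameter(Mandatory = $true)][bool]$CaOnSameComputerAsCes,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Kerberos', 'Certificate', 'UsernamePassword')][string]$AuthenticationType,
        [Parameter(Mandatory = $true)][bool]$RenewalOnly
    )
    if ($CaOnSameComputerAsCes) { return $false }  # CA is local to CES, no second hop
    if ($RenewalOnly)           { return $false }  # renewal-only mode never needs delegation
    if ($AuthenticationType -eq 'UsernamePassword') { return $false }
    return $true                                   # remote CA, full enrollment, Kerberos or certificate auth
}

function Set-CesServiceAccountDelegation {
    # Constrained delegation from the CES service account to the CA computer only.
    # Assumption: HOST/<CA FQDN> and rpcss/<CA FQDN> are the services CES reaches over RPC/DCOM.
    param(
        [Parameter(Mandatory = $true)][string]$ServiceAccount,  # sAMAccountName, e.g. 'svc-ces' (placeholder)
        [Parameter(Mandatory = $true)][string]$CaFqdn,          # e.g. 'ca01.corp.example.com' (placeholder)
        [Parameter(Mandatory = $true)]
        [ValidateSet('Kerberos', 'Certificate')][string]$AuthenticationType
    )
    $targets = @("HOST/$CaFqdn", "rpcss/$CaFqdn")
    # Replace rather than Add so a stale CA name from an earlier deployment does not linger.
    Set-ADUser -Identity $ServiceAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }
    # With client certificate authentication CES holds no Kerberos ticket to forward,
    # so the account needs protocol transition ("use any authentication protocol").
    # With Kerberos authentication keep it off ("Kerberos only"), the tighter setting.
    $needsProtocolTransition = ($AuthenticationType -eq 'Certificate')
    Set-ADAccountControl -Identity $ServiceAccount -TrustedToAuthForDelegation $needsProtocolTransition
}

function Add-CesServiceAccountToIisUsers {
    # Slide 12: the CES service account must be in the local IIS_IUSRS group.
    # net.exe is used because Add-LocalGroupMember does not exist on Windows Server 2008 R2.
    param([Parameter(Mandatory = $true)][string]$DomainQualifiedAccount)  # e.g. 'CORP\svc-ces'
    $members = net localgroup IIS_IUSRS
    if ($members -notcontains $DomainQualifiedAccount) {
        net localgroup IIS_IUSRS $DomainQualifiedAccount /add | Out-Null
    }
    return ((net localgroup IIS_IUSRS) -contains $DomainQualifiedAccount)
}

# Usage (placeholder names): a remote CA, full enrollment, certificate authentication.
if (Test-CesDelegationRequired -CaOnSameComputerAsCes $false -AuthenticationType 'Certificate' -RenewalOnly $false) {
    Set-CesServiceAccountDelegation -ServiceAccount 'svc-ces' -CaFqdn 'ca01.corp.example.com' -AuthenticationType 'Certificate'
}
Add-CesServiceAccountToIisUsers -DomainQualifiedAccount 'CORP\svc-ces'
```

Constrained delegation is the point of the exercise: the account is allowed to impersonate callers only toward the named CA services, so a compromise of the CES host does not yield a general-purpose delegation identity. Grant Request Certificates to the account on the CA (certsrv.msc, CA properties, Security tab) after running the script.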

  13. Selecting Authentication Methods
  • Windows Integrated Authentication
  • Client Certificate Authentication
  • Username and Password
  • Anonymous authentication to the web services is not supported

  14. Installation Requirements
  • Windows Server 2008 R2
  • Domain-joined machine
  • Does not work with a stand-alone CA
  • The AD forest must have the Windows Server 2008 R2 schema
  • Can co-exist with the CA, Web Enrollment, OCSP and NDES roles
  • Clients must be Windows 7 or Windows Server 2008 R2
  • A valid SSL certificate in the local computer store
  • Enterprise Admin privileges are required for the installation
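Most of the requirements on slide 14 can be verified on the target host before the role is added. This preflight script is an added example for this transcript, not code from the deck or from Microsoft. It is written for PowerShell 2.0 on Windows Server 2008 R2 (hence Get-WmiObject and ADSI rather than newer cmdlets). The schema objectVersion of 47 for Windows Server 2008 R2, the CAType registry values, and the Enterprise Admins RID 519 are known Windows values, not taken from the slide; the subject filter is a hypothetical parameter.

```powershell
# Added example (not from the SIM329 deck): preflight checks for a CES/CEP host.
function Test-CesCepPrerequisites {
    param([string]$SslSubjectFilter = '*')  # hypothetical, e.g. 'CN=ces.corp.example.com'
    $r = @{}

    # Windows Server 2008 R2 is NT 6.1; ProductType 1 would be a client OS.
    $os = Get-WmiObject Win32_OperatingSystem
    $r['WindowsServer2008R2'] = ($os.Version -like '6.1.*') -and ($os.ProductType -ne 1)

    # Domain-joined machine.
    $cs = Get-WmiObject Win32_ComputerSystem
    $r['DomainJoined'] = [bool]$cs.PartOfDomain

    # Forest schema level: objectVersion on the schema naming context (47 = Windows Server 2008 R2).
    try {
        $rootDse = [ADSI]'LDAP://RootDSE'
        $schema  = [ADSI]('LDAP://' + $rootDse.Properties['schemaNamingContext'].Value)
        $r['Schema2008R2OrLater'] = ([int]$schema.Properties['objectVersion'].Value -ge 47)
    } catch { $r['Schema2008R2OrLater'] = $false }

    # If a CA is installed locally, it must be an enterprise CA (CAType 0 or 1), not stand-alone (3 or 4).
    $caKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (Test-Path $caKey) {
        $active = (Get-ItemProperty $caKey).Active
        $caType = (Get-ItemProperty (Join-Path $caKey $active)).CAType
        $r['LocalCaIsEnterprise'] = ($caType -eq 0 -or $caType -eq 1)
    } else {
        $r['LocalCaIsEnterprise'] = $true   # no local CA, so the stand-alone restriction does not apply
    }

    # A valid SSL certificate in the computer store: private key present, not expired,
    # Server Authentication EKU (1.3.6.1.5.5.7.3.1), optional subject match.
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $ssl = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Subject -like $SslSubjectFilter -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuth })
    }
    $r['SslCertificatePresent'] = [bool]$ssl

    # Enterprise Admins membership of the installing user (domain RID 519).
    $groups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups
    $r['EnterpriseAdmin'] = [bool]($groups | Where-Object { $_.Value -like 'S-1-5-21-*-519' })

    return $r
}

# Usage: print each check and fail loudly if any requirement is missing.
$checks = Test-CesCepPrerequisites
$checks.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-24} {1}' -f $_.Name, $_.Value }
if ($checks.Values -contains $false) { Write-Warning 'One or more CES/CEP prerequisites are not met.' }
```

The client-OS requirement (Windows 7 or Windows Server 2008 R2) and co-existence with other ADCS roles are environment properties rather than host checks, so they are left out; everything the script does report is read-only.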

  15. Demo: CEP/CES Configuration and Enrollment using CEP/CES. Sunil Kondapally, Senior Software Development Engineer, Active Directory Certificate Services

  16. Network Device Enrollment Service (NDES)

  17. Overview
  • NDES Enrollment Process
  • Understanding NDES Components
  • New Features
  • Entities Involved

  18. NDES Enrollment Process
  (Diagram; step numbering was lost in the transcript. Entities: Device Administrator, Device, Active Directory, NDES, CA. Labelled steps: Request Password, Check Permissions, Set Password, Create Key, Send Request, Send RA Request to CA, CA Issues Certificate, Return Certificate To Device.)

  19. Understanding NDES Components
  • Virtual Directories
    • http://localhost/certsrv/mscep
    • http://localhost/certsrv/mscep_admin
  • Password
  • Service Certificates

  20. New Features
  • UseSinglePassword Mode
  • Renewal without administrator interaction
  • Download updates
    • Windows Server 2008: http://support.microsoft.com/kb/959193
    • Windows Server 2008 R2: http://support.microsoft.com/kb/2483564

  21. Entities Involved
  • NDES Administrator
    • Account used to install the NDES role on a member server
  • NDES Service Account
    • Account used by the NDES application pool
  • Device Administrator
    • Account used to manage the devices
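Slides 19 to 21 name the pieces of an NDES deployment without showing how to inspect them. The following PowerShell is an added example for this transcript, not code from the deck or from Microsoft. It assumes the documented NDES registry layout under HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP (each password setting in a subkey holding a DWORD of the same name), that NDES sits in the IIS "Default Web Site" under the virtual directories shown on slide 19, that mscep.dll is the endpoint inside the mscep directory, and that GetCACaps is the SCEP operation from the draft referenced on slide 23. The site name and the message value are placeholders.

```powershell
# Added example (not from the SIM329 deck): inspect an NDES installation from a defender's seat.
function Get-NdesPasswordSettings {
    # UseSinglePassword (slide 20) and the other challenge-password controls.
    # Assumption: each setting is a DWORD of the same name inside a subkey of MSCEP.
    $base = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    $settings = @{}
    foreach ($name in 'UseSinglePassword', 'EnforcePassword', 'PasswordMax', 'PasswordValidity') {
        $item = Get-ItemProperty -Path (Join-Path $base $name) -Name $name -ErrorAction SilentlyContinue
        $settings[$name] = if ($item) { $item.$name } else { $null }  # $null = not configured
    }
    return $settings
}

function Get-NdesTemplates {
    # Template names NDES hands to the CA for signing, encryption and general-purpose requests.
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP' -ErrorAction SilentlyContinue
    return @{
        SigningTemplate        = $item.SigningTemplate
        EncryptionTemplate     = $item.EncryptionTemplate
        GeneralPurposeTemplate = $item.GeneralPurposeTemplate
    }
}

function Test-NdesAdminRequiresAuthentication {
    # mscep_admin is where the Device Administrator obtains the challenge password, so
    # anonymous access must be off there. appcmd is used because it ships with IIS 7.x.
    param([string]$SiteName = 'Default Web Site')  # placeholder
    $appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
    $section = 'system.webServer/security/authentication/anonymousAuthentication'
    $config = & $appcmd list config "$SiteName/certsrv/mscep_admin" "-section:$section" | Out-String
    return [bool]($config -match 'enabled="false"')
}

function Get-NdesCaCapabilities {
    # SCEP GetCACaps: a plain-text list of capabilities, one per line (e.g. Renewal).
    # Assumption: mscep.dll under the mscep virtual directory from slide 19.
    param([string]$Message = 'placeholder')
    $client = New-Object System.Net.WebClient
    $client.UseDefaultCredentials = $true
    $url = "http://localhost/certsrv/mscep/mscep.dll?operation=GetCACaps&message=$Message"
    $text = $client.DownloadString($url)
    return @($text -split "`r?`n" | Where-Object { $_.Trim() -ne '' })
}

# Usage: summarise the deployment and flag the two settings a reviewer looks at first.
$pw = Get-NdesPasswordSettings
'UseSinglePassword : {0}' -f $pw['UseSinglePassword']
'EnforcePassword   : {0}' -f $pw['EnforcePassword']
if ($pw['UseSinglePassword'] -eq 1) { Write-Warning 'Single shared challenge password in use; every device shares one secret.' }
if ($pw['EnforcePassword'] -eq 0)  { Write-Warning 'Challenge password not enforced; any SCEP request reaches the CA.' }
if (-not (Test-NdesAdminRequiresAuthentication)) { Write-Warning 'mscep_admin allows anonymous access.' }
Get-NdesTemplates
'CA capabilities : ' + ((Get-NdesCaCapabilities) -join ', ')
```

UseSinglePassword removes the per-device challenge that the enrollment diagram on slide 18 relies on, which is why the script calls it out; the warnings express a review opinion and do not change any setting.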

  22. Demo: NDES Enrollment. Sunil Kondapally, Senior Software Development Engineer, Active Directory Certificate Services

  23. Related Content
  • Certificate Enrollment Web Services: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=28B910F8-6374-48DD-A897-11FFF62AB795
  • NDES: http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=e11780de-819f-40d7-8b8e-10845bc8d446&displayLang=en
  • SCEP draft: http://tools.ietf.org/html/draft-nourse-scep-22
  • How to configure RPC dynamic port allocation to work with firewalls: http://support.microsoft.com/kb/154596

  24. Track Resources
  Don't forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward. You can also find the latest information about our products at the following links:
  • Cloud Power: http://www.microsoft.com/cloud/
  • Private Cloud: http://www.microsoft.com/privatecloud/
  • Windows Server: http://www.microsoft.com/windowsserver/
  • Windows Azure: http://www.microsoft.com/windowsazure/
  • Microsoft System Center: http://www.microsoft.com/systemcenter/
  • Microsoft Forefront: http://www.microsoft.com/forefront/

  25. Resources
  • Connect. Share. Discuss. http://northamerica.msteched.com
  • Learning: Sessions On-Demand & Community, www.microsoft.com/teched
  • Microsoft Certification & Training Resources: www.microsoft.com/learning
  • Resources for IT Professionals: http://microsoft.com/technet
  • Resources for Developers: http://microsoft.com/msdn


  27. © 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
