
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®


1 Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

2 Module 3: Deploying and Managing Certificates
- Deploying Certificates by Using AD CS
- Deploying Certificates by Using Autoenrollment
- Revoking Certificates
- Configuring Certificate Templates
- Configuring Certificate Recovery

3 Lesson 1: Deploying Certificates by Using AD CS
- What Is a Digital Certificate?
- Overview of Certificate Life Cycle
- Certificate Enrollment Methods
- Obtaining Certificates by Using Web Enrollment
- Obtaining Certificates by Using Manual Enrollment
- How To Manually Obtain a Certificate for a Web Service
- What Is NDES?

4 What Is a Digital Certificate?
A digital certificate contains:
- Public cryptographic key
- Subject information
- CA information

5 Overview of Certificate Life Cycle
1. A user, computer, or service requests a certificate from a CA.
2. The CA generates a certificate.
3. The CA distributes the certificate to the user, computer, or service.
4. The certificate is used with PKI-enabled applications.
5. The certificate reaches the end of its lifetime.
6. The certificate is expired, renewed, or revoked.

6 Certificate Enrollment Methods
Method: Use
- Autoenrollment: To automate the request, retrieval, and storage of certificates for domain-based computers
- Manual Enrollment: To request certificates by using the Certificates console or Certreq.exe, when the requestor cannot communicate directly with the CA
- Web Enrollment: To request certificates from a Web site located on a CA; to issue certificates when autoenrollment is not available
- Enrollment Agents: To provide a CA administrator the right to request certificates on behalf of another user

7 Obtaining Certificates by Using Web Enrollment
1. Connect to http://ServerName/certsrv by using a Web browser.
2. Click Request a certificate.
3. Select the type of certificate that you want to request.
4. Type or verify your identification.
5. Install the certificate.

8 Obtaining Certificates by Using Manual Enrollment
Manual enrollment methods:
- Certificates MMC
- Web Server
- NDES

9 Demonstration: How To Manually Obtain a Certificate for a Web Service To use IIS and perform Web site enrollment by using one of the manual enrollment methods
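The manual enrollment the demonstration describes, done with Certreq.exe (the manual-enrollment tool named on slide 6), as an added example that is not part of the course material. It assumes placeholder values: CA configuration string "ca01.contoso.com\Contoso-CA", site name www.contoso.com, and the built-in WebServer template issued by that CA with Enroll granted to the IIS host.

```powershell
# Added example (not course material): request a Web Server certificate for
# IIS with certreq, run in an elevated PowerShell on the IIS host.
# Placeholders: CA "ca01.contoso.com\Contoso-CA", host www.contoso.com.

# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.contoso.com, O=Contoso, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE      ; key in the computer store, usable by IIS
Exportable = FALSE        ; private key can never be exported from this host
KeyUsage = 0xA0           ; digitalSignature + keyEncipherment
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1   ; serverAuth

[RequestAttributes]
CertificateTemplate = WebServer
'@
Set-Content -Path .\www.inf -Value $inf -Encoding ASCII

# 1. Generate the key pair locally and write the PKCS#10 request.
certreq -new .\www.inf .\www.req

# 2. Submit to the enterprise CA. The WebServer template issues immediately
#    when the requester holds Enroll; otherwise the request stays pending.
certreq -submit -config 'ca01.contoso.com\Contoso-CA' .\www.req .\www.cer

# 3. Accept the issued certificate, binding it to the pending private key.
certreq -accept .\www.cer

# Check: the certificate is in the computer store with its private key,
# so it can be selected for an HTTPS binding in IIS Manager.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=www.contoso.com*' } |
    Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint
```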

10 What Is NDES?
NDES:
- Uses Simple Certificate Enrollment Protocol to communicate with compatible network devices such as routers and switches
- Functions as an Active Directory® Certificate Services role service
- Requires Internet Information Services

11 Lesson 2: Deploying Certificates by Using Autoenrollment
- Benefits and Uses of Autoenrollment
- Functioning of Autoenrollment

12 Discussion: Benefits and Uses of Autoenrollment How can autoenrollment simplify certificate management in your organization? What are the examples of applications that can benefit from autoenrollment?

13 Functioning of Autoenrollment
1. Certificate template: a certificate template is configured to allow Read, Enroll, and Autoenroll permissions for the users who receive the certificates.
2. Certificate Authority: the CA is configured to issue the template.
3. GPO: an Active Directory® Group Policy Object (GPO) is created to enable autoenrollment.
4. The GPO is linked to the appropriate site, domain, or organizational unit.
5. Client machine: the client machine receives the certificates during the next Group Policy refresh interval.
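A client-side check of the sequence above, as an added example that is not part of the course material: it confirms the autoenrollment policy has applied, triggers enrollment instead of waiting for the next Group Policy refresh, and looks for a certificate from the template. Placeholders are the template display name "Contoso-User-Auth" and an elevated session; the AEPolicy bit meanings are the commonly documented ones for the "Certificate Services Client - Auto-Enrollment" policy and are an assumption here.

```powershell
# Added example (not course material): verify autoenrollment on a domain client.
# Placeholder template name; AEPolicy bit meanings are an assumption (see lead-in).
$templateName = 'Contoso-User-Auth'
$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

$ae = Get-ItemProperty -Path $policyKey -Name AEPolicy -ErrorAction SilentlyContinue
if (-not $ae) {
    Write-Warning 'No autoenrollment policy has applied; check the GPO link or run gpupdate /force.'
} elseif ($ae.AEPolicy -band 0x8000) {
    Write-Warning ('Autoenrollment is disabled by policy (AEPolicy = 0x{0:X}).' -f $ae.AEPolicy)
} else {
    # 0x1 = renew expired / update pending / remove revoked, 0x2 = update templates;
    # 7 is the value written when the policy is enabled with both options ticked.
    'Autoenrollment enabled, AEPolicy = 0x{0:X}' -f $ae.AEPolicy
}

# Fire the autoenrollment task now instead of waiting for the refresh interval.
certutil -pulse | Out-Null
Start-Sleep -Seconds 10

# v1 templates name the template in extension 1.3.6.1.4.1.311.20.2,
# v2/v3 templates carry it in 1.3.6.1.4.1.311.21.7.
function Get-CertificatesByTemplate {
    param([string]$Template, [string]$Store = 'Cert:\LocalMachine\My')
    Get-ChildItem $Store | Where-Object {
        $_.Extensions | Where-Object {
            ($_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7') -and
            $_.Format($false) -like "*$Template*"
        }
    }
}

$issued = Get-CertificatesByTemplate -Template $templateName
if ($issued) {
    $issued | Select-Object Subject, NotBefore, NotAfter, Thumbprint
} else {
    Write-Warning "No certificate from '$templateName' yet: check the template's Read/Enroll/Autoenroll ACEs and that the CA issues it."
}
```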

14 Lesson 3: Revoking Certificates
- Reason Codes for Revoking a Certificate
- How To Revoke a Certificate
- What Is an Online Responder?
- How Online Responders Work
- Steps to Configure an Online Responder
- How To Configure an Online Responder

15 Reason Codes for Revoking a Certificate
Reason Code: Description
- Key Compromise: A computer is stolen or a smart card is lost.
- CA Compromise: A CA certificate is compromised.
- Change of Affiliation: An employee is terminated or suspended.
- Superseded: An issued certificate is replaced.
- Cease of Operation: A smart card has failed or the legal name of a user has changed.
- Certificate Hold: A certificate is put on hold temporarily.
- Unspecified: A certificate is revoked without providing a reason.

16 Demonstration: How To Revoke a Certificate To revoke a certificate that has been issued previously
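The revocation from the demonstration done with certutil, mapping the slide 15 reason codes to the numeric values certutil takes, as an added example that is not part of the course material. It assumes placeholders: CA configuration string "ca01.contoso.com\Contoso-CA" and serial number 1a2b3c4d000000000005; the operator must hold the Issue and Manage Certificates permission on the CA.

```powershell
# Added example (not course material): revoke a certificate by serial number
# and publish a CRL so relying parties and the Online Responder see the change.
# Placeholders: CA config string and serial number below.
$reasonCode = @{
    'Unspecified'          = 0
    'KeyCompromise'        = 1
    'CACompromise'         = 2
    'AffiliationChanged'   = 3
    'Superseded'           = 4
    'CessationOfOperation' = 5
    'CertificateHold'      = 6
}

function Revoke-IssuedCertificate {
    param([string]$SerialNumber, [string]$Reason, [string]$CAConfig)
    if (-not $reasonCode.ContainsKey($Reason)) { throw "Unknown revocation reason '$Reason'" }

    certutil -config $CAConfig -revoke $SerialNumber $reasonCode[$Reason]
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed (exit code $LASTEXITCODE)" }

    # Publish a new base CRL right away; until then clients keep using the
    # cached CRL and a stale Online Responder answer can still say "good".
    certutil -config $CAConfig -CRL
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed (exit code $LASTEXITCODE)" }
}

Revoke-IssuedCertificate -SerialNumber '1a2b3c4d000000000005' `
                         -Reason 'KeyCompromise' `
                         -CAConfig 'ca01.contoso.com\Contoso-CA'

# CertificateHold (6) is the only reason that can be undone later:
#   certutil -config 'ca01.contoso.com\Contoso-CA' -revoke 1a2b3c4d000000000005 -1
# Confirm the entry is in the revoked view on the CA:
#   certutil -config 'ca01.contoso.com\Contoso-CA' -view -restrict "Disposition=21" -out "SerialNumber,RevokedReason,RevokedWhen"
```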

17 What Is an Online Responder?
An Online Responder:
- Uses Online Certificate Status Protocol validation and revocation checking using HTTP
- Receives and responds dynamically to individual requests
- Supports only Windows Server® 2008 and Windows Vista® computers
- Functions as a responder to multiple CAs

18 How Online Responders Work
1. An application verifies a certificate that contains locations to OCSP responders.
2. If a cached OCSP response is not found, the Online Responder receives a request through HTTP.
3. The Online Responder Web proxy component decodes and verifies the request.
4. The Online Responder takes the request and checks a local CRL.
5. The Web proxy encodes and sends the response back to the client.
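The client side of the exchange above, as an added example that is not part of the course material: the application's check is reproduced with .NET X509Chain using online revocation checking (OCSP from the certificate's AIA URLs, falling back to the CRL), and an "unknown" status is treated as a failure rather than as "good". It assumes a certificate file user.cer (placeholder) on disk.

```powershell
# Added example (not course material): revocation check as a relying application
# performs it. Placeholder input file: .\user.cer.
function Test-CertificateRevocation {
    param([string]$Path)
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$ns.X509Certificate2" -ArgumentList $Path
    $chain = New-Object "$ns.X509Chain"
    # Online = ask the OCSP responder / fetch the CRL rather than trusting the cache only.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $built = $chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Fail closed: "could not determine" is not "good".
    $result = if ($flags -contains 'Revoked') { 'Revoked' }
              elseif ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation') { 'Unknown' }
              elseif ($built) { 'Good' }
              else { 'ChainError' }

    [pscustomobject]@{
        Subject = $cert.Subject
        Serial  = $cert.SerialNumber
        Result  = $result
        Detail  = (@($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
}

$r = Test-CertificateRevocation -Path .\user.cer
$r
if ($r.Result -ne 'Good') { Write-Warning "Do not accept this certificate: $($r.Result)" }

# The same check from the command line, printing each AIA, CRL and OCSP fetch:
#   certutil -verify -urlfetch .\user.cer
```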

19 Steps to Configure an Online Responder
1. Install the Online Responder role service.
2. Configure the CA.
3. Create a Revocation Configuration.

20 Demonstration: How To Configure an Online Responder To configure the CA to support the Online Responder To install and configure the Online Responder role service

21 Lesson 4: Configuring Certificate Templates
- What Are Certificate Templates?
- Certificate Template Versions
- Certificate Template Categories and Purposes
- Configuring Certificate Template Permissions
- Methods for Updating a Certificate Template
- How To Modify and Enable a Certificate Template

22 What Are Certificate Templates?
Certificate templates define the:
- Format and contents of a certificate
- Process of creating and submitting a valid certificate request
- Security principals that are allowed to read, enroll, or autoenroll for a certificate
- Permissions to read, enroll, autoenroll, or modify a certificate template

23 Certificate Template Versions
Version 1:
- Provided for backward compatibility
- Created by default when a CA is installed
- Cannot be modified or removed but can be duplicated to become Version 2 or 3 templates
Version 2:
- Allows customization of most settings in the template
- Several preconfigured templates are provided when a CA is installed
Version 3:
- Supports advanced Suite B cryptographic settings
- Includes advanced options for encryption, digital signatures, key exchange, and hashing
- Only supports Windows Server® 2008 and Windows Vista®

24 Certificate Template Categories and Purposes
Category: Single Purpose / Multiple Purpose
- Users: Basic EFS, Authenticated Session, Smart Card Logon / Administrator, User, Smart Card User
- Computers: Web Server, IPSec / Computer, Domain Controller

25 Configuring Certificate Template Permissions
Permission: Description
- Full Control: Allows a security principal to modify all attributes
- Read: Allows a security principal to find the certificate template in Active Directory® when enrolling
- Write: Allows a security principal to modify all the attributes except permissions
- Enroll: Allows a security principal to enroll for a certificate based on the certificate template
- Autoenrollment: Allows a security principal to receive a certificate through the autoenrollment process
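An audit of the permissions above on a live template, as an added example that is not part of the course material: it reads the template's ACL from the Configuration partition and reports which identities hold Full Control, Write, Enroll and Autoenroll. Assumptions (placeholders): the ActiveDirectory PowerShell module is available (Windows Server 2008 R2 RSAT or later), the configuration naming context is CN=Configuration,DC=contoso,DC=com, and the template's common name is WebServer; the two GUIDs are the schema's Certificate-Enrollment and Certificate-AutoEnrollment extended rights.

```powershell
# Added example (not course material): list Enroll/Autoenroll/Write/Full Control
# holders on a certificate template. Placeholders: configuration NC, template name.
Import-Module ActiveDirectory
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Get-TemplatePermissions {
    param([string]$Template, [string]$ConfigNC)
    $dn  = "CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        $rights = $ace.ActiveDirectoryRights
        $right  = $null
        if ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) {
            $right = 'Full Control'
        } elseif ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
            if     ($ace.ObjectType -eq $enrollRight)     { $right = 'Enroll' }
            elseif ($ace.ObjectType -eq $autoEnrollRight) { $right = 'Autoenroll' }
            elseif ($ace.ObjectType -eq [guid]::Empty)    { $right = 'Enroll+Autoenroll (all extended rights)' }
        } elseif ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) {
            $right = 'Write (permissions)'
        } elseif ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) {
            $right = 'Write'
        }
        if ($right) {
            [pscustomobject]@{
                Template = $Template
                Identity = $ace.IdentityReference.Value
                Right    = $right
                Type     = $ace.AccessControlType   # Allow or Deny
            }
        }
    }
}

Get-TemplatePermissions -Template 'WebServer' -ConfigNC 'CN=Configuration,DC=contoso,DC=com' |
    Sort-Object Right, Identity | Format-Table -AutoSize
# Review rule of thumb: Enroll and Autoenroll should be limited to the groups the
# template is intended for; broad groups such as Authenticated Users warrant a second look.
```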

26 Methods for Updating a Certificate Template
- Modifying: Modify the original certificate template to incorporate the new settings (original template becomes the updated template).
- Superseding: Replace one or more certificate templates with an updated certificate template (for example, separate Smart Card templates superseded by one Two-Factor template).

27 Demonstration: How To Modify and Enable a Certificate Template To create, modify, and supersede a template To issue a certificate to be used by a CA

28 Lesson 5: Configuring Certificate Recovery
- Importance of Key Archival and Recovery
- Manually Exporting Certificates and Private Keys
- Configuring Automatic Key Archival
- How To Configure Key Archival
- Recovering a Lost Key
- How To Recover a Lost Key

29 Importance of Key Archival and Recovery
Keys get lost when:
- User profile is deleted
- Operating system is reinstalled
- Disk is corrupted
- Computer is stolen
Data recovery methods that use:
- Key archival and key recovery agents
- Manual key archival and recovery

30 Manually Exporting Certificates and Private Keys
You can use the following to export certificates:
- Certificates MMC snap-in
- Certification Authority MMC snap-in
- Certutil.exe
- Outlook®
- Internet Explorer®
The tool used depends upon the certificate template upon which the certificate is based.

31 Configuring Automatic Key Archival
To configure automatic key archival:
1. Configure and issue the Key Recovery Agent certificate template.
2. Designate a person as the Key Recovery Agent and enroll for the certificate.
3. Enable Key Archival on the CA.
4. Modify and enable required certificate templates for key archival.

32 Demonstration: How To Configure Key Archival To configure and issue the Key Recovery Agent certificate template To designate a person to be the Key Recovery Agent and enroll for the certificate To enable Key Archival on the CA To modify and enable required certificate templates for Key Archival

33 Recovering a Lost Key
1. The private key is lost or corrupted.
2. The certificate manager finds the serial number of the certificate.
3. The certificate manager extracts the PKCS #7 file from the CA.
4. The certificate manager transfers the PKCS #7 file to the KRA.
5. The KRA recovers the private key.
6. The user imports the private key.
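Steps 2 to 6 above carried out with certutil, as an added example that is not part of the course material. It assumes placeholders: CA configuration string "ca01.contoso.com\Contoso-CA", user CONTOSO\jsmith, serial number 1a2b3c4d000000000005; the certificate manager runs steps 2 and 3, the KRA runs step 5 on a workstation holding the KRA certificate and private key, and the user runs step 6.

```powershell
# Added example (not course material): key recovery with certutil.
# Placeholders: CA config string, user name, serial number.
$ca = 'ca01.contoso.com\Contoso-CA'

# Step 2 (certificate manager): find the serial number of the user's archived
# certificate in the CA database.
certutil -config $ca -view -restrict "RequesterName=CONTOSO\jsmith" `
         -out "SerialNumber,CertificateTemplate,NotAfter,KeyRecoveryHashes"

# Step 3 (certificate manager): extract the archived key as a PKCS #7 recovery
# blob. It is encrypted to the KRA's public key, so it is useless to anyone
# who does not hold the KRA private key.
certutil -config $ca -getkey 1a2b3c4d000000000005 .\jsmith-archived.p7b
if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed (exit code $LASTEXITCODE)" }

# Step 4: hand jsmith-archived.p7b to the KRA out of band.

# Step 5 (KRA, on the KRA's own workstation): decrypt the blob into a PFX;
# certutil prompts for a password that protects the PFX.
certutil -recoverkey .\jsmith-archived.p7b .\jsmith-recovered.pfx
if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed (exit code $LASTEXITCODE)" }

# Step 6 (user): import the PFX into the user's personal store.
certutil -user -importpfx .\jsmith-recovered.pfx

# Check (user): the certificate is back with its private key.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.SerialNumber -eq '1A2B3C4D000000000005' } |
    Select-Object Subject, HasPrivateKey, NotAfter
```

Delete the .p7b and .pfx files once the import succeeds; the recovery blob and the password-protected PFX are both copies of the private key.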

34 Demonstration: How To Recover a Lost Key To recover an archived certificate and key from Active Directory®

35 Lab 3: Deploying and Managing Certificates
- Exercise 1: Configuring AD CS Web Enrollment
- Exercise 2: Configuring Certificate Autoenrollment
- Exercise 3: Configuring AD CS Certificate Revocation
- Exercise 4: Configuring AD CS Certificate Templates
- Exercise 5: Managing Key Archival and Recovery
Logon information
- Virtual machine: 6426A-NYC-DC1-B
- User name: Administrator
- Password: Pa$$w0rd
Estimated time: 110 minutes

36 Lab Review: Deploying and Managing Certificates
In this lab, you have:
- Exercise 1: Configured AD CS Web Enrollment
- Exercise 2: Configured Certificate Autoenrollment
- Exercise 3: Configured AD CS Certificate Revocation
- Exercise 4: Configured AD CS Certificate Templates
- Exercise 5: Managed Key Archival and Recovery

