
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®




1 Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

2 Module 2: Configuring AD CS
- Overview of PKI
- Deploying a CA Hierarchy
- Installing AD CS
- Managing a CA

3 Lesson 1: Overview of PKI
- What Is PKI?
- Managing IDA and Enhancing Security by Using PKI
- Components of a PKI Solution
- Validating Certificates by Using PKI Solutions
- How AD CS Supports PKI

4 What Is PKI?
A Public Key Infrastructure (PKI):
- Is the combination of software, encryption technologies, processes, and services that enable an organization to secure communication and business transactions
- Relies on the exchange of digital certificates between authenticated users and trusted resources
PKI enhances infrastructure security by providing:
- Confidentiality
- Integrity
- Authenticity
- Nonrepudiation

5 Discussion: Managing IDA and Enhancing Security by Using PKI
- What benefit would a PKI solution provide to your organization?
- Give a few examples of services that can use certificates to enhance security.
- How does a PKI solution support IDA management?

6 Components of a PKI Solution
- Certification Authority
- Digital Certificates
- Certificate Revocation Lists and Online Responders
- Certificate Templates
- Public-key-enabled Applications and Services
- Certificate and CA Management Tools
- AIA and CRL Distribution Points

7 Validating Certificates by Using PKI Solutions
PKI-enabled applications use CryptoAPI to validate certificates, in three stages:
- Certificate discovery (locating the issuer certificates needed to build the chain, from local stores and the AIA locations)
- Path validation (verifying signatures, validity periods, and constraints from the end certificate up to a trusted root)
- Revocation checking (consulting CRLs or an online responder for every certificate in the chain)
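The three stages above, traced with the .NET X509Chain class that Windows builds on top of CryptoAPI, as an added example that is not part of the course material. It assumes a certificate to test exported at C:\Temp\leaf.cer (a hypothetical path) and network reachability to the AIA and CDP URLs named in that certificate's chain.

```powershell
# Added example, not from the course slides. Assumed path (hypothetical): C:\Temp\leaf.cer
param([string]$CertPath = 'C:\Temp\leaf.cer')

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Discovery + path validation: Build() collects issuer certificates from the local stores and the
# AIA URLs in each certificate, then checks signatures, validity periods and constraints up to a
# trusted root. Revocation checking is switched on for every certificate in the chain, fetched online.
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags   = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$chain.ChainPolicy.UrlRetrievalTimeout = New-Object System.TimeSpan(0, 0, 30)

$valid = $chain.Build($cert)
"Chain build result: $valid"

# Walk the chain from the end certificate to the root and show what CryptoAPI found at each element.
$i = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    "[{0}] {1}" -f $i, $c.Subject
    "     issuer : {0}" -f $c.Issuer
    "     valid  : {0:u} .. {1:u}" -f $c.NotBefore, $c.NotAfter
    foreach ($s in $element.ChainElementStatus) {
        "     status : {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
    $i++
}

# 'Revoked' and 'could not check' are different failures: RevocationStatusUnknown / OfflineRevocation
# mean a CDP or online responder was unreachable (a publication problem, the subject of lesson 4),
# not that a certificate was revoked.
$statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
if ($statuses -contains 'Revoked') {
    Write-Warning 'A certificate in the chain is REVOKED.'
} elseif ($statuses -contains 'RevocationStatusUnknown' -or $statuses -contains 'OfflineRevocation') {
    Write-Warning 'Revocation could not be checked: verify the CDP and AIA URLs are reachable.'
} elseif (-not $valid) {
    Write-Warning ('Path validation failed: ' + ($statuses -join ', '))
}
```

RevocationMode Online forces a fresh fetch; the default is to use CryptoAPI's cached CRLs, which is why a freshly revoked certificate can still validate on a client until the cached CRL reaches its Next Update time.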

8 How AD CS Supports PKI
AD CS role services:
- Certification Authority (CA)
- CA Web Enrollment
- Online Responder
- Network Device Enrollment Service

9 Lesson 2: Deploying a CA Hierarchy
- Overview of CA
- Options for Implementing CA
- Types of CAs
- Stand-Alone vs. Enterprise CAs
- Usage Scenarios in CA Hierarchy
- What Is a Cross-Certification Hierarchy?

10 Overview of CA
A certification authority:
- Issues a certificate for itself (in the case of a root CA)
- Verifies the identity of the certificate requestor
- Manages certificate revocation
- Issues certificates to users, computers, and services

11 Discussion: Options for Implementing CA
- What are the advantages and disadvantages of using an external public CA?
- What are the advantages and disadvantages of using an internal CA?

12 Types of CAs
Root CA:
- Is the most trusted type of CA in a PKI infrastructure
- Has a self-signed certificate
- Issues certificates to subordinate CAs
- Has physical security and a certificate issuance policy that are typically more rigorous than those of subordinate CAs
Subordinate CA:
- Has its certificate issued by another CA
- Addresses specific usage policies, organizational or geographical boundaries, load balancing, and fault tolerance
- Issues certificates to other CAs to form a hierarchical PKI infrastructure

13 Stand-Alone vs. Enterprise CAs
Stand-Alone CAs:
- Do not require AD DS (a stand-alone CA need not be joined to an AD DS domain)
- Users provide identifying information and specify the type of certificate in the request
- Do not require certificate templates
- Keep all certificate requests pending until an administrator approves them (the default)
Enterprise CAs:
- Require AD DS
- Can use Group Policy to propagate the CA certificate to the Trusted Root Certification Authorities store
- Publish user certificates and CRLs to AD DS
- Issue certificates based on certificate templates
- Support autoenrollment for issuing certificates
Any CA that is kept offline (an offline root or intermediate/policy CA) must be a stand-alone CA, because an enterprise CA depends on AD DS and has to remain online and domain-joined.

14 Usage Scenarios in CA Hierarchy
(Diagram: four two-tier hierarchies, each with a root CA and subordinate CAs split by a different criterion.)
- Certificate use: subordinate CAs for RAS, EFS, and S/MIME
- Location: subordinate CAs for India, Canada, and the USA
- Departments: subordinate CAs for Manufacturing, Engineering, and Accounting
- Organizational unit: subordinate CAs for Employee, Contractor, and Partner

15 What Is a Cross-Certification Hierarchy?
(Diagram: Organization 1 and Organization 2, each with its own root CA and subordinate CA, linked by cross-certificates.)
- Cross-certification at the root CA level: the two organizations' root CAs cross-certify each other
- Cross-certification from a subordinate CA to a root CA: a subordinate CA in one organization is cross-certified with the other organization's root CA

16 Lesson 3: Installing AD CS
- Considerations for Installing a Root CA
- How To Install AD CS as a Root CA
- Installing a Subordinate CA
- How the CAPolicy.inf File Is Used for Installation
- Overview of the CA Administration Console

17 Considerations for Installing a Root CA
Planning a root CA:
- Computer name and domain membership
- CA name and configuration
- Private key configuration: CSP, key length (default 2048 bits), hash algorithm
- Validity period of the CA certificate
- Certificate database and log location

18 Demonstration: How To Install AD CS as a Root CA
- To install the AD CS server role as an Enterprise Root CA

19 Considerations for Installing a Subordinate CA
Planning a subordinate CA:
- Computer name and domain membership
- CA name and configuration
- Private key configuration: CSP, key length (default 2048 bits), hash algorithm
- Validity period of the CA certificate (set by the parent CA that issues it, not by the subordinate)
- Certificate database and log location
- Request a certificate for the subordinate CA from its parent CA

20 How the CAPolicy.inf File Is Used for Installation
The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA and is read when the CA role is installed (and again when the CA certificate is renewed). This file defines:
- Certification Practice Statement (CPS) Object Identifier (OID) and URL
- CRL publication intervals
- CA renewal settings
- Key size (applied when the CA certificate is renewed)
- Certificate validity period (applied when the CA certificate is renewed)
- CDP and AIA paths placed in the CA's own certificate
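The planning decisions of slides 17 to 20 carried through as a scripted two-tier install (offline stand-alone root, enterprise issuing CA), as an added example that is not part of the course's own lab steps. It uses the ADCSDeployment cmdlets that ship with Windows Server 2012 and later (on Windows Server 2008 the same choices are made in the Add Roles wizard or with certutil); the CA names Contoso Root CA and Contoso Issuing CA, the host pki.contoso.com, the policy OID, and all paths are hypothetical placeholders.

```powershell
# Added example (not the course's own lab steps). All names, paths and the OID below are placeholders.

# ---- On the root CA. CAPolicy.inf must exist in %windir% BEFORE the role is configured: it is read at install and at renewal. ----
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Certification Practice Statement placeholder text"
URL=http://pki.contoso.com/cps.html

[Certsrv_Server]
; these govern renewal of the CA certificate; the initial key and validity come from the install parameters below
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; root CRL: long base interval, no delta CRL (the root is offline and revokes only subordinate CA certificates)
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
AlternateSignatureAlgorithm=0

; a self-signed root certificate should carry no CDP/AIA extensions: only the trust store vouches for a root
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# Slide 17 decisions: stand-alone root (offline, not domain-joined), CA name, KSP, key length, hash, validity, database paths.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'Contoso Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -DatabaseDirectory 'D:\CertDB' -LogDirectory 'D:\CertLog' `
    -Force
# The lifetime of certificates the root ISSUES (i.e. the subordinate CA certificate) is a separate setting; its default is 1 year.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc
certutil -ca.cert C:\Temp\ContosoRootCA.crt      # export the root certificate for the trust stores and the AIA locations

# ---- On the domain-joined issuing CA ----
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# Enterprise subordinate (slide 19). The parent is offline, so write a request file instead of submitting to a live parent.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName 'Contoso Issuing CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -DatabaseDirectory 'D:\CertDB' -LogDirectory 'D:\CertLog' `
    -OutputCertRequestFile 'C:\Temp\ContosoIssuingCA.req' `
    -Force
# Carry the .req to the root on removable media. A stand-alone CA holds requests pending (slide 13), so on the root:
#   certreq -submit -config "ROOTCA\Contoso Root CA" C:\Temp\ContosoIssuingCA.req        (prints the RequestId)
#   certutil -resubmit <RequestId>
#   certreq -retrieve -config "ROOTCA\Contoso Root CA" <RequestId> C:\Temp\ContosoIssuingCA.crt
# Bring the issued certificate and the root certificate back to the issuing CA, then:
certutil -addstore -f Root C:\Temp\ContosoRootCA.crt
certutil -installcert C:\Temp\ContosoIssuingCA.crt
Start-Service certsvc
```

certutil -installcert fails if the issuing CA cannot build a chain to the root and check its revocation, so the root certificate must already be trusted on that machine (and the root CRL reachable or published to AD DS, the subject of lesson 4) before the subordinate's certificate is installed.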

21 Demonstration: Overview of the CA Administration Console
- To open the CA administration console and review the available options

22 Lesson 4: Managing a CA
- What Are CRLs?
- How CRLs Are Published
- Where to Publish AIAs and CDPs
- Configuring AIA and CRL Availability

23 What Are CRLs?
Base CRLs:
- List all revoked certificates
- Greater publication interval
- Large size
- Usable by client computers running any version of Windows
Delta CRLs:
- List only the certificates revoked since the last base CRL
- Lesser publication interval
- Small size
- Require client computers running Windows XP, Windows Server 2003, or later

24 How CRLs Are Published
(Diagram: a timeline of CRL publication.)
- Base CRL #1 is published, containing Cert3.
- Cert5 is revoked; Delta CRL #2 is published, containing Cert5.
- Cert7 is revoked; Delta CRL #3 is published, containing Cert5 and Cert7 (a delta CRL carries every revocation since the last base CRL, not only those since the previous delta).
- Base CRL #2 is published, containing Cert3, Cert5, and Cert7.
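The publication intervals contrasted on slide 23 and the revoke/delta/base sequence of slide 24, replayed with certutil on the issuing CA, as an added example that is not part of the course. The CA name Contoso Issuing CA, the interval values, and the serial number being revoked are placeholders.

```powershell
# Added example (not from the course). Run on the issuing CA; the CA name, intervals and serial number are placeholders.

# Slide 23: base CRL = complete list, long interval; delta CRL = changes since the last base, short interval.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
# Overlap extends each CRL's validity past the next scheduled publication, so a late publish does not
# leave clients holding an expired CRL (which CryptoAPI reports as "revocation status unknown").
certutil -setreg CA\CRLOverlapUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"
Restart-Service certsvc            # registry changes take effect when the service restarts
certutil -getreg CA\CRLPeriodUnits # read back to confirm

$enroll = "$env:windir\system32\CertSrv\CertEnroll"
$base   = "$enroll\Contoso Issuing CA.crl"
$delta  = "$enroll\Contoso Issuing CA+.crl"   # delta CRL file name = CA name followed by '+'

# Slide 24 replayed: publish a base CRL, revoke a certificate, publish a delta, then a new base.
certutil -crl                      # new base CRL (and a new delta CRL)
certutil -revoke 1a2b3c4d5e6f 1    # revoke by serial number; reason 1 = key compromise (placeholder serial)
certutil -crl delta                # new delta CRL only: it now lists the revoked serial
certutil -crl                      # new base CRL: the serial moves into the complete base list

# Inspect: CRL Number, This Update / Next Update, the Delta CRL Indicator (the base CRL number
# that a delta extends) and the revoked entries with their reason codes.
certutil -dump $base
certutil -dump $delta
```

Revocation is not instantaneous for relying parties: clients keep using a cached CRL until its Next Update, so the delta interval (plus overlap) is the upper bound on how long a revoked certificate keeps validating, whatever the CA's own view.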

25 Where to Publish AIAs and CDPs
For an offline root CA, publish the root CA certificate and CRL (the AIA and CDP locations) to:
- Active Directory
- Web servers
- FTP servers
- File servers
(Diagram: an internal web server, file server, FTP server, and Active Directory inside the network, and an external web server beyond the firewall for Internet clients.)

26 Demonstration: How To Configure AIA and CRL Availability
- To configure AIA and CDP settings
- To publish the latest version of the CRL
- To publish the CRL and CA certificate for the offline root CA to an HTTP location
- To view the CRL
- To publish the CRL and CA certificate to Active Directory
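The demonstration steps above scripted with certutil, as an added example that is not part of the course: CDP and AIA locations for the issuing CA, publication of the offline root's certificate and CRL to AD DS and to an HTTP location, and a client-side check that the URLs resolve. The URL http://pki.contoso.com/pki/, the share \\webserver\pki, the file names under C:\Temp, and the CA names are hypothetical.

```powershell
# Added example (not the course's own demonstration). URLs, share and file names are placeholders.

# Each entry is "<flags>:<URL>". The flag bits correspond to the check boxes in the CA properties dialog:
#   1   publish CRLs to this location              2   include in the CDP/AIA extension of issued certificates
#   4   include in CRLs (clients use it to find the delta CRL)
#   8   include in all CRLs (AD DS publish point)  32  OCSP URL in the AIA extension
#   64  publish delta CRLs to this location        128 include in the IDP extension of issued CRLs
# Tokens: %1 server DNS name, %2 server short name, %3 CA name, %4 CA cert index, %6 configuration
# container, %7 truncated CA name, %8 CRL suffix, %9 '+' for a delta CRL, %10/%11 CDP/CA object class.
$cdp = @(
    '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl',                      # local file: base + delta written here
    '6:http://pki.contoso.com/pki/%3%8%9.crl',                                  # HTTP first: reachable by every client
    '10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'  # LDAP for domain members
) -join '\n'    # certutil expects a literal "\n" between the values of this REG_MULTI_SZ
$aia = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '2:http://pki.contoso.com/pki/%1_%3%4.crt',
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
) -join '\n'
certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia
Restart-Service certsvc
certutil -crl                                   # new CRLs, written to every location carrying flag 1 / 64
# Only certificates issued from now on carry the new CDP/AIA extensions; existing ones keep the old URLs.

# The offline root has no access to AD DS or the web server: copy its .crt and .crl off by hand,
# then publish from any domain member with rights on the Public Key Services container.
certutil -dspublish -f C:\Temp\ContosoRootCA.crt RootCA   # -> Certification Authorities and AIA containers
certutil -dspublish -f C:\Temp\ContosoRootCA.crl          # -> CDP container
Copy-Item -Path C:\Temp\ContosoRootCA.crt, C:\Temp\ContosoRootCA.crl -Destination \\webserver\pki\
# The root CRL must be re-published this way before every Next Update (26 weeks with the CAPolicy.inf
# intervals used on the root); otherwise every chain below it fails revocation checking.

# Verify from a client: -urlfetch retrieves every AIA and CDP URL in the chain and reports each fetch.
certutil -verify -urlfetch C:\Temp\issued.cer
```

Order the CDP entries by reachability: clients try the URLs in the order they appear in the extension, and an LDAP URL listed first makes every non-domain client wait for a timeout before it reaches the HTTP copy.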

27 Lab 2: Configuring AD CS
- Exercise 1: Installing the AD CS Server Role
- Exercise 2: Issuing and Installing a Subordinate Certificate
- Exercise 3: Publishing the CRL
Logon information:
- Virtual machines: 6426A-NYC-DC1, 6426A-NYC-SVR1
- User name: Administrator
- Password: Pa$$w0rd
Estimated time: 40 minutes

