Auto connexion
This is a forum where we'll talk about everything!
 
:: Issues giving Domain Controllers group rights to enroll? ::

 
ClintBarton
Posted: Thu 7 June - 06:44 (2018)    Subject: Issues giving Domain Controllers group rights to enroll?

Hello,


As a bit of background, all our systems are configured to auto-enroll certificates and we are using the built-in V1 certificates for our system, so specifically the Computer and Domain Controller certificate templates.

I want to use the PKI management pack in SCOM to alert for expiring certificates. When I tried it in our lab I found a lot of false positives however, largely from our domain controllers and the Computer certificate being listed as expiring/expired. When I looked into it the issue became clear. When the server was first built, it was a member server and upon joining the domain, got a Computer certificate from our CA. After it was promoted to a domain controller it requested and received a Domain Controller certificate. The Computer certificate is only valid for a year, so ~11.5 months after being promoted to a DC, when the Computer certificate is about to expire, the domain controller does not/cannot renew it because the template by default is restricted to the Domain Computers group. I'll be honest, I'm not positive this last step is what's happening, it's an assumption on my part that Windows doesn't have anything specifically built-in about the certificate template it's requesting and is merely requesting cert(s) from the Enterprise CA and enrolling for all certificates it has permissions to, and the Computer template is restricted with Enroll permissions to Domain Computers group and Domain Controller template is restricted with Enroll permissions to Domain Controllers group and that's why the Computer certificate doesn't renew. If someone knows otherwise, I'd love to know specifically what it's doing.
Regardless, I can't find a way to override the PKI management pack rules for a specific certificate template and it brings a lot to the table, namely certificate expiration notices, so I don't want to just scrap the idea of using it so I got to thinking, why not adjust the permissions so Domain Controllers can enroll for the Computer certificate, thus allowing it to renew the Computer certificate and stop SCOM from freaking out. I'm assuming this shouldn't be an issue since a DC has both certificates for the first year it's a domain controller, and then both (with the Computer certificate expired) after that first year and it keeps on ticking without issue, but figured I'd throw it out to the crowd here for any thoughts about this.


Please help


I didn't find the right solution from the internet.


References:
https://arstechnica.com/civis/viewtopic.php?f=17&t=1110744


Thank you
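
An added example (not part of the original post) of a read-only PowerShell check for the situation described above: it lists each certificate in the machine store with the template that issued it and its expiry, then shows which principals hold explicit Enroll or Autoenroll rights on the two built-in templates. It assumes the built-in Computer and Domain Controller templates have the directory names Machine and DomainController, and that the host can query the domain over LDAP.

```powershell
# Added example, read-only: nothing here changes certificates or template ACLs.
# OIDs of the certificate extensions that record the issuing template
$V1TemplateName = '1.3.6.1.4.1.311.20.2'   # V1 templates: template name
$V2TemplateInfo = '1.3.6.1.4.1.311.21.7'   # V2+ templates: template OID and version
# Schema GUIDs of the extended rights shown as "Enroll" and "Autoenroll"
$EnrollRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}

function Get-MachineCertTemplate {
    # One row per certificate in the local machine store, oldest expiry first
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $ext = $_.Extensions |
            Where-Object { $_.Oid.Value -in $V1TemplateName, $V2TemplateInfo } |
            Select-Object -First 1
        [pscustomobject]@{
            Template   = if ($ext) { $ext.Format($false) } else { '(no template extension)' }
            NotAfter   = $_.NotAfter
            DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays   # negative = expired
            Thumbprint = $_.Thumbprint
        }
    } | Sort-Object NotAfter
}

function Get-TemplateEnrollAce {
    # Explicit Enroll/Autoenroll ACEs only; Full Control on the template also implies them
    param([Parameter(Mandatory)][string]$TemplateCN)   # e.g. Machine, DomainController
    $config = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $tmpl = [ADSI]"LDAP://CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
    $tmpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $EnrollRights.ContainsKey($_.ObjectType.ToString()) } |
        ForEach-Object {
            [pscustomobject]@{
                Template = $TemplateCN
                Identity = $_.IdentityReference.Value
                Right    = $EnrollRights[$_.ObjectType.ToString()]
                Access   = $_.AccessControlType
            }
        }
}

Get-MachineCertTemplate | Format-Table -AutoSize
'Machine', 'DomainController' | ForEach-Object { Get-TemplateEnrollAce $_ } | Format-Table -AutoSize
```

Running it on a domain controller before and after any permission change gives a record of which template each installed certificate came from and who could enroll for it at that point.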