RRAS, L2TP, and certificate authorities

 
 
Chris Shaw

 
      08-21-2006, 10:50 PM
If you have two issuing CAs under the same root CA, will a client with a
certificate issued from one CA be valid for use in connecting via L2TP to an
RRAS server with a certificate from the other CA? If so, is there a way to
prevent this?

Thanks in advance.
 
Ace Fekay [MVP]

 
      08-24-2006, 03:53 AM
In news:26831B08-0397-44DF-B30D-(E-Mail Removed),
Chris Shaw <(E-Mail Removed)> stated, which I commented
on below:
> If you have two issuing CAs under the same root CA, will a client
> with a certificate issued from one CA be valid for use in connecting
> via L2TP to an RRAS server with a certificate from the other CA? If
> so, is there a way to prevent this?
>
> Thanks in advance.


Yes, they will be honored, and as far as I can see, no, because of the common
trusted CA Root.

You can possibly use autoenrollment and make multiple certs for specific
users that you can control when you create a certificate template and apply
permissions based on groups on who is allowed to use the cert, along with
RRAS/RADIUS permissions.

Here are some links that may help to understand how to implement this. Keep
in mind, for autoenrollment certs, the issuing CA (not necessarily the CA
Root), must be at least Enterprise Edition.

Certificate Autoenrollment in Windows Server 2003:
http://www.microsoft.com/technet/pro.../autoenro.mspx

Selecting Certificate Templates Public Key (need enterprise to make
autoenrollment work):
http://www.microsoft.com/technet/pro...0d0ef4e9a.mspx

Configure a certificate template for client autoenrollment:
http://technet2.microsoft.com/Window...00a8e1033.mspx

Problems Installing Certificate Services After You Apply the Q323172 Patch:
http://support.microsoft.com/default...b;en-us;328595

Certificate Services Operations Guide- Certificate Services Operations:
http://www.microsoft.com/technet/its...tSevcOG_2.mspx

The Secure Access Using Smart Cards Planning Guide - Chapter 3 - Using Smart
Cards to Help Secure Administrator Accounts:
http://www.microsoft.com/technet/sec.../scpgch03.mspx



If you like, post this question to the microsoft.public.security.crypto
newsgroup.
Those guys do it every day there and I'm sure you'll get better help.

--
Ace
Innovative IT Concepts, Inc
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest using OEx (Outlook Express
or any other newsreader), and configuring a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...
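
Why a shared root makes both certificates acceptable, as an added example that is not part of either post: a constructed throwaway PKI built with the OpenSSL command line (an assumption; the thread itself concerns Windows RRAS), comparing a verifier anchored at the root with one anchored at a single issuing CA. The file names and the `accepted_via_*` helpers are hypothetical, and the example makes no claim about what RRAS can be configured to do.

```shell
#!/bin/sh
# Added example: a constructed throwaway PKI, not certificates from the thread.
#   root -> issuingA -> client        root -> issuingB -> server
work=$(mktemp -d) && cd "$work" || exit 1
trap 'rm -rf "$work"' EXIT

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF

# Self-signed root that both issuing CAs chain to.
openssl req -x509 -config pki.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Constructed Root" -days 2 2>/dev/null

# issue <name> <signer> <extension-section>: new key, CSR, cert signed by <signer>
issue() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=Constructed $1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -extfile pki.cnf -extensions "$3" -days 2 -out "$1.pem" 2>/dev/null
}
issue issuingA root ca_ext
issue issuingB root ca_ext
issue client issuingA leaf_ext
issue server issuingB leaf_ext

# Verifier whose only trust anchor is the shared root; $2 is the peer's chain.
accepted_via_root() {
  openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
}
# Verifier whose only trust anchor is one issuing CA ($2).
accepted_via_issuer() {
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

report() { if "$@"; then echo "ACCEPT: $*"; else echo "REJECT: $*"; fi; }
report accepted_via_root   client.pem issuingA.pem   # other issuing CA, same root
report accepted_via_root   server.pem issuingB.pem
report accepted_via_issuer server.pem issuingB.pem
report accepted_via_issuer client.pem issuingB.pem   # different issuer
```

Chain validation only asks whether a path exists to a trusted anchor, so the issuing CA matters only when the anchor itself is the issuing CA rather than the root.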


 