Hello,

I've got an interesting scenario that I'd appreciate any feedback on .

Two Forests: 1 Windows 2000 (Corporate) , 1 Windows 2003 (Ecommerce)

Required: Client Certificate Authentication of an IIS 5 Server in the
Windows 2000 Forest to an IIS 6 Server in the Windows 2003 Forest.

The current intention is to create an Offline RootCA, publish this to the
Windows 2000 AD. An Windows 2000 Enterprise Subordinate in this forest would
then be comissioned for computer certs.

To meet the above approach I was considering inserting multiple LDAP CDP's
in the RootCA cert and also the subordinate cert.

We could then publish these to the Windows 2003 AD as well as the CRL's, as
required.

Thoughts or other approaches to the cross-forest conundrum?

Thanks,

Benkman.

In article <53D2717E-102F-48C2-B8CE-(E-Mail Removed)>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?QmVua21hbg==?=
<(E-Mail Removed)> says...

> Hello,
>
> I've got an interesting scenario that I'd appreciate any feedback on .
>
> Two Forests: 1 Windows 2000 (Corporate) , 1 Windows 2003 (Ecommerce)

Is there any trust relationship between the two forests?

>
> Required: Client Certificate Authentication of an IIS 5 Server in the
> Windows 2000 Forest to an IIS 6 Server in the Windows 2003 Forest.
>
> The current intention is to create an Offline RootCA, publish this to the
> Windows 2000 AD. An Windows 2000 Enterprise Subordinate in this forest would
> then be comissioned for computer certs.

Not the way I'd go with this. I'd skip Windows 2000 as a CA and go right
to Windows Server 2003. If for some reason you can't deploy the subCA to
the Windows Server 2003 forest, you can still install a Windows Server
2003 CA to the Windows 2000 forest as long as you apply the Windows
Server 2003 schema updates to the Windows 2000 forest. For the offline
root, I'd go with Standard Edition, for the enterprise sub, I'd go with
Enterprise edition. You may not need all of the features that using
Enteprise allows you to take advantage of now, but it will be much
easier to expand your PKI if you start with Enterprise as your subCA.
>
> To meet the above approach I was considering inserting multiple LDAP CDP's
> in the RootCA cert and also the subordinate cert.

Why? In the first place, you shouldn't have CDPs in the root cert at
all. The root CA cert is self-signed, so logically, it can't really be
trusted to revoke itself. The majority of applications out there won't
even check the revocation status of the root cert. You should also think
hard about using LDAP URLs as the default CPD and AIA locations. I know
that you're starting off with just server and client auth certs for
Microsoft clients, however, if you decide to expand your PKI, you may
find that you've got applications/devices that won't be able to retrieve
this information from an LDAP URL, you maybe better off using an HTTP
URL first, followed by one or more LDAP URLs. Also, you need to think
about the permissions required to publish a CRL from one forest to
another.

>
> We could then publish these to the Windows 2003 AD as well as the CRL's, as
> required.

As above.


> Thoughts or other approaches to the cross-forest conundrum?

The other issue you're going to run into here with the cross-forest
design is enrollment. You need to make sure that you've got permissions
set correctly to allow the web server to enroll from one forest to the
other.

--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.

Hi Paul,

> Is there any trust relationship between the two forests?
There no trust relationship between the forests and no intention to create
one at this stage. This is mainly due to a desire not to expose the Ecommerce
Forest to the Corporate forest and vice-versa.

<Not the way I'd go with this. I'd skip Windows 2000 as a CA and go right
> to Windows Server 2003. If for some reason you can't deploy the subCA to
> the Windows Server 2003 forest, you can still install a Windows Server
> 2003 CA to the Windows 2000 forest as long as you apply the Windows
> Server 2003 schema updates to the Windows 2000 forest. For the offline
> root, I'd go with Standard Edition, for the enterprise sub, I'd go with
> Enterprise edition. You may not need all of the features that using
> Enteprise allows you to take advantage of now, but it will be much
> easier to expand your PKI if you start with Enterprise as your subCA.

I take your points on the RootCA. We are yet to do the schema update our W2K
forest as we have a very large and distributed network and there are concerns
over the impact to that. It will happen but not in the immediate future. We
are also yet to finalise our W2K3 build, GPO's. management, etc in the
corporate forest which has been a limiting factor to implementing W2K3. Again
it will happen.

As the subordinate will be an Enterprise CA are you saying it will be easier
to expand our PKI if it's W2K3? Without the schema updates and new templates
what is the real value here?

> Why? In the first place, you shouldn't have CDPs in the root cert at
> all. The root CA cert is self-signed, so logically, it can't really be
> trusted to revoke itself. The majority of applications out there won't
> even check the revocation status of the root cert. You should also think
> hard about using LDAP URLs as the default CPD and AIA locations. I know
> that you're starting off with just server and client auth certs for
> Microsoft clients, however, if you decide to expand your PKI, you may
> find that you've got applications/devices that won't be able to retrieve
> this information from an LDAP URL, you maybe better off using an HTTP
> URL first, followed by one or more LDAP URLs. Also, you need to think
> about the permissions required to publish a CRL from one forest to
> another.

Point taken on the Root CDP. LDAP URLs & HTTP URLs are intended to be used.
LDAP first (all clients have a local DC/GC) then HTTP. Is that not the best
approach in this situation? I hear you on the enrollment permissions and CRL
updates but without that trust both will be necessarily manual won't they? I
guess I'm trying to find a way to be pragmatic in these constraints.

What other choices do I have other than providing the Root cert, subordinate
CA certificate and CRL from the Corporate CA in Ecommerce forest?

Kind Regards,

Benkman.





"Paul Adare - MVP - Microsoft Virtual PC" wrote:

> In article <53D2717E-102F-48C2-B8CE-(E-Mail Removed)>, in the
> microsoft.public.win2000.security news group, =?Utf-8?B?QmVua21hbg==?=
> <(E-Mail Removed)> says...
>
> > Hello,
> >
> > I've got an interesting scenario that I'd appreciate any feedback on .
> >
> > Two Forests: 1 Windows 2000 (Corporate) , 1 Windows 2003 (Ecommerce)
>
> Is there any trust relationship between the two forests?
>
> >
> > Required: Client Certificate Authentication of an IIS 5 Server in the
> > Windows 2000 Forest to an IIS 6 Server in the Windows 2003 Forest.
> >
> > The current intention is to create an Offline RootCA, publish this to the
> > Windows 2000 AD. An Windows 2000 Enterprise Subordinate in this forest would
> > then be comissioned for computer certs.
>
> Not the way I'd go with this. I'd skip Windows 2000 as a CA and go right
> to Windows Server 2003. If for some reason you can't deploy the subCA to
> the Windows Server 2003 forest, you can still install a Windows Server
> 2003 CA to the Windows 2000 forest as long as you apply the Windows
> Server 2003 schema updates to the Windows 2000 forest. For the offline
> root, I'd go with Standard Edition, for the enterprise sub, I'd go with
> Enterprise edition. You may not need all of the features that using
> Enteprise allows you to take advantage of now, but it will be much
> easier to expand your PKI if you start with Enterprise as your subCA.
> >
> > To meet the above approach I was considering inserting multiple LDAP CDP's
> > in the RootCA cert and also the subordinate cert.
>
> Why? In the first place, you shouldn't have CDPs in the root cert at
> all. The root CA cert is self-signed, so logically, it can't really be
> trusted to revoke itself. The majority of applications out there won't
> even check the revocation status of the root cert. You should also think
> hard about using LDAP URLs as the default CPD and AIA locations. I know
> that you're starting off with just server and client auth certs for
> Microsoft clients, however, if you decide to expand your PKI, you may
> find that you've got applications/devices that won't be able to retrieve
> this information from an LDAP URL, you maybe better off using an HTTP
> URL first, followed by one or more LDAP URLs. Also, you need to think
> about the permissions required to publish a CRL from one forest to
> another.
>
> >
> > We could then publish these to the Windows 2003 AD as well as the CRL's, as
> > required.
>
> As above.
>
>
> > Thoughts or other approaches to the cross-forest conundrum?
>
> The other issue you're going to run into here with the cross-forest
> design is enrollment. You need to make sure that you've got permissions
> set correctly to allow the web server to enroll from one forest to the
> other.
>
> --
> Paul Adare
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>