Certificate Web Enrollment

Max

We are designing a Windows 2003 PKI. We are trying to decide whether
to place certificate web enrollment on the web farm or on dedicated
servers.

The only thing currently holding us back from hosting web enrollment
from our web farm is that we will have to trust all the web farm
servers for delegation. Currently, all web farm servers have the
"Trust computer for delegation" unchecked. What security issues arise
once the computer is delegated? I have been unable to find details on
this.

Convincing the web area to allow this to be checked when right next to
the check box for this setting there is an exclamation sign and a
statement saying "This security-sensitive option..." will require an
explanation of why this is a security-sensitive option and whether
there is some risk involved. Could anyone provide some insight into
what possible vulnerabilities delegating a computer for delegation
opens up?

Does anyone have any other reasons why/why not to host web enrollment
from our web farm rather than dedicated servers?

Thanks,
Max
Drew Cooper [MSFT]

"Trusted for delegation" means that users can be impersonated unless their
accounts specifically deny it. If you're considering using delegation on
2003, definitely check out constrained delegation instead of the old-style
full delegation. There are docs under here that should explain delegation,
its risks, and constrained delegation in Server 2003:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dsscc_aut_vwcs.asp
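As an added illustration of the point in the reply above (this is not code from the thread or from Microsoft), the following PowerShell audits which computers are trusted for delegation, in which flavour, and which accounts have opted out, then shows the constrained-delegation change the reply recommends. It assumes the RSAT ActiveDirectory module and a reachable domain controller; WEBFARM01, CA01, corp.example and adminuser are placeholder names. The userAccountControl bit values are the documented ones; the SPNs the CA needs for web enrollment should be confirmed against the delegation documentation linked above before applying step 3.

```powershell
# Added example, not from the original thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Documented userAccountControl bits.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: the host may impersonate any user to any service
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition (S4U2Self)
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"

function Get-DelegationState {
    param([int]$Uac, [string[]]$AllowedTo)
    if ($Uac -band $TRUSTED_FOR_DELEGATION) { return 'Unconstrained (full delegation)' }
    if ($AllowedTo -and $AllowedTo.Count -gt 0) {
        if ($Uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { return 'Constrained (protocol transition)' }
        return 'Constrained (Kerberos only)'
    }
    return 'None'
}

# 1. Which computers can impersonate users, and to which services?
#    msDS-AllowedToDelegateTo holds the target SPN list for constrained delegation.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true -or msDS-AllowedToDelegateTo -like "*"' `
    -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
  ForEach-Object {
    [pscustomobject]@{
      Computer   = $_.Name
      Delegation = Get-DelegationState $_.userAccountControl $_.'msDS-AllowedToDelegateTo'
      Targets    = ($_.'msDS-AllowedToDelegateTo' -join ', ')
    }
  } | Format-Table -AutoSize

# 2. Which privileged users have the "cannot be delegated" flag, i.e. cannot be
#    impersonated by any trusted host, constrained or not?
Get-ADGroupMember 'Domain Admins' -Recursive |
  Get-ADUser -Properties AccountNotDelegated |
  Select-Object SamAccountName, AccountNotDelegated

# 3. Remediation: replace full delegation on a web-farm node with constrained
#    delegation to the CA host only. Placeholder names; confirm the SPN list the
#    CA's DCOM interface actually needs before running this.
Set-ADComputer -Identity 'WEBFARM01' -TrustedForDelegation $false
Set-ADComputer -Identity 'WEBFARM01' -Add @{
    'msDS-AllowedToDelegateTo' = @('HOST/CA01', 'HOST/CA01.corp.example',
                                   'rpcss/CA01', 'rpcss/CA01.corp.example')
}

# 4. Mark high-value accounts so no server can forward their identity at all.
Set-ADAccountControl -Identity 'adminuser' -AccountNotDelegated $true
```

Step 1 is the answer to the question of what the checkbox exposes: any host reported as "Unconstrained" can present a forwarded TGT for any user who authenticates to it (unless that user carries the flag from step 2 or 4) to any service in the forest, so compromising one web-farm node is equivalent to compromising every user who ever hit it. The constrained form in step 3 limits the blast radius to the CA SPNs listed.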