Microsoft IT has released an updated version of the "Public Key Infrastructure at Microsoft" whitepaper, available at http://www.microsoft.com/download/en/details.aspx?id=27581 or here: Public Key Infrastructure at Microsoft 1750_PKI_TWP
The update covers the changes made to the Microsoft internal PKI structure as part of the Windows Server 2008 R2 migration. Microsoft IT outlines many good "lessons learned and best practices" that resulted from the migration/upgrade process.
Some of my favorites are the way they use CRL overlap to provide higher availability of CRLs, the simplified two-tier structure together with cross-forest enrollment, and the discussion of virtualisation of CAs.
Some of the highlighted features in the document are:
Windows Server 2008:
- Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis
- Enhanced performance monitoring with the addition of new performance counters
- Scalable, high-speed revocation status response services that combine CRLs and integrated Online Responder services
- Support for Cryptography Next Generation (CNG) to enable the use of Suite B algorithms
- Enhanced service monitoring with the introduction of the Windows Server 2008 AD CS Management Pack for Microsoft Operations Manager 2005
- More detailed server administration with restricted certificate managers
- Failover cluster support
Windows Server 2008 R2:
- Cross-forest enrollment capability that allows for consolidation of existing hardware
- Databaseless CA feature to avoid storing unnecessary certificate records
- Best Practice Analyzer for improved configuration practices
- Web-based certificate enrollment protocol to allow enrollment over the Internet
There are many different ways to implement and migrate to Windows 7, Windows Server 2008 R2 and Hyper-V R2: some outright harmful, others perfectly fine with various pros and cons, and of course some that are really good and well thought out.
Challenges such as coexisting with XP for a period, upgrading roles such as AD, DNS, DHCP and Clustering, changing communication protocols and introducing new features such as Direct Access demand a great deal from those of us who work in IT.
At the Summit you get the unvarnished truth and the tips you will not find in the manuals on how best to introduce the latest technology in your IT environment.
More information and the agenda can be found at http://infrastructuresummit.se/
See you on October 7th
/Hasain

The following table lists the AD CS components that can be configured on different editions of Windows Server 2008 R2.
| Components | Web | Standard | Enterprise | Datacenter |
|---|---|---|---|---|
| CA | No | Yes | Yes | Yes |
| Network Device Enrollment | No | No | Yes | Yes |
| Online Responder | No | No | Yes | Yes |
| CA Web Enrollment | No | Yes | Yes | Yes |
| Certificate Enrollment WS | No | Yes | Yes | Yes |
| Certificate Enrollment Policy WS | No | Yes | Yes | Yes |
The following features are available on servers running Windows Server 2008 R2 that have been configured as CAs.
| AD CS features | Web | Standard | Enterprise | Datacenter |
|---|---|---|---|---|
| Customizable version 2 and 3 templates | No | Yes | Yes | Yes |
| Key archival | No | Yes | Yes | Yes |
| Role separation | No | No | Yes | Yes |
| Certificate manager restrictions | No | No | Yes | Yes |
| Delegated enrollment agent restrictions | No | No | Yes | Yes |
| Certificate enrollment across forests | No | No | Yes | Yes |

What if you could add group membership to a user's access token when the user authenticates using a certificate-based logon method, and let the issuance policies included in the certificate decide which groups are added?
This is now possible using the Authentication Mechanism Assurance feature in Active Directory Domain Services (AD DS) in Windows Server 2008 R2. When this feature is enabled, a user's access to resources on the network when authenticated with certificate-based logon can be treated differently from the access the same user gets when typing a user name and password, because the user's group membership changes to reflect the authentication method used.
This feature is intended for organizations that use certificate-based authentication methods, such as smart card or token-based authentication systems. Organizations that do not use certificate-based authentication methods will not be able to use authentication mechanism assurance, even if they have Windows Server 2008 R2 domain controllers with their domain functional level set to Windows Server 2008 R2.
The best part of this feature is that any client or server operating system that is able to interpret Windows access tokens can be used to grant or deny access based on the group membership or memberships that are added to a user's token by authentication mechanism assurance.
/Hasain
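As an added example (not from the original post), the following PowerShell links a certificate issuance policy OID to a universal security group, which is how authentication mechanism assurance decides which group to add to the token. The OID value and group name are placeholders; the script assumes the ActiveDirectory module and a domain at the Windows Server 2008 R2 functional level.

```powershell
# Added example, not part of the original post: link an issuance policy OID to
# a group so that users logging on with a certificate carrying that policy get
# the group in their access token. Replace the two placeholder values.
Import-Module ActiveDirectory

$IssuancePolicyOid = '1.3.6.1.4.1.311.21.8.1234567.1'   # placeholder: your issuance policy OID
$GroupName         = 'SmartCardAssuredUsers'           # placeholder: your group name

# The linked group must be a universal security group with no static members;
# membership is added dynamically at logon, so verify both conditions first.
$group = Get-ADGroup -Identity $GroupName -Properties members
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "Group '$GroupName' must be a universal security group."
}
if ($group.members.Count -gt 0) {
    throw "Group '$GroupName' must not have any members."
}

# Issuance policy OIDs are msPKI-Enterprise-Oid objects under the Public Key
# Services container in the configuration partition.
$configNC     = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"
$oidObject = Get-ADObject -SearchBase $oidContainer -SearchScope OneLevel `
    -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=$IssuancePolicyOid))" `
    -Properties 'msDS-OIDToGroupLink', 'displayName'
if (-not $oidObject) {
    throw "No issuance policy object found for OID $IssuancePolicyOid."
}
if ($oidObject.'msDS-OIDToGroupLink') {
    Write-Warning "OID '$($oidObject.displayName)' is already linked to $($oidObject.'msDS-OIDToGroupLink'); replacing the link."
}

# The link itself is the msDS-OIDToGroupLink attribute on the OID object,
# holding the distinguished name of the group.
Set-ADObject -Identity $oidObject -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Read the attribute back so the change can be confirmed (and audited).
(Get-ADObject -Identity $oidObject -Properties 'msDS-OIDToGroupLink').'msDS-OIDToGroupLink'
```

Because the group is populated only at logon, a user whose certificate does not carry the linked policy (or who logs on with a password) will not see it in the token, which is the behaviour the post describes.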
