Microsoft KB Archive/246572
Article ID: 246572
Article Last Modified on 10/30/2006
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q246572
A Web server that hosts the certification authority certificate enrollment Web pages must be configured for domain authentication, and the certificate request must include an attribute specifying the user certificate template. This article describes how to publish certificates to Active Directory from a standalone certification authority.
After installing a standalone certification authority with Directory Services write access, you must perform the following steps to be able to publish certificates to the Directory Service:
- On the certification authority, run the following command:
  certutil -setreg exit\PublishCertFlags EXITPUB_ACTIVEDIRECTORY
- On the certification authority, use the Internet Services Manager MMC snap-in to configure the CertSrv virtual directory to require domain authentication:
  - Right-click the CertSrv virtual directory, click Properties, and then click the Directory Security tab.
  - Under Anonymous access and authentication control, click Edit.
  - Click to clear the Anonymous access check box.
  - Click to select the Basic Authentication and Integrated Windows authentication check boxes.
Whenever a user wants to enroll for a certificate that should be published to Active Directory, the user must use the certification authority Advanced Certificate Requests feature to submit a request to the certification authority using a form. The user must also type CertificateTemplate:User in the Attributes control on the page under Additional Options prior to submitting the request.
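The CA-side steps above as a command-prompt script that also verifies the result; this is an added example and not part of the original article. It assumes the IIS 5.0 administration script adsutil.vbs is in its default folder, that the CertSrv virtual directory is under the default Web site (site ID 1), and that Certificate Services can be restarted at this point.

```batch
@echo off
rem Added example, not from the original article. Run on the standalone CA
rem from a command prompt with administrative rights.
setlocal

rem Assumptions: IIS 5.0 admin scripts in the default folder, and the
rem CertSrv virtual directory under the default Web site (site ID 1).
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set VDIR=W3SVC/1/ROOT/CertSrv

echo --- Exit module publish flags before the change
certutil -getreg exit\PublishCertFlags

echo --- Enabling publication to Active Directory
certutil -setreg exit\PublishCertFlags EXITPUB_ACTIVEDIRECTORY
if errorlevel 1 goto failed

echo --- Restarting Certificate Services so the new value is loaded
net stop certsvc
net start certsvc
if errorlevel 1 goto failed

echo --- Exit module publish flags after the change
certutil -getreg exit\PublishCertFlags

echo --- Authentication methods on %VDIR%
rem AuthFlags is a bit mask: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows.
rem After the steps in the article the value should be 6 (2 + 4). An odd
rem value means anonymous access is still enabled on the enrollment pages.
cscript //nologo "%ADSUTIL%" get %VDIR%/AuthFlags
goto done

:failed
echo A step failed; review the output above before users enroll.
endlocal
exit /b 1

:done
endlocal
```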
Keywords: kbhowto kbhowtomaster KB246572