Microsoft KB Archive/246572

From BetaArchive Wiki
Knowledge Base

Article ID: 246572

Article Last Modified on 10/30/2006


  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q246572


A Web server that hosts the certification authority certificate enrollment Web pages must be configured for domain authentication, and the certificate request must include an attribute specifying the user certificate template. This article describes how to publish certificates to the Active Directory from a standalone certification authority.

back to the top

Server Configuration

After installing a standalone certification authority with Directory Services write access, you must perform the following steps to be able to publish certificates to the Directory Service:

  1. On the certification authority, run the following command:

    certutil -setreg exit\PublishCertFlags EXITPUB_ACTIVEDIRECTORY

  2. On the certification authority, use the Internet Services Manager MMC snap-in to configure the CertSrv Virtual Directory to require domain authentication.
    1. Right-click the CertSrv virtual directory, click Properties, and then click the Directory Security tab.
    2. On the Anonymous access and authentication control, click Edit.
    3. Click to clear the Anonymous access check box.
    4. Click to select the Basic Authentication and Integrated Windows authentication check box.

back to the top

Certificate Enrollment

Whenever a user wants to enroll for a certificate that should be published to Active Directory, the user must use the certification authority Advanced Certificate Requests feature to submit a request to the certification authority using a form. The user must also type CertificateTemplate:User in the Attributes control on the page under Additional Options prior to submitting the request.

back to the top

Keywords: kbhowto kbhowtomaster KB246572