Lab purpose: configure a restricted enrollment agent
Lab environment: LON-DC1, Windows Server 2012 R2, AD DS + AD CS, 172.16.0.10
LON-CL1, Windows 8 client, 172.16.0.100
Lab steps:
Log on to LON-DC1 and open the Certification Authority console from Server Manager.
Right-click Certificate Templates and select Manage.
Locate the Enrollment Agent template in the list of templates, double-click it to open its properties, open the Security tab, click Add, add User1, and grant User1 the Read and Enroll permissions.
When finished, return to the Certification Authority console, right-click Certificate Templates, and select New, then Certificate Template to Issue.
Select the Enrollment Agent template so that it is added to the Certificate Templates container.
Next, log on to LON-CL1 as User1, run mmc.exe to open a console, and add the Certificates snap-in.
In the Certificates snap-in, right-click the Personal container and select All Tasks, then Request New Certificate.
Accept the defaults in the wizard until you reach the Request Certificates page, then select Enrollment Agent, click Enroll, and complete the wizard.
Enrollment may fail with a "revocation server offline" error. The likely cause is that the CRL and root certificate of the stand-alone root CA have not been copied to the enterprise subordinate CA. They can be added manually on the enterprise subordinate CA with the commands certutil -addstore Root ADATUMROOTCA.CRL and certutil -addstore Root lon-svr1_adatumrootca.crt. Once enrollment of the Enrollment Agent certificate completes, the certificate appears in the Personal container.
After the client has finished requesting the certificate, switch to LON-DC1, open the properties of ADATUMROOTCA, and select the Enrollment Agents tab.
Here we configure User1 so that it may enroll User template certificates only on behalf of users in the domain (members of the Domain Users group): select the restricted enrollment agents setting and configure it accordingly.
This completes the lab for configuring a restricted enrollment agent.
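As an added check that is not part of the original post, the following PowerShell verifies each configuration point above (template ACL, template publication, the offline-root chain that causes the revocation error, the restriction setting, and the issued agent certificate). The domain name adatum.com, the template DN, the User1 account name and the EnrollmentAgentRights registry value are assumptions not stated in the post.

```powershell
# Added verification script for the lab above; it is not part of the original post.
# Assumptions not stated in the post: the forest root domain is adatum.com, the restricted
# agent account is User1, the ActiveDirectory (RSAT) module is installed on LON-DC1, and
# LON-DC1 also runs the enterprise subordinate CA service.
# Sections 1-4 run on LON-DC1 as an administrator; section 5 runs on LON-CL1 as User1.

$enrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # AD extended right "Certificate-Enrollment"
$requestAgentEku = '1.3.6.1.4.1.311.20.2.1'                         # EKU "Certificate Request Agent"
$templateDn = 'CN=EnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,' +
              'CN=Services,CN=Configuration,DC=adatum,DC=com'

# 1. Template ACL: list every principal allowed to enroll on the Enrollment Agent template.
#    Only User1 (and the default admin groups) should appear; an agent certificate lets its
#    holder request certificates on behalf of others, so any extra entry here matters.
Import-Module ActiveDirectory
(Get-Acl -Path "AD:\$templateDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollRightGuid } |
    ForEach-Object { "Enroll on EnrollmentAgent: $($_.IdentityReference)" }

# 2. Publication: the CA must list EnrollmentAgent among the templates it can issue.
$published = (certutil -CATemplates) -match '^EnrollmentAgent:'
"EnrollmentAgent published on this CA: $([bool]$published)"

# 3. Offline-root prerequisites: verify the subordinate CA's own certificate chain.
#    CRYPT_E_REVOCATION_OFFLINE in the output reproduces the error in the post and means the
#    root CA's CRL (and possibly its certificate) is missing from the Root store;
#    "revocation check passed" means the certutil -addstore steps have taken effect.
$subCaCer = Join-Path $env:TEMP 'subca.cer'
certutil -ca.cert $subCaCer | Out-Null
(certutil -verify $subCaCer) -match 'revocation'

# 4. Restriction in effect: the CA stores the restricted enrollment agent settings as a
#    security descriptor in this registry value (assumed name); if it is absent, any agent
#    may enroll any template on behalf of any user.
certutil -getreg ca\EnrollmentAgentRights

# 5. On LON-CL1 as User1: the agent certificate must be in the Personal store with the
#    Certificate Request Agent EKU and a private key, otherwise enrollment did not complete.
$agentCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $requestAgentEku }
if ($agentCert) {
    "Enrollment Agent certificate: $($agentCert.Thumbprint), private key: $($agentCert.HasPrivateKey)"
} else {
    'No Enrollment Agent certificate found in the Personal store'
}
```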
This article is from the "Dry Sea Sponge" blog; please keep this source: http://thefallenheaven.blog.51cto.com/450907/1618558
Windows AD Certificate Services series: Certificate Publishing and Revocation (2)