Experiment: Configure an Online Responder
Lab Environment:
LON-DC1   Windows Server 2012 R2   172.16.0.10   AD DS + enterprise issuing CA (ADATUM-IssuingCA)
LON-SVR2  Windows Server 2012 R2   172.16.0.24   Online Responder (OCSP) server
Experimental steps:
Log in to LON-SVR2 with the domain Administrator account and install the role service from an elevated PowerShell prompt: Add-WindowsFeature ADCS-Online-Cert -IncludeManagementTools. The Online Responder runs as an ISAPI application inside IIS, so the Web Server components it needs are installed along with it.
Installing the role service does not configure it. When the installation completes, open the notification flag in Server Manager and click "Configure Active Directory Certificate Services on the destination server".
In the AD CS Configuration wizard, keep the default credentials (the domain Administrator), click Next, and on the Role Services page select Online Responder.
Follow the wizard, clicking Next, until the configuration completes. This creates the Online Responder service (OcspSvc) and the /ocsp application under the IIS Default Web Site on LON-SVR2, so the address clients will query is http://LON-SVR2/ocsp.
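The same installation and configuration, done unattended, as an added example that is not part of the original post. It is run in an elevated PowerShell session on LON-SVR2 as a domain administrator and relies on the ServerManager, ADCSDeployment and WebAdministration modules that ship with Windows Server 2012 R2; the check that the IIS application is named ocsp is an assumption about the default the wizard creates.

```powershell
# Added example (not from the original post): unattended equivalent of the
# Server Manager steps above, run in an elevated PowerShell on LON-SVR2.
Import-Module ServerManager

# Install the Online Responder role service; the Web Server (IIS) components
# it depends on are pulled in automatically.
$install = Add-WindowsFeature ADCS-Online-Cert -IncludeManagementTools
if (-not $install.Success) { throw 'Role service installation failed' }

# Equivalent of "Configure Active Directory Certificate Services on the
# destination server" -> Online Responder. -Force suppresses the confirmation.
Import-Module ADCSDeployment
Install-AdcsOnlineResponder -Force

# Sanity checks: the Online Responder service must be running, and IIS must
# expose the application that clients will query (assumed to be named "ocsp",
# which is the default the wizard creates under the Default Web Site).
$svc = Get-Service -Name OcspSvc
if ($svc.Status -ne 'Running') { throw "OcspSvc is $($svc.Status), expected Running" }

Import-Module WebAdministration
if (-not (Get-WebApplication -Name ocsp)) { throw '/ocsp application not found under the Default Web Site' }

"Online Responder ready on $env:COMPUTERNAME; clients should use http://$env:COMPUTERNAME/ocsp"
```

The service and IIS checks are what you would look at first if the revocation configuration created later reports anything other than Working.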
With the responder installed, log on to LON-DC1, open the Certification Authority console, and open the Properties page of ADATUM-IssuingCA.
Switch to the Extensions tab, select the "Authority Information Access (AIA)" extension and add the URL of the responder. The original post adds http://LON-DC1/ocsp, but the URL has to point at the host that actually runs the Online Responder, which in this lab is LON-SVR2, so the address clients need is http://LON-SVR2/ocsp. Tick only "Include in the online certificate status protocol (OCSP) extension". The other check box, "Include in the AIA extension of issued certificates", tells clients where to download the CA certificate itself (the caIssuers access method); ticking it for the responder URL advertises the responder as a CA-certificate download location, which it is not.
When you click OK, you are prompted to restart Active Directory Certificate Services; click "Yes". The CA reads the extension settings at start-up, and the new URL only appears in certificates issued after the restart. Certificates issued earlier carry no OCSP pointer and continue to be checked against the CRL.
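The Extensions tab edit above, performed at the registry level where the CA keeps its AIA entries, as an added example that is not part of the original post. It runs in an elevated PowerShell session on LON-DC1; the responder URL http://LON-SVR2/ocsp is this lab's, and the flag values are the CA's documented CSURL_* publication flags.

```powershell
# Added example (not from the original post): registry-level equivalent of
# adding the OCSP URL on the Extensions tab, run in an elevated PowerShell on
# LON-DC1. The URL points at LON-SVR2, the host that runs the Online Responder.
$ocspUrl = 'http://LON-SVR2/ocsp'

# The CA stores its AIA entries as a REG_MULTI_SZ of "<flags>:<url>" strings.
#   2  = include the URL in the AIA extension of issued certificates
#        (caIssuers: where the CA certificate itself can be downloaded)
#   32 = include the URL in the OCSP access method of issued certificates
# A responder URL needs flag 32 only.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base).Active          # e.g. ADATUM-IssuingCA
$caKey  = Join-Path -Path $base -ChildPath $caName
$urls   = @((Get-ItemProperty -Path $caKey).CACertPublicationURLs)

$entry = "32:$ocspUrl"
if ($urls -contains $entry) {
    "OCSP URL already configured on $caName"
} else {
    # Append rather than overwrite, so the existing file/LDAP/HTTP entries survive.
    Set-ItemProperty -Path $caKey -Name CACertPublicationURLs -Type MultiString -Value ($urls + $entry)
    # The CA only reads this value at start-up, hence the restart the GUI asks for.
    Restart-Service -Name CertSvc
    "Added $entry to $caName and restarted CertSvc"
}

# Verify: the responder URL must be listed with flag 32 (and not with flag 2).
certutil -getreg CA\CACertPublicationURLs
```

The certutil output is also the quickest way to spot a responder URL that was mistakenly tagged with flag 2 through the GUI check box.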
Once the service is back up, right-click "Certificate Templates" in the Certification Authority console and select "Manage".
Locate the OCSP Response Signing template, double-click to open it, and on the Security tab grant Enroll permission. The post grants it to Authenticated Users, which is convenient in a lab but far too broad for production: an OCSP Response Signing certificate issued by ADATUM-IssuingCA carries the OCSP Signing EKU and chains directly to the CA, so any principal that can enroll for this template can sign "good" responses for revoked certificates that every client in the domain will accept. Grant Read and Enroll only to the computer account of the Online Responder (LON-SVR2$).
After the modification, go back to the Certification Authority console. The template still has to be published on the CA: right-click "Certificate Templates", select New > Certificate Template to Issue, and pick OCSP Response Signing from the list. Until the CA issues this template, the responder cannot obtain a signing certificate and the revocation configuration created later will not come up.
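A least-privilege version of the two template steps above (permission on the template, then publishing it on the CA), as an added example that is not part of the original post. It runs on LON-DC1 with the ActiveDirectory and ADCSAdministration modules; LON-SVR2 is this lab's responder host, OCSPResponseSignature is the internal name of the OCSP Response Signing template, and the GUID is the well-known Certificate-Enrollment control access right.

```powershell
# Added example (not from the original post): grant Read + Enroll on the
# OCSP Response Signing template to the responder's computer account only,
# then publish the template on the CA. Run on LON-DC1 as a domain administrator.
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$responderHost = 'LON-SVR2'                                   # machine running the Online Responder
$templateName  = 'OCSPResponseSignature'                      # internal name of "OCSP Response Signing"
$enrollRight   = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55' # Certificate-Enrollment control access right

# Certificate templates live in the Configuration partition (replicated forest-wide).
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$sid        = (Get-ADComputer -Identity $responderHost).SID

$acl = Get-Acl -Path "AD:\$templateDN"
# Read lets the account see the template; Enroll is the control-access right
# that lets it actually request a certificate based on the template.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'GenericRead', 'Allow')))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', 'Allow', $enrollRight)))
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# Verify who holds Enroll on the template: only LON-SVR2$ (and the default
# Domain Admins / Enterprise Admins entries) should appear.
Get-Acl -Path "AD:\$templateDN" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.ObjectType -eq $enrollRight -and $_.ActiveDirectoryRights -match 'ExtendedRight' } |
    Select-Object IdentityReference, AccessControlType

# Equivalent of New > Certificate Template to Issue on ADATUM-IssuingCA.
Add-CATemplate -Name $templateName -Force
Get-CATemplate | Where-Object { $_.Name -eq $templateName }
```

If Authenticated Users was already granted Enroll through the GUI, remove that entry with the same Get-Acl / RemoveAccessRule / Set-Acl pattern before relying on this list.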
With the CA side done, switch to LON-SVR2 and open Online Responder Management from the Tools menu in Server Manager.
In the console, right-click "Revocation Configuration" and select "Add Revocation Configuration".
In the Add Revocation Configuration wizard, enter a name for the revocation configuration, here "ADATUMCA Online Responder".
On the Select CA Certificate Location page, because this lab is an AD domain environment, keep the default first option, "Select a certificate for an existing enterprise CA", and click Next.
On the Choose CA Certificate page, click Browse, select the ADATUM-IssuingCA certificate, and click Next.
On the Select Signing Certificate page, keep the default settings (automatically select a signing certificate, and auto-enroll it from the OCSP Response Signing template published earlier) and click Next. This is the step that consumes the Enroll permission granted on the template: the responder's computer account requests an OCSP Response Signing certificate from ADATUM-IssuingCA.
On the Revocation Provider page, keep the CRL locations the wizard read from the CA certificate's CDP extension and click Finish; the wizard then creates the revocation configuration.
When the wizard finishes, the right pane of the Online Responder Management console shows the status of the ADATUMCA Online Responder revocation configuration. A status of "Working" means the responder obtained its signing certificate and is ready to answer status requests for certificates issued by ADATUM-IssuingCA; any other status almost always traces back to the template permission or the template not being published on the CA.
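The revocation configuration the wizard builds above, created through the Online Responder's COM administration interface (CertAdm.OCSPAdmin) and followed by an end-to-end check with certutil, as an added example that is not part of the original post. It runs in an elevated PowerShell session on LON-SVR2. The host, CA name and configuration name are this lab's; the domain name adatum.com and the CRL URL are assumptions and must match the CDP your CA actually publishes.

```powershell
# Added example (not from the original post): script equivalent of the
# Add Revocation Configuration wizard, run in an elevated PowerShell on LON-SVR2.
$configName   = 'ADATUMCA Online Responder'
$caConfig     = 'LON-DC1.adatum.com\ADATUM-IssuingCA'                      # <CA host>\<CA name> (domain assumed)
$baseCrlUrls  = @('http://LON-DC1.adatum.com/CertEnroll/ADATUM-IssuingCA.crl')  # assumed CDP URL
$templateName = 'OCSPResponseSignature'                                    # OCSP Response Signing

# "Select a certificate for an existing enterprise CA": the issuing CA's
# certificate is already in the machine's Intermediate CA store on a domain member.
$caCert = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like 'CN=ADATUM-IssuingCA*' } | Select-Object -First 1
if (-not $caCert) { throw 'ADATUM-IssuingCA certificate not found in the Intermediate CA store' }

$ocsp = New-Object -ComObject CertAdm.OCSPAdmin
$ocsp.GetConfiguration($env:COMPUTERNAME, $true)
$cfg = $ocsp.OCSPCAConfigurationCollection.CreateCAConfiguration($configName, $caCert.RawData)

$cfg.CAConfig                   = $caConfig
$cfg.SigningCertificateTemplate = $templateName
$cfg.HashAlgorithm              = 'SHA256'
$cfg.ProviderCSPName            = 'Microsoft Software Key Storage Provider'
# OCSP_SF_* signing flags matching the wizard's defaults on the Signing Certificate page:
#   0x004 allow automatic renewal of the signing certificate
#   0x010 automatically discover the signing certificate
#   0x080 identify the responder by name in responses
#   0x200 auto-enroll the signing certificate from the template above
$cfg.SigningFlags = 0x004 -bor 0x010 -bor 0x080 -bor 0x200

# Revocation provider: the CRL the responder itself downloads and answers from.
$props = New-Object -ComObject CertAdm.OCSPPropertyCollection
[void]$props.CreateProperty('BaseCrlUrls', $baseCrlUrls)
[void]$props.CreateProperty('RevocationErrorCode', 0)
$cfg.ProviderProperties = $props.GetAllProperties()

$ocsp.SetConfiguration($env:COMPUTERNAME, $true)
"Revocation configuration '$configName' written; check its status in Online Responder Management"

# End-to-end check: take a certificate issued by the CA *after* the AIA change
# and let certutil follow its OCSP pointer. A healthy setup prints a
# 'Verified "OCSP"' line; 'Failed "OCSP"' means the responder did not answer, and
# no OCSP line at all means the certificate predates the AIA change.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like 'CN=ADATUM-IssuingCA*' } | Select-Object -First 1
if ($leaf) {
    $tmp = Join-Path -Path $env:TEMP -ChildPath 'ocsp-check.cer'
    [IO.File]::WriteAllBytes($tmp, $leaf.RawData)     # DER export, public part only
    certutil -verify -urlfetch $tmp | Select-String -Pattern 'OCSP'
}
```

The certutil check is worth keeping as a routine test: it exercises the whole path (AIA pointer in the certificate, IIS on LON-SVR2, the responder's signing certificate and the CRL it answers from), which the console's "Working" status only partly covers.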
This article is from the "Dry Sea Sponge" blog; please keep this source: http://thefallenheaven.blog.51cto.com/450907/1620091
Windows AD Certificate Services Family---Certificate publishing and Revocation (4)