XP and W2k3 Clients are by default unable to enroll from W2k12 CA servers

RPC Packet-level Authentication is turned on by default in Windows Server 2012 CAs.
It can also be turned on in Windows Server 2008 and later, but it defaults to off there.

When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT, as described in MSDN article Authentication-Level Constants (http://msdn.microsoft.com/library/aa373553.aspx).

On Windows Server 2008 R2 and earlier versions, this setting is not enabled by default on the CA. On a Windows Server 2012 CA, this enhanced security setting is enabled by default.

What value does this change add?

The CA enforces enhanced security in the requests that are sent to it. This higher security level requires that the packets requesting a certificate are encrypted, so they cannot be intercepted and read.

Without this setting enabled, anyone with access to the network can read packets sent to and from the CA using a network analyzer. This means that information could be exposed that might be considered a privacy violation, such as the names of requesting users or machines, the types of certificates for which they are enrolling, the public keys involved, and so on. Within a forest or domain, leaking these data may not be a concern for most organizations. However, if attackers gain access to the network traffic, internal company structure and activity could be gleaned, which could be used for more targeted social engineering or phishing attacks.

The commands to enable the enhanced security level of RPC_C_AUTHN_LEVEL_PKT on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 certification authorities are:

  1. certutil -setreg CAInterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
  2. Restart the certification authority:
     net stop certsvc
     net start certsvc

If you still have Windows XP client computers that need to request certificates from a CA that has the setting enabled, you have two options:

  1. Upgrade the Windows XP clients to a newer operating system.
  2. Lower the security of the CA by running the following commands:

    To lower CA security for compatibility with Windows XP clients:
    1. certutil -setreg CAInterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
    2. net stop certsvc
    3. net start certsvc

What works differently?

Windows XP clients will not be compatible with this higher security setting enabled by default on a Windows Server 2012 CA. If necessary, you can lower the security setting as previously described.
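To check where a given CA stands before deciding whether to change the setting, the following PowerShell audit script is an added example (not part of the original post). It reads CAInterfaceFlags from the CertSvc registry configuration on the CA itself and tests the IF_ENFORCEENCRYPTICERTREQUEST bit (0x200 in certsrv.h); it assumes it runs locally on the CA with read access to that key, and the function names are my own.

```powershell
# Added example: audit whether this CA enforces encrypted RPC certificate
# requests (IF_ENFORCEENCRYPTICERTREQUEST), the setting that blocks Windows XP
# and Windows Server 2003 clients from enrolling. Read-only; changes nothing.
# Assumption: run locally on the CA with read access to the CertSvc key.

# Bit value of IF_ENFORCEENCRYPTICERTREQUEST in the CAInterfaceFlags DWORD
# (interface-flag constant from certsrv.h).
$IF_ENFORCEENCRYPTICERTREQUEST = 0x200

function Get-CAInterfaceFlags {
    # The 'Active' value under Configuration names the CA whose subkey holds
    # the effective settings; CAInterfaceFlags lives in that subkey.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $caKey  = Join-Path -Path $cfg -ChildPath $caName
    $flags  = (Get-ItemProperty -Path $caKey -Name CAInterfaceFlags).CAInterfaceFlags
    [pscustomobject]@{ CAName = $caName; CAInterfaceFlags = [int]$flags }
}

function Test-EncryptedRequestsEnforced {
    # Returns $true when the enforce-encryption bit is set in the flags value.
    param([Parameter(Mandatory)][int]$Flags)
    return (($Flags -band $IF_ENFORCEENCRYPTICERTREQUEST) -ne 0)
}

$ca       = Get-CAInterfaceFlags
$enforced = Test-EncryptedRequestsEnforced -Flags $ca.CAInterfaceFlags

'CA "{0}": CAInterfaceFlags = 0x{1:X}' -f $ca.CAName, $ca.CAInterfaceFlags
if ($enforced) {
    'Encrypted RPC certificate requests are enforced (RPC_C_AUTHN_LEVEL_PKT).'
    'Windows XP / Server 2003 clients will fail to enroll against this CA.'
} else {
    'Encrypted RPC certificate requests are NOT enforced; request contents'
    'are readable on the wire. To enable, run:'
    '  certutil -setreg CAInterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST'
    'and then restart certsvc (net stop certsvc; net start certsvc).'
}
```

Run it on each CA before and after changing the flag so the resulting state is recorded, and note that a CA left with the bit cleared for XP compatibility still transmits request details unencrypted.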


Further details:

Authentication-Level Constants


Comments (1)

  1. Nice and informative. Thanks