Having Problems Deploying the Certificates for Native Mode with a Windows Server 2008 CA?

A number of customers have been having problems deploying the native mode certificates with Active Directory Certificate Services in Windows Server 2008, not least because the Web enrollment pages no longer allow you to request a certificate for the local computer store. The same issue applies if you’ve installed KB 922706 on a Windows Server 2003 CA, in order to update the Web enrollment pages for Windows Vista clients and Windows Server 2008 clients.

I’ve also recently heard from the forums that the new Windows Server 2008 v3 certificate templates seem to cause problems with native mode, and I’ve reproduced this myself. For example, if you deploy a site server signing certificate with a v3 template, the validation for the certificate succeeds on the Site Mode tab, but SMS_POLICY_PROVIDER returns error status message 5115 when it tries to sign the policies instead of the success status message 5116. I also haven’t had any success with v3 templates for site systems running on Windows Server 2008, or clients running Vista or Windows Server 2008.

I’ve flagged the v3 certificate template issue for the product group to look into, but in the meantime I’ve been running multiple test migrations for native mode, using certificates deployed with Windows Server 2008 Active Directory Certificate Services and an enterprise CA with templates. I think I’ve now got a reliable, repeatable procedure by using Certreq to request the site server signing certificate, and always choosing the default selection of “Windows 2003 Server, Enterprise Edition” when duplicating the templates. I can’t honestly say that I’m a fan of using the command-line utility Certreq, but I’ve made my peace with it by opting for the simplest possible usage.

Update July 8th 2008: It has now been confirmed by the product group that Configuration Manager does not support certificates that are created with the new version 3 templates that are provided with Windows Server 2008. Certificates that are created with these templates use CNG crypto service providers, which are not supported by the product (and are not compatible with Windows XP and Windows Server 2003). This means that if you are creating certificates for native mode or out of band management, and you are using certificate templates with a Windows Server 2008 CA, use version 2 or version 1 templates. The product documentation will be updated with this information for R2.
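The practical check for the problem described above is whether a certificate’s private key is held by a legacy crypto service provider (CSP) or by a CNG key storage provider. The following is an added example, not part of the original post; it assumes Windows PowerShell 5.1 (.NET Framework 4.6 or later) run elevated on the site server, and inspects the local computer’s Personal store (`Cert:\LocalMachine\My`, an assumption; adjust the path for other stores).

```powershell
# Added example: report, for every certificate with a private key in the local
# computer Personal store, whether the key is CSP-backed (usable for native mode)
# or held by a CNG key storage provider (what the Windows Server 2008 v3
# templates produce, which Configuration Manager does not support).
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6+, run elevated.

function Get-NativeModeCertKeyType {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumption: Personal store
    )

    # OIDs of the certificate template extensions: v1 template name, v2+ template info
    $templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert    = $_
        $keyType = 'Unknown'
        try {
            # GetRSAPrivateKey returns RSACryptoServiceProvider for CSP-backed keys
            # and RSACng for keys held by a CNG key storage provider. Non-RSA keys
            # (or keys this account cannot open) leave the type as Unknown.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($key -is [System.Security.Cryptography.RSACng]) {
                $keyType = 'CNG'
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $keyType = 'CSP'
            }
        } catch {
            # Access denied or unsupported key; reported as Unknown below.
        }

        # Decode the template extension so the offending template can be identified
        $templateExt = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
        $template = if ($templateExt) { $templateExt.Format($false) } else { '(no template extension)' }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            Template     = $template
            KeyType      = $keyType
            NativeModeOk = ($keyType -eq 'CSP')
        }
    }
}

Get-NativeModeCertKeyType | Format-Table -AutoSize
```

Any row showing `KeyType = CNG` was issued from a CNG-based (v3) template and should be re-requested from a v1 or v2 template before it is used for native mode or out of band management.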

I was going to write up the instructions in the blog, but actually found it easier to modify the existing step-by-step. This new version assumes that the site server is on a member server running Windows Server 2008, but the steps are close enough to follow if the site server is on Windows Server 2003, or if the CA is running Windows Server 2003 with KB 922706. Most differences are simply down to minor UI navigation differences between the two operating systems – for example, how to load the Certificates snap-in is slightly different on the later operating system platforms, and the steps to install the Web server certificate are for IIS 7 rather than IIS 6 (the latter is covered in the original step-by-step topic).

The client in the new step-by-step is Windows Vista, but I’ve also confirmed that it works on Windows XP, and on servers running Windows Server 2003 or Windows Server 2008. I switched from using the Computer certificate template to the Workstation Authentication certificate template (this has just the client authentication capability instead of both client authentication and server authentication), and used autoenrollment with Group Policy rather than the Automatic Certificate Setup Request method with Group Policy. This is the preferred deployment method for XP clients and later. It also uses a SAN extension with the DNS name. If you want to use the same client certificate for applications other than Configuration Manager, and they do not support the use of the SAN extension, you will have to modify the template to create a Subject name instead.

I won’t be able to publish this new topic until R2 releases, so if you would like a draft version to help you deploy the native mode certificates using Windows Server 2008 Active Directory Certificate Services (and also help me to test drive the instructions), send me an email via SMSDocs@Microsoft.com.


Update September 3rd 2008: The step-by-step instructions for a Windows Server 2008 CA are now published online: https://technet.microsoft.com/en-us/library/cc872789.aspx. Thank you to everybody who requested the draft version and followed up with me to confirm that the instructions worked! The documentation is also updated with information that the v3 certificate templates are not compatible with Configuration Manager, and the instructions for deploying the Web server certificate have been updated for IIS 7.0.

- Carol

This posting is provided AS IS with no warranties and confers no rights.