FreddyHARTONO (Posts: 19) | 07/17/2007 6:41 AM
Hi guys,

Has anyone extended their schema to support credential roaming in their environment yet? It seems rather cryptic that you need to get this cmd file from PSS and so on...
http://www.microsoft.com/technet/security/guidance/cryptographyetc/client-credential-roaming/how-to-configure-roaming.mspx
Any gotchas or things to look for, apart from bloating your DIT with this certificate storage? Thanks!

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Infrastructure Services Lead
International SOS Pte Ltd
mail/sip: freddy.hartono@internationalsos.com
phone: (+65) 6330-9785
dloder (Posts: 134) | 07/17/2007 9:18 AM
We've explicitly decided to skip the out-of-band schema extension for credential roaming after discovering the extension has conflicts with the schema as defined in W2K8 (B2 and B3). ms-PKI-RoamingTimeStamp.isSingleValued is false in the out-of-band release, but true in the current W2K8 B3.

While our TAM assures us that MS will support either value for that field in the schema extension, we decided to wait for the official W2K8 schema to avoid the chance of MS later coming back and changing their mind and only supporting the W2K8 definition (since 99% of the population probably doesn't even know about the out-of-band release, much less implemented it).

In the future, having to defunct one of the base W2K8 schema attributes and define a replacement attribute just to be able to create a new test environment that mirrors a production schema doesn't sound like a good position to be in.

BTW, once you follow all the links, you can eventually get to http://technet2.microsoft.com/WindowsServer/en/Library/2205530f-fa9a-4f2c-a0f0-5bea36dc57471033.mspx?mfr=true, which includes the out-of-band schema definition. You only really need PSS to get the XP hotfix, unless you've got access to Premier and can pull it down yourself.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
FreddyHARTONO (Posts: 19) | 07/18/2007 9:20 AM
Hi David,

Thanks for the info! Hm, if it does cause schema conflicts, that's definitely something I'd like to avoid, as I consider this a good-to-have feature instead of a must-have...
But if it's conflicting as below, are you able to modify it yourself to the value of the 2008?

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Infrastructure Services Lead
International SOS Pte Ltd
mail/sip: freddy.hartono@internationalsos.com
phone: (+65) 6330-9785

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of David Loder
Sent: Tuesday, July 17, 2007 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [Slight OT] Credentials Roaming and schema extension
dloder (Posts: 134) | 07/18/2007 11:16 AM
Of course you can define whatever values you want for a schema definition. That just moves you into the "unsupported" arena. We were told they wouldn't be re-testing the out-of-band schema definition with the W2K8 values, but that either definition would be supported as-is.

Since isSingleValued can't be updated once it's in place (attribute has to be defuncted and recreated), we decided it was safer to wait for W2K8 RTM and roll that schema, even though our PKI team is itching to get credential roaming rolled out. I just hope RTM still happens as expected around November, and doesn't slip closer to the launch party in February.
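As an added example (not from the thread and not Microsoft's tooling), a pre-flight check for the kind of conflict David describes: parse an LDIF export of the current schema partition and the proposed extension file, and flag every attribute that already exists whose isSingleValued value would differ, since that property cannot be changed in place. The two LDIF fragments are constructed sample data, and ms-PKI-ExampleNewAttr is a placeholder name.

```python
import re

# Constructed sample: a trimmed export of the live schema (W2K8-style definition, isSingleValued
# TRUE) and the proposed out-of-band extension (isSingleValued FALSE, as reported in the thread).
CURRENT_SCHEMA_LDIF = """\
dn: CN=ms-PKI-RoamingTimeStamp,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: ms-PKI-RoamingTimeStamp
isSingleValued: TRUE
"""
PROPOSED_EXTENSION_LDIF = """\
dn: CN=ms-PKI-RoamingTimeStamp,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
lDAPDisplayName: ms-PKI-RoamingTimeStamp
isSingleValued: FALSE

dn: CN=ms-PKI-ExampleNewAttr,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
lDAPDisplayName: ms-PKI-ExampleNewAttr
isSingleValued: TRUE
"""

def parse_ldif(text: str) -> dict:
    """Map lower-cased lDAPDisplayName -> {lower-cased attribute: [values]} for attributeSchema records."""
    records = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        folded = re.sub(r"\n ", "", block)  # LDIF continuation lines start with a space
        entry = {}
        for line in folded.splitlines():
            m = re.match(r"^([A-Za-z][\w-]*): (.*)$", line)  # '::' base64 lines are skipped
            if m:
                entry.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "attributeschema" in classes and "ldapdisplayname" in entry:
            records[entry["ldapdisplayname"][0].lower()] = entry
    return records

def find_conflicts(current: dict, proposed: dict) -> list:
    """(attribute, live isSingleValued, proposed isSingleValued) for existing attributes that differ."""
    conflicts = []
    for name, new_entry in proposed.items():
        live = current.get(name)
        if live is None:
            continue  # brand-new attribute: it will simply be created, nothing to reconcile
        cur_sv = live.get("issinglevalued", ["?"])[0].upper()
        new_sv = new_entry.get("issinglevalued", ["?"])[0].upper()
        if cur_sv != new_sv:  # immutable once set: defunct and recreate is the only way out
            conflicts.append((new_entry["ldapdisplayname"][0], cur_sv, new_sv))
    return conflicts
```

Run it against a real export before applying the extension; any hit means the LDIF would either fail or leave you with a definition you cannot later reconcile with the RTM schema.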