favvojohan | Posts: 21 | 07/05/2010 1:53 PM
Hi,
My goal is to create a global Recovery Agent for EFS and BitLocker (to be used as a last way out). I want to store the Recovery Agent certificate on a smart card and point that certificate out in a GPO high up in the structure. The smart card should then be locked in a safe. I have three questions:
1. How can I make the template understand that the smart card should generate the keys?
2. If I select Manager Approval, how can I then fetch the issued certificate?
3. If I check "Publish certificate in Active Directory", will this be a security problem, or is it only the public key that is stored? If it is the public part only, then I don’t need the smart card when pointing out the certificates as Recovery Agents…
Thank you in advance!
Best Regards Johan Peterson
___ Johan Peterson IT-Architect Linköping University | LiU-IT http://www.liu.se
favvojohan | Posts: 21 | 07/12/2010 11:13 PM
No one?
Please ask me if I’m unclear at any point…
Thanks!
/Johan
chriss3 | Posts: 19 | 07/13/2010 9:55 AM
1. In the template, choose the CSP that the smart card uses and it will generate the key pair.
2. If you’re using/have auto enrollment for the particular template, the request will first be sent to the CA for approval; once approved, the end user has to confirm enrollment with the PIN.
3. Only the public key will be stored in AD DS (even if you use key archiving, the private key doesn’t go into AD DS but rather into AD CS’s own DB); also note that if the keys are generated on the SC, key archiving isn’t possible. So if that SC is failing for some reason you’re toasted, so I recommend having at least two DRAs on two different SCs. (There are a few exceptions to this, if you use CLM for example, which generates the keys outside of the SC and then inserts the keys on the SC.)
Enfo Zipper Christoffer Andersson – Principal Advisor Microsoft MVP – Directory Services
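The answer above turns on a handful of template settings (the CSP list, CA manager approval, "Prompt the user during enrollment", publishing to AD, and key archival). The following PowerShell is an added example, not code from the thread or from Microsoft: it reads a certificate template straight from the Configuration naming context and decodes those settings, then flags the combinations the thread warns about. It assumes a domain-joined host with read access to the templates container; `$TemplateName` is a placeholder and must be the template's CN (the template name, not its display name).

```powershell
# Added example; not code from the thread. Decodes the template settings discussed above.
# $TemplateName is a placeholder: use the template's CN, not its display name.
$TemplateName = 'RecoveryAgentSmartCard'

# Bit values of msPKI-Enrollment-Flag and msPKI-Private-Key-Flag (documented in MS-CRTD).
$EnrollmentFlags = @{
    0x2   = 'PEND_ALL_REQUESTS: CA certificate manager approval'
    0x8   = 'PUBLISH_TO_DS: publish certificate in Active Directory'
    0x10  = 'AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE: do not re-enroll if a duplicate exists in AD'
    0x20  = 'AUTO_ENROLLMENT'
    0x100 = 'USER_INTERACTION_REQUIRED: prompt the user during enrollment'
}
$PrivateKeyFlags = @{
    0x1  = 'REQUIRE_PRIVATE_KEY_ARCHIVAL'
    0x10 = 'EXPORTABLE_KEY'
    0x20 = 'STRONG_KEY_PROTECTION_REQUIRED'
}

function Get-SetFlags([int]$Value, [hashtable]$Table) {
    # Returns the description of every bit in $Table that is set in $Value.
    $Table.Keys | Sort-Object | Where-Object { ($Value -band $_) -ne 0 } | ForEach-Object { $Table[$_] }
}

function Get-TemplateReport([string]$Name) {
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $template = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    try { $null = $template.distinguishedName } catch { throw "Template '$Name' not found under $configNC" }

    $enroll = [int]$template.Properties['msPKI-Enrollment-Flag'].Value
    $pkf    = [int]$template.Properties['msPKI-Private-Key-Flag'].Value
    # Each pKIDefaultCSPs value is "<order>,<provider name>", e.g. "1,Microsoft Base Smart Card Crypto Provider"
    $csps   = @($template.Properties['pKIDefaultCSPs']) | ForEach-Object { ($_ -split ',', 2)[1] }

    [pscustomobject]@{
        Template        = $Name
        Providers       = $csps
        EnrollmentFlags = @(Get-SetFlags $enroll $EnrollmentFlags)
        PrivateKeyFlags = @(Get-SetFlags $pkf $PrivateKeyFlags)
        SmartCardKeys   = [bool]($csps | Where-Object { $_ -match 'Smart Card' })
        ManagerApproval = [bool]($enroll -band 0x2)
        PromptUser      = [bool]($enroll -band 0x100)
        KeyArchival     = [bool]($pkf -band 0x1)
    }
}

$report = Get-TemplateReport $TemplateName
$report

# The checks below encode what the thread establishes.
if (-not $report.PromptUser) {
    Write-Warning 'Without "Prompt the user during enrollment" the smart card CSP is not offered for the template (Johan hit exactly this).'
}
if (-not $report.SmartCardKeys) {
    Write-Warning 'No smart card CSP in pKIDefaultCSPs: the key pair will be generated in software, not on the card.'
}
if ($report.SmartCardKeys -and $report.KeyArchival) {
    Write-Warning 'Key archival is required but keys are generated on the card; archival cannot work with card-generated keys, so plan a second DRA on a second card instead.'
}
```

The report reads the attributes that the Certificate Templates console edits through its check boxes, so it is a quick way to confirm, without opening the console, that a template meant for a safe-locked DRA card really pends all requests, prompts for the card PIN, and does not silently demand archival of a key the card will never release.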
favvojohan | Posts: 21 | 07/13/2010 10:16 PM
Hi Christoffer,
Thank you for answering! Btw, hope you like your new job
1. Ok, I thought I did that, but let me double-check it! Could the recovery-agent template require another CSP?
2. Well, that’s the problem. If I make the enrollment and the request is put in Pending, when I approve it the cert will end up in issued certificates. Then I could move it manually (if I have to), but then what? Can I use certutil to import it into the smartcard?
3. > …two DRAs at two different SCs.
That’s a good point!! Thanks!
> Only the public key will be stored in ADDS
Ok, so that means that it actually could be a good idea to store the keys for the RA in the ADDS on a specific Recovery User?!
/Johan Peterson
chriss3 | Posts: 19 | 07/14/2010 7:52 AM
Np, yes thanks, I like my new job a lot ☺
1. Nope
2. No, if you’re using autoenrollment you don’t have to do that; once you have approved the request it’s available for auto enrollment and will be available for the user (the user is notified with a balloon dialog in the systray) to complete the enrollment to the SC (the user has to do this before the request expires; the default is set to one year if I recall correctly). Make sure you specify “Prompt user during enrollment” in your template.
3. It depends. If you’re using Credential Roaming there is no need to store the public key in AD DS for DRAs as far as I know; the benefit otherwise is that if you log on to a machine not using the SC, autoenrollment is going to ask you to enroll that very same certificate template to the SC again. You can prevent this by storing the public key in AD DS and enabling "Do not enroll if duplicate exists in Active Directory", but again, if you’re using Credential Roaming you already have this benefit and you can save some space in the AD DS NTDS.dit by not enabling both options ☺ Also, if you’re always going to log on with the SC for your DRA users it probably doesn’t matter.
Enfo Zipper Christoffer Andersson – Principal Advisor Microsoft MVP – Directory Services
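Two points from the exchange above are worth verifying rather than trusting: that what AD DS holds for the DRA account is public material only, and that the private key behind the published certificate actually lives on the card. The PowerShell below is an added example, not code from the thread: it decodes the `userCertificate` values on the DRA account (checking for the EFS File Recovery EKU, OID 1.3.6.1.4.1.311.10.3.4.1) and then, for the same certificates in the current user's store, reports which CSP holds the key and whether it is a removable hardware device. Run it as the DRA user with the card inserted, since reading the key container can prompt for the PIN; `$DraSam` is a placeholder account name.

```powershell
# Added example; not code from the thread. Verifies the two claims discussed above.
# $DraSam is a placeholder account name.
$DraSam         = 'svc-efs-dra'
$EfsRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" EKU carried by EFS DRA certificates

function Get-PublishedDraCertificates([string]$SamAccountName) {
    # Reads the userCertificate attribute (DER blobs) from the account object in AD DS.
    $searcher = [adsisearcher]"(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    $null = $searcher.PropertiesToLoad.Add('userCertificate')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found" }
    foreach ($der in $result.Properties['usercertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
        $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            IsEfsRecovery = ($ekus -contains $EfsRecoveryEku)
            HasPrivateKey = $cert.HasPrivateKey   # a DER blob from the directory never carries a private key
        }
    }
}

function Test-DraKeyOnSmartCard([string[]]$Thumbprints) {
    # For the matching certificates in the user's store, inspect the key container.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $Thumbprints -contains $_.Thumbprint } |
        ForEach-Object {
            # CspKeyContainerInfo is available for CSP (CAPI) keys such as the Base Smart Card CSP;
            # PrivateKey is $null for CNG keys, which this check reports as Unknown.
            $info = if ($_.HasPrivateKey -and $_.PrivateKey) { $_.PrivateKey.CspKeyContainerInfo } else { $null }
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Provider   = if ($info) { $info.ProviderName } else { 'Unknown (CNG or no key)' }
                OnHardware = if ($info) { $info.HardwareDevice -and $info.Removable } else { $null }
                Exportable = if ($info) { $info.Exportable } else { $null }
            }
        }
}

$published = Get-PublishedDraCertificates $DraSam
$published | Format-Table -AutoSize

$published | Where-Object { -not $_.IsEfsRecovery } |
    ForEach-Object { Write-Warning "Published cert $($_.Thumbprint) lacks the File Recovery EKU" }

Test-DraKeyOnSmartCard ($published | Where-Object IsEfsRecovery | ForEach-Object Thumbprint) | Format-Table -AutoSize
```

`HasPrivateKey` is always false for the directory copies, which is the point Christoffer makes: publishing to AD DS exposes nothing that the GPO does not already hand out when the certificate is designated as a recovery agent. The second table is the part that actually protects the "card in a safe" design: a DRA key whose `Provider` is a software CSP or whose `Exportable` is true can be copied off the card's owner workstation, and the safe then protects nothing.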
favvojohan | Posts: 21 | 07/14/2010 8:47 AM
Hi,
1. I looked at it this morning and the reason I didn’t see MS Base Smart Card Crypto Provider was that I missed selecting “Prompt user during enrollment”…
2. Because of this being a template for a top recovery agent it will only be used manually, no autoenrollment. To have it as secure as possible (I’m creating one template for EFS-, Bitlocker- and Key Recovery Agent) I wanted to see if I could check the CA certificate manager approval, therefore my question. But maybe it’s better to keep it simple and use the three different templates and create one cert per agent…
3. Ok. In this case the DRA User will only logon with SC but I’ll keep it in mind for other use…
Thanks
/Johan
chriss3 | Posts: 19 | 07/14/2010 9:06 AM
2. It’s available for manual enrollment as well (the end user, in this case the DA, has to do this manually) if you aren’t up for playing with “enroll on behalf” with restricted enrollment agents. However, keep in mind that autoenrollment has some benefits when it comes to certificate renewal.
/C
Enfo Zipper Christoffer Andersson – Principal Advisor Microsoft MVP – Directory Services
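Johan's open question is how the issued certificate gets back onto the card when the template requires CA certificate manager approval and autoenrollment is not used. The PowerShell below is an added example, not code from the thread, and walks the manual path with the built-in `certreq.exe` and `certutil.exe`: the request is generated with the Base Smart Card CSP so the key pair is created on the card, the CA pends it, a certificate manager issues it, and `certreq -retrieve` / `certreq -accept` bind the issued certificate to the key on the card. `$CaConfig`, `$TemplateName` and `$Subject` are placeholders. Steps 1, 2 and 4 run as the DRA user with the card inserted; step 3 is run by a CA certificate manager.

```powershell
# Added example; not code from the thread. Manual pended enrollment to a smart card.
$CaConfig     = 'ca01.corp.example\Corp Issuing CA'          # placeholder: "CAHost\CA common name"
$TemplateName = 'RecoveryAgentSmartCard'                     # placeholder: template name (CN)
$Subject      = 'CN=EFS Recovery Agent,OU=IT,DC=corp,DC=example'   # placeholder
$Work         = Join-Path $env:TEMP 'dra-enroll'
$null = New-Item -ItemType Directory -Force -Path $Work

function New-DraRequest {
    # Step 1: ProviderName pins key generation to the card; the CSP prompts for the PIN.
    @"
[NewRequest]
Subject = "$Subject"
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
[RequestAttributes]
CertificateTemplate = $TemplateName
"@ | Set-Content -Path "$Work\dra.inf" -Encoding ASCII
    certreq -new "$Work\dra.inf" "$Work\dra.req"
}

function Submit-DraRequest {
    # Step 2: with manager approval the CA answers "Taken Under Submission" and prints the RequestId.
    $out = certreq -submit -config $CaConfig "$Work\dra.req" "$Work\dra.cer" 2>&1
    $out | Write-Host
    $m = $out | Select-String -Pattern 'RequestId:\s*(\d+)' | Select-Object -First 1
    if (-not $m) { throw 'No RequestId in certreq output; check the CA configuration string and template permissions.' }
    [int]$m.Matches[0].Groups[1].Value
}

function Approve-DraRequest([int]$RequestId) {
    # Step 3 (CA certificate manager): look at the pending request, then issue it.
    certutil -config $CaConfig -view -restrict "RequestId=$RequestId" -out "RequestId,RequesterName,CertificateTemplate"
    certutil -config $CaConfig -resubmit $RequestId
}

function Complete-DraEnrollment([int]$RequestId) {
    # Step 4: fetch the issued certificate and accept it. certreq matches it to the pending
    # request in the user's REQUEST store, and the Base CSP writes the certificate to the card.
    certreq -retrieve -config $CaConfig $RequestId "$Work\dra.cer"
    certreq -accept "$Work\dra.cer"
    certutil -scinfo      # lists the card's certificates; the new one should now appear
}

# Usage, in order:
#   New-DraRequest
#   $id = Submit-DraRequest
#   Approve-DraRequest $id        # as CA certificate manager, on the CA or an admin workstation
#   Complete-DraEnrollment $id
```

The split into four functions mirrors the separation of duties the thread is after: the person holding the card never needs CA manager rights, and the certificate manager never touches the card. Because the key never leaves the card and `Exportable = FALSE`, there is nothing to move "manually" in the sense Johan asked about; the only artefact that travels is the issued public certificate, which `certreq -accept` pairs with the key already on the card.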