
Microsoft windows certificateservicesclient autoenrollment

Configure certificate auto-enrollment

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

Before you perform this procedure, you must configure a server certificate template by using the Certificate Templates Microsoft Management Console snap-in on a CA that is running AD CS. Membership in both the Enterprise Admins and the root domain’s Domain Admins group is the minimum required to complete this procedure.

Configure server certificate auto-enrollment

On the computer where AD DS is installed, open Windows PowerShell®, type mmc, and then press ENTER. The Microsoft Management Console opens.

On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

In Available snap-ins, scroll down to and double-click Group Policy Management Editor. The Select Group Policy Object dialog box opens.

Ensure that you select Group Policy Management Editor and not Group Policy Management. If you select Group Policy Management, your configuration using these instructions will fail and a server certificate will not be autoenrolled to your NPSs.

In Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.

In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.

Click Finish, and then click OK.

Double-click Default Domain Policy. In the console, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, and then Public Key Policies.

Click Public Key Policies. In the details pane, double-click Certificate Services Client – Auto-Enrollment. The Properties dialog box opens. Configure the following items, and then click OK:

  1. In Configuration Model, select Enabled.
  2. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
  3. Select the Update certificates that use certificate templates check box.

Click OK.

Configure user certificate auto-enrollment

On the computer where AD DS is installed, open Windows PowerShell®, type mmc, and then press ENTER. The Microsoft Management Console opens.

On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

In Available snap-ins, scroll down to and double-click Group Policy Management Editor. The Select Group Policy Object dialog box opens.

Ensure that you select Group Policy Management Editor and not Group Policy Management. If you select Group Policy Management, your configuration using these instructions will fail and a server certificate will not be autoenrolled to your NPSs.

In Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.

In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.

Click Finish, and then click OK.

Double-click Default Domain Policy. In the console, expand the following path: User Configuration, Policies, Windows Settings, Security Settings.

Click Public Key Policies. In the details pane, double-click Certificate Services Client – Auto-Enrollment. The Properties dialog box opens. Configure the following items, and then click OK:

  1. In Configuration Model, select Enabled.
  2. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
  3. Select the Update certificates that use certificate templates check box.

Click OK.
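
To confirm on a client that the computer and user policies configured above were applied, the following added example (not part of the original procedure) reads the value that Group Policy writes for the Certificate Services Client – Auto-Enrollment setting. The registry path, the AEPolicy value name and the decoding of its bits are assumptions taken from general Windows knowledge, not from this page; compare the output with a known-good client.

```powershell
# Added example: check whether the auto-enrollment policy reached this machine.
# Assumption: Group Policy stores the setting as the DWORD "AEPolicy" under
# Policies\Microsoft\Cryptography\AutoEnrollment (HKLM = computer, HKCU = user).
$scopes = [ordered]@{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
}

function Get-AutoEnrollmentState {
    param([string]$Scope, [string]$Path)

    $item = Get-ItemProperty -Path $Path -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No value at all: the GPO has not been applied to this scope yet.
        return [pscustomobject]@{ Scope = $Scope; AEPolicy = $null; State = 'Not configured' }
    }

    $value = [int]$item.AEPolicy
    # Assumed decoding: 0x8000 = Disabled; 7 = Enabled with both check boxes selected.
    if ($value -band 0x8000) {
        $state = 'Disabled'
    } elseif ($value -eq 7) {
        $state = 'Enabled, both check boxes selected'
    } else {
        $state = 'Enabled, but not every check box is selected'
    }

    [pscustomobject]@{ Scope = $Scope; AEPolicy = ('0x{0:X}' -f $value); State = $state }
}

$scopes.GetEnumerator() |
    ForEach-Object { Get-AutoEnrollmentState -Scope $_.Key -Path $_.Value } |
    Format-Table -AutoSize
```

Run `gpupdate /force` first so the client holds the current policy; `certutil -pulse` then triggers an auto-enrollment pass without waiting for the next scheduled one.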

Question

Certificate for local system with Thumbprint f4 51 39 57 e7 c9 36 80 06 e0 11 05 40 fd 51 c6 85 5f b1 71 is about to expire or already expired.

Certificate for local system with Thumbprint 8a b5 24 68 ae 1a fa 8c 1a 60 63 14 b3 48 81 82 3b 6f 97 56 is about to expire or already expired. Is this something I need to fix? What would you suggest?

Answers

This is not a question we can answer for you. You would need to look at that certificate and determine what it is being used for. If it’s not being used or you don’t know why it’s there, then it may be unneeded and nothing needs to be done.

If this is Server 2012 R2 or Windows 8+, you can run certlm.msc and look in Certificates\Personal to see the certificate and determine its purpose.

Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

All replies

Thanks for your reply, Mark, greatly appreciated. I have many other things I need to fix, 15 errors in total and 7 warnings as well, so peace of mind puts my mind at ease a little. Will that command also work on Windows 7, or what is different about 2012 R2 compared to Windows 7? I understand they are different operating systems entirely, since Server 2012 R2 is virtual? Don’t get me wrong, but if that command works on Windows 8 and up as well as Server 2012 R2, then why would it not work on Windows seven, which was made after Server 2012? Unless Windows seven was made before?

That being said, the errors I would like to try to fix on my own before asking for help, as I have a good knowledge now about what I am doing, and if I don’t know I put in the hours to find out before messing around, as I have learnt from past experience: do not wing it, if you don’t know, don’t touch! My next question though: are audit success in the management console a good thing or bad, a bit of both, or nothing to worry about? I’m not too concerned, but I know nothing about that particular area and I would like to know more. Under audit failure I only have 2 in the past 7 days, so is that something to be concerned about or no? What is an audit, what is the difference between audit success and failure, and do they need attention or is it really nothing at all?

Under information I have 184 in the past hour, 724 in the past 24 hours and 6,046 in the past seven days. Should I pay any attention to anything under here at all, or is it safe to just let it be? I’m trying to fix my computer in tip top shape. I had to fix a lot as it had a lot wrong with it. It’s definitely running better now, but any advice I can receive is great advice. 🙂

PS: I know the difference between success and failure; what I don’t know is what the hell audits are?

Question

A certificate is about to or has expired, that’s about the gist of things. I’ve seen this two days in a row now in the Event Viewer; strangely enough the thumbprint is different each day.

54 6f a8 8c 85 2e db fc 5b 60 7e 28 ea e0 73 71 3b c6 e8 7c

However the GUID remains the same : F0DB7EF8-B6F3-4005-9937-FEB77B9E1B43 (not sure if that helps actually)

Now I’ve naturally looked this up before I came here, but I can’t solve it so far.

I’ve run MMC and I’ve looked at every certificate list I can find, but the thumbprint... how do I recognise it?

Every certificate is listed as a normal name, not numbers.

And the only certificate I suspect MIGHT be the culprit is the new XBL certificate, that seems to want an update every single day. (So yesterday it was valid until 21-10, today it says 22-10, which seems highly irregular to me, hence my suspicion.)

But it doesn’t seem to match the thumbprint. Is it literally supposed to say 54 6f etc. etc.? Or is there another way I’m supposed to uncover that?

I’m not a complete “noob” but this is definitely new to me. 😛

Just to be clear, I’m on a normal Windows 10 Home edition that’s been upgraded from Creators Update to, eventually, the Fall Update.

That’s when the “trouble” started, and I’ve already asked on “Microsoft Answers”, but they directed me here. Also I’m Dutch, so excuse my English if I mistakenly mistranslated something, but I think you get what the issue is.

Edit: I’ve also looked in regedit and browsed the systemcertificate folders.

None of the folder names match the GUID or the thumbprint as far as I could tell.

The XBL certificate I mentioned isn’t listed amongst them, so maybe that’s sitting somewhere else in regedit.

Which to me seems more and more the culprit, also considering it’s only been going on since the day after the Fall Update. XBL services are installed since 18-10 according to apps and programs etc.; 19-10 the messages started popping up when I turned on the computer. (I always check Event Viewer when I start it up, especially after big updates.)

Every other certificate I can find is either expired years ago, the “shortest” time ago seems to be stemming from 19-4-2017, but that’s not the one either.

Every other one is either listed as 2018 or well beyond.
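
Both threads above come down to matching the thumbprint in the event text to a certificate in a store, which the certificate snap-ins only show on a certificate's Details tab. The following is an added example, not code from either poster: it pulls thumbprints out of the auto-enrollment events and searches every store for them. The provider name and the English message wording in the regex are assumptions; on a localized system the hand-copied fallback value is used instead.

```powershell
# Added example: map thumbprints reported by auto-enrollment events to certificates.

# Event Viewer prints the thumbprint as spaced lowercase hex; the Cert: drive
# exposes it as 40 uppercase hex characters without spaces.
function ConvertTo-StoreThumbprint {
    param([string]$Text)
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# Assumed provider name (the event source shown in Event Viewer) and message wording.
$provider = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
$pattern  = 'Thumbprint\s+((?:[0-9a-f]{2}\s+){19}[0-9a-f]{2})'

$thumbs = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $provider } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object { if ($_.Message -match $pattern) { ConvertTo-StoreThumbprint $Matches[1] } } |
    Sort-Object -Unique

# Fallback: a thumbprint copied by hand from the event text (value quoted in the thread above).
if (-not $thumbs) {
    $thumbs = @(ConvertTo-StoreThumbprint '54 6f a8 8c 85 2e db fc 5b 60 7e 28 ea e0 73 71 3b c6 e8 7c')
}

# Search every store of both locations, not only Personal.
Get-ChildItem -Path Cert:\LocalMachine, Cert:\CurrentUser -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $thumbs -contains $_.Thumbprint
    } |
    Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '^.*::', '' } },
                  Thumbprint, Subject, Issuer, NotAfter,
                  @{ n = 'Usage'; e = { $_.EnhancedKeyUsageList.FriendlyName -join ', ' } } |
    Format-List
```

No output means the certificate is no longer in any store readable from this session; a thumbprint that changes every day fits a short-lived certificate that is replaced before anyone looks for it.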
