
An environment had two Windows Certificate Authorities, publishing a computer certificate via auto-enrollment for DirectAccess authentication.

  • Customer CA 1
  • Customer CA 2

The certificate authorities' operating systems needed to be upgraded, so two new CAs were created; these had the same name as the previous CAs but with v2 added to the name:

  • Customer CA v2 1
  • Customer CA v2 2

The previous Certificate Authorities were not decommissioned and remain online.

Now when a client applies for an auto-enrolment certificate it seems to randomly get a certificate from the old CA "Customer CA" or the new CA "Customer CA v2".

DirectAccess authentication only works when the certificate is obtained from the old "Customer CA".

Checking the DirectAccess remote access configuration, I can see it is configured to use the old Customer CA, but it appears to only be able to select one certificate.

What are some ways this issue can be remediated?

My thoughts on some options:

1) Is there a way to ensure auto-enrolment occurs from both old CA and new CA, either via group policy or script?

2) Decommission Customer CA 1 & 2. Point DirectAccess to the Customer CA v2 certificate.

3) Allow certificates from Customer CA or Customer CA v2 in DirectAccess, if this is possible. I cannot immediately see how this could be achieved.

4) Redo the upgrade process in a way that ensures both the new and old certificates are trusted by DirectAccess. I am unsure what this process may involve, if it is possible.

Note: I was in no way involved in the CA upgrade process; I am looking at this after the fact.

1 Answer


My solution, which I am not sure was the best solution, was to set up a second DirectAccess server and have both the old and new CA set up.

Doing this takes a bit of work during the initial setup, and would require creating a new group of computers for the new CA. I also created a new certificate template for the new DirectAccess. With the two CAs and DirectAccess servers in place, and separate groups used to select which DirectAccess server applies, the migration happened like this.

  • Old computers were in the old group and worked fine.
  • When I wanted to migrate a computer, I moved it from the old DirectAccess computers group to the new one.
  • The off-network computer would connect to the old server using the old policy config and would evaluate group policy.
    • The group policy told it to get a new cert using the new template which was configured to only be issued from the new CA.
    • The group policy told it to get the new DirectAccess config
    • All the old config would be removed since it no longer applied.

The computer would then reconnect to the new DirectAccess server using the new cert/config.

Zoredache
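As an added example (my own, not code from the question or the answer above), the following PowerShell does the two things the thread turns on: on a client, it shows which CA issued the machine certificate and from which template, which is how you confirm the "random" old/new issuer behaviour; on the CAs, it pins a template so that only the v2 CAs can issue it, which is what the answer's "new template configured to only be issued from the new CA" means in practice. The template name `DAComputerV2` is an assumption, as is the presence of the ADCSAdministration module (Windows Server 2012 or later) on the CAs.

```powershell
# Added example, not part of the original question or answer.
# Assumptions: the new DirectAccess computer template is named 'DAComputerV2'
# (hypothetical); the ADCSAdministration module is installed on the CAs.

# --- 1. On a DirectAccess client: which CA issued the machine cert, from which template?
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

function Get-MachineCertIssuers {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # The template extension is the only reliable way to tell which template a cert came from.
        $tmpl = $cert.Extensions |
            Where-Object { $_.Oid.Value -in $TemplateInfoOid, $TemplateNameOid } |
            ForEach-Object { $_.Format($false) }   # e.g. "Template=DAComputerV2(1.3.6...), Major Version Number=100, ..."
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer        # distinguishes 'Customer CA 1' from 'Customer CA v2 1'
            NotAfter   = $cert.NotAfter
            Template   = ($tmpl -join '; ')
            Thumbprint = $cert.Thumbprint
        }
    } | Where-Object { $_.Template }        # drop certs that were not issued from a template
}
Get-MachineCertIssuers | Format-Table -AutoSize

# --- 2. On each CA: list the templates this CA is allowed to issue.
# A template that appears on both the old and the v2 CAs is exactly what lets
# autoenrollment pick either issuer.
certutil -CATemplates

# --- 3. On the OLD CAs: unpublish the new template so only the v2 CAs can issue it.
# Removing a template from a CA's Certificate Templates folder stops new issuance
# from that CA; certificates already issued are not revoked or otherwise affected.
$NewTemplate = 'DAComputerV2'   # hypothetical template name
Import-Module ADCSAdministration
if (Get-CATemplate | Where-Object { $_.Name -eq $NewTemplate }) {
    Remove-CATemplate -Name $NewTemplate -Force
}
# On the v2 CAs, make sure the same template IS published:
# Add-CATemplate -Name $NewTemplate -Force

# --- 4. On the DirectAccess server: confirm which single IPsec root CA it accepts
# (this is the "only one certificate" selection the question refers to; verify the
# property names against Get-DAServer on your Windows Server version).
Get-DAServer | Select-Object ComputerCertAuthentication, IPsecRootCertificate

# --- 5. On a client after it has been moved to the new group: apply policy and
# trigger autoenrollment now rather than waiting for the scheduled task.
gpupdate /target:computer /force
certutil -pulse
```

The client-side check is worth running before anything else: if a machine holds certificates from both CAs, `Get-MachineCertIssuers` shows both, and the `Template` column tells you whether the old and new certs came from the same template (the root cause of the random issuer) or from the separate templates the answer uses for its migration.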