In fact, they are already constrained by subject types:
- User
- Computer
- Certification Authority
Subject type is primarily used to define some subject-specific settings. For example, if the subject type is CA, then the Basic Constraints extension is enabled by default and cannot be disabled, and the request handling, cryptography and subject name tabs are removed. When using the Certificates MMC snap-in, it filters available templates by subject type. If the snap-in context is set to user, then only templates with SubjectType = User are shown. If the snap-in context is set to computer, then only templates with SubjectType = Computer are shown.
However, this constraint doesn't restrict users from enrolling for any type of template. This is intended behavior, because ADCS supports different enrollment scenarios, such as disconnected environments (where the client does not have direct access to the CA and submits the CSR manually) and E(R)OBO (Enroll/Request On Behalf Of), where an enrollment agent performs certificate enrollment for different subject types. It is by design and cannot be turned off or changed.
What you really should do is assign permissions on templates according to subject type. If it is a user template, then assign Enroll/Autoenroll permissions only to groups that contain user accounts. If it is a computer template, assign permissions only to groups that contain computer accounts. That is, you have to constrain templates using permissions only.
When changing permissions, do not remove Authenticated Users: Read permissions, because it will prevent everyone from enrolling this template.
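
A read-only way to check that template permissions follow subject type, as an added example that is not part of the original answer. It assumes the RSAT ActiveDirectory module and a single-domain forest, reads subject type from the template `flags` bits 0x40 (machine) and 0x80 (CA), and groups CA templates with computer templates, which is a choice of this example.

```powershell
# Added example: list principals holding Enroll/Autoenroll on each template
# and flag those whose accounts do not match the template's subject type.
Import-Module ActiveDirectory

$enrollRights = @(
    [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55',  # Enroll extended right
    [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Autoenroll extended right
)
$CT_FLAG_MACHINE_TYPE = 0x40   # "flags" bit: computer subject type
$CT_FLAG_IS_CA        = 0x80   # "flags" bit: CA subject type
$extRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$configNC = (Get-ADRootDSE).configurationNamingContext
$base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$templates = Get-ADObject -SearchBase $base -SearchScope OneLevel -Filter * `
    -Properties flags, nTSecurityDescriptor

$report = foreach ($tpl in $templates) {
    # Assumption of this example: CA templates are checked like computer templates.
    $isMachine = $tpl.flags -band ($CT_FLAG_MACHINE_TYPE -bor $CT_FLAG_IS_CA)
    $subject = if ($isMachine) { 'computer' } else { 'user' }

    foreach ($ace in $tpl.nTSecurityDescriptor.Access) {
        # Keep Allow ACEs granting Enroll, Autoenroll, or all extended rights.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $extRight) -eq 0) { continue }
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -notin $enrollRights) { continue }

        # Resolve the trustee; well-known SIDs such as Authenticated Users stay unresolved.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $principal = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
        if (-not $principal) {
            $classes = @('unresolved')
        } elseif ($principal.objectClass -eq 'group') {
            $members = Get-ADGroupMember -Identity $principal.DistinguishedName -Recursive
            $classes = @($members.objectClass | Sort-Object -Unique)
        } else {
            $classes = @($principal.objectClass)
        }
        $mismatch = @($classes | Where-Object { $_ -ne $subject })
        [pscustomobject]@{
            Template      = $tpl.Name
            SubjectType   = $subject
            Principal     = $ace.IdentityReference.Value
            MemberClasses = $classes -join ','
            Review        = [bool]$mismatch.Count
        }
    }
}
$report | Sort-Object Template, Principal | Format-Table -AutoSize
```

Rows with `Review = True` are candidates for inspection, not automatic findings: administrative groups and enrollment agents may legitimately hold Enroll on templates of another subject type.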