
I have an AD forest and one CA server. In the certificate template I have "Publish certificate in Active Directory" checkbox checked.

Also in the template, the Subject Name option is set to "Supply in the request". The certificates for all users are requested by a service account holding an Enrollment Agent certificate.

The CN and SAN attributes in the certificate requests match that of the user object in AD DS.

However, once the certificate is issued by the CA, it is getting published to the service account (the requestor) instead of the actual user account.

Refer to the last comment (dated May 17, 2018) in this thread - https://social.technet.microsoft.com/Forums/en-US/7c336ce5-9f7c-4713-9e27-8a59273b3182/how-does-the-ca-perform-this-quotpublish-certificate-in-active-directoryquot?forum=winserversecurity. I'm facing a similar issue.

However, the accepted answer in the above post states the certificate should have been published to the user account and not the service account. But the actual observed behavior is different.

Could somebody please guide me on how to fix this? Thanks.

ramtech
  • 133
  • 4
  • What is the point to publish the certificate in AD? – Crypt32 Aug 20 '20 at 09:39
  • @Crypt32 There are some services that authenticate the users based on these certificates. Authentication fails if it is not published to the right user. – ramtech Aug 20 '20 at 10:30

1 Answer


If it's just not working the way you want it to, you could have the EA publish the certificate to the user account in AD as part of their process. ("Just" script it).

It's a bit less common to see uses for the userCertificate attribute these days (i.e. Publish to Active Directory); it's more common to see use of the certificate itself as the validating item (i.e. the cert says CN=Bazza and was issued by a trusted Issuer; ergo the user is Bazza regardless of presence on the AD user account).

TristanK
  • 9,073
  • 2
  • 28
  • 39
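One way the "just script it" step from the answer could look, added here as an example rather than code from the question or the answer. It assumes the RSAT ActiveDirectory module is available, that the enrollment agent's process has the issued certificate as a .cer file, that the SAN carries the user's UPN, and that the issuing CA's thumbprint is supplied as a placeholder; it publishes to the user named in the certificate, not to the requestor, and refuses certificates that do not chain to that CA.

```powershell
# Added example, not from the original post. Assumptions: RSAT ActiveDirectory module,
# PowerShell 5.1+, a .cer of the issued certificate, UPN present in the SAN.
Import-Module ActiveDirectory

function Publish-IssuedUserCertificate {
    param(
        [Parameter(Mandatory)][string]$CerPath,                   # issued certificate (.cer)
        [Parameter(Mandatory)][string]$ExpectedIssuerThumbprint   # your issuing CA's thumbprint (placeholder)
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$x509.X509Certificate2" $CerPath

    # Only publish certificates that chain to the expected CA; never trust the file's own claims.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # enable Online if CRL/OCSP is reachable from here
    if (-not $chain.Build($cert) -or $chain.ChainElements.Count -lt 2) {
        throw "Certificate $($cert.Thumbprint) does not chain to a trusted CA"
    }
    $issuer = $chain.ChainElements[1].Certificate
    if ($issuer.Thumbprint -ne $ExpectedIssuerThumbprint) {
        throw "Issuer $($issuer.Thumbprint) is not the expected CA"
    }

    # The target account comes from the UPN in the SAN, not from who submitted the request.
    $upn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
    if (-not $upn) { throw "No UPN in the Subject Alternative Name of $($cert.Thumbprint)" }

    $user = Get-ADUser -Filter { UserPrincipalName -eq $upn } -Properties userCertificate
    if (-not $user) { throw "No AD user with UPN $upn" }

    # Idempotent: skip if this exact certificate is already in userCertificate.
    $already = @($user.userCertificate) | Where-Object {
        ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_)).Thumbprint -eq $cert.Thumbprint
    }
    if ($already) {
        Write-Verbose "Certificate $($cert.Thumbprint) already published for $upn"
        return $user
    }

    # -Certificates @{Add=...} appends to userCertificate without disturbing existing entries.
    Set-ADUser -Identity $user -Certificates @{ Add = $cert }
    return (Get-ADUser -Identity $user -Properties userCertificate)
}

# Usage (placeholder values):
# Publish-IssuedUserCertificate -CerPath 'C:\issued\user.cer' -ExpectedIssuerThumbprint '<CA-THUMBPRINT>'
```

The account running this needs write access to userCertificate on the target users only, which is a narrower grant than letting the CA's own publish behaviour decide where the certificate lands.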