Domain Name System (DNS) - Uwe Gradenegger

A policy module to tame them all: Introducing the TameMyCerts Policy Module for the Microsoft Certification Authority.

As a Certification Authority operator, you are (among other things) responsible for the identification of the enrollees and the confirmation of the requested identities. The fact that this task is carried out conscientiously and without error is the central pillar of the trust placed in the certification body. Well-known companies are already failed in this task, even had to file for insolvency as a result of misrepresentations and / or were taken over by the big players in the market sensitive punished.

In many cases, we as (Microsoft) PKI operators in companies (regardless of the associated quality) are able to delegate our task of uniquely identifying an applicant to the Active Directory. In many cases, however, we unfortunately also have to instruct our certification authority(ies) to simply issue everything that is requested.

Configuring the Network Device Enrollment Service (NDES) for use with an alias.

The following describes the steps required to configure the Network Device Enrollment Service (NDES) for use with an alias.

The term alias means that the service is not called with the name of the server on which it is installed, but with a generic name independent of this name. The use of an alias allows the service to be moved to another system at a later time without having to inform all participants of the new address.

Perform functional test for certification authority web registration (CAWE)

After installing and configuring Certificate Authority Web Enrollment (CAWE), it is essential to test the component extensively before releasing it to users. Below are instructions for a detailed functional test.

Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "ERROR_WINHTTP_NAME_NOT_RESOLVED".

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

Certificate Request Processor: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)

Requesting certificates via the Certificate Enrollment Policy Web Service (CEP) fails with error message "Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED".

Assume the following scenario:

A user requests a certificate.
An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
The connection to the CEP fails and the user receives the following error message:

Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED

When calling the Network Device Enrollment Service (NDES) administration web page (certsrv/mscep_admin), one is always prompted to log in.

Assume the following scenario:

An NDES server is configured on the network.
The NDES server is called under a DNS alias.
Despite entering the correct login data, you are always prompted to log in again when you access the NDES administration web page (certsrv/mscep_admin).