|Applies To||RSA Certificate Manager 6.8|
Microsoft Windows Server 2003 SP2
Auto Enrollment Proxy (AEP)
|Issue||Auto Enrollment Proxy incorrectly allows enrollment|
AEP allows windows clients to enroll for certificate templates that they should not be authorized to enroll for.
For example: Web Server v1 template is configured with the following security permissions:
-Authenticated Users: Read
-Domain Admins: Read / Write / Enroll
-Enterprise Admins: Full Control
The Web Server v1 template is NOT configured on any of the enrollment objects in AD.
When a user installs LogMeIn on a member of a domain that has available certificate enrollment services, the installer appears to submit a request to any active Enterprise Enrollment object for a Web Server certificate.
The Auto Enrollment Proxy accepts and processes the request, even though neither the computer nor the user performing the installation have enrollment privileges for the Web Server template.
The AEP does not check what windows clients can enroll for certificate templates. The AEP receives the request and then forwards the request to the RCM CA.
|Legacy Article ID||a55458|