000027027 - Auto Enrollment Proxy incorrectly allows enrollment

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000027027
Applies To: RSA Certificate Manager 6.8
Microsoft Windows Server 2003 SP2
Auto Enrollment Proxy (AEP)
Issue: Auto Enrollment Proxy incorrectly allows enrollment

AEP allows Windows clients to enroll for certificate templates that they are not authorized to enroll for.

For example, the Web Server v1 template is configured with the following security permissions:

- Authenticated Users: Read
- Domain Admins: Read / Write / Enroll
- Enterprise Admins: Full Control

The Web Server v1 template is NOT configured on any of the enrollment objects in AD.

When a user installs LogMeIn on a member of a domain that has available certificate enrollment services, the installer appears to submit a request to any active Enterprise Enrollment object for a Web Server certificate.

The Auto Enrollment Proxy accepts and processes the request, even though neither the computer nor the user performing the installation has enrollment privileges for the Web Server template.

Resolution

The AEP does not check whether Windows clients are authorized to enroll for the requested certificate template. The AEP receives the request and then forwards it to the RCM CA.
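As an added example (not RSA's code), the following script applies the template-permission check that the resolution says AEP omits to constructed request records, so an administrator can list requests that were forwarded without authorization. The group memberships, the "Computer" template and the request records are assumptions; the Web Server ACL and its unpublished state are taken from the article.

```python
# Constructed example: the template-permission check AEP does not perform,
# run over a sample of forwarded requests to flag ones that should have been
# rejected. Rights and group names are simplified assumptions.

ENROLL_RIGHTS = {"Enroll", "Full Control"}

# Template ACLs. "Web Server" is as described in the article; "Computer" is
# an assumed template with a normal machine-enrollment ACL.
TEMPLATE_ACLS = {
    "Web Server": {
        "Authenticated Users": {"Read"},
        "Domain Admins": {"Read", "Write", "Enroll"},
        "Enterprise Admins": {"Full Control"},
    },
    "Computer": {
        "Authenticated Users": {"Read"},
        "Domain Computers": {"Read", "Enroll"},
    },
}

# Templates published on an enrollment object in AD. Per the article,
# Web Server is not published anywhere.
PUBLISHED_TEMPLATES = {"Computer"}


def is_enrollment_authorized(template, requester_groups,
                             acls=TEMPLATE_ACLS, published=PUBLISHED_TEMPLATES):
    """True only if the template is published and at least one of the
    requester's groups holds Enroll or Full Control on it."""
    if template not in published:
        return False
    acl = acls.get(template, {})
    return any(acl.get(group, set()) & ENROLL_RIGHTS for group in requester_groups)


# Constructed records of requests AEP forwarded: (requester, groups, template)
REQUESTS = [
    ("DOMAIN\\WS01$", {"Authenticated Users", "Domain Computers"}, "Computer"),
    ("DOMAIN\\WS01$", {"Authenticated Users", "Domain Computers"}, "Web Server"),
    ("DOMAIN\\jdoe", {"Authenticated Users", "Domain Users"}, "Web Server"),
    ("DOMAIN\\admin1", {"Authenticated Users", "Domain Admins"}, "Web Server"),
]


def audit_requests(requests):
    """Return (requester, template) for every request that should have been denied."""
    return [(who, tmpl) for who, groups, tmpl in requests
            if not is_enrollment_authorized(tmpl, groups)]


if __name__ == "__main__":
    for who, tmpl in audit_requests(REQUESTS):
        print(f"UNAUTHORIZED enrollment forwarded: {who} -> {tmpl}")
```

Note that even the Domain Admins request is flagged, because the article states the Web Server template is not configured on any enrollment object; publishing it would make that one request legitimate.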

Legacy Article ID: a55458
