Permissions required for FAS Certificate Templates
Article ID: CTX237503
Description
Domain computers generating many requests on Certificate Authority (CA)
Environment
This software application is provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that: (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the software application be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the software application.
Resolution
Citrix recommends the following permissions on certificate templates:
- For security reasons, remove Domain Computers from the Citrix_RegistrationAuthority_ManualAuthorization, Citrix_RegistrationAuthority, and Citrix_SmartLogon templates.
- Add the FAS servers explicitly (or an AD security group that contains only FAS servers) and grant them Read and Enroll permissions on each certificate template used by the FAS servers.
- Add Read permission for Authenticated Users.
- Optionally, add Read and Write permission for Enterprise Admins.
NOTE: Always use the FAS certificate templates that are associated with the installed FAS product version. Do not use older versions of the FAS certificate templates in the CA.
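The audit below is an added example, not code from the Citrix article: it reads the ACL of each FAS template object in the Configuration partition and reports any Enroll or AutoEnroll right (or GenericAll) still granted to Domain Computers, so the permission change above can be verified before and after it is applied. It assumes it is run on a domain-joined machine as a user who can read the Configuration naming context; the template names are the ones named in the article.

```powershell
# Added example (not from the Citrix article): audit FAS certificate template ACLs
# for Enroll/AutoEnroll rights held by "Domain Computers".
# Assumption: run on a domain member with read access to the Configuration partition.
param(
    [string[]]$TemplateNames = @('Citrix_RegistrationAuthority_ManualAuthorization',
                                 'Citrix_RegistrationAuthority',
                                 'Citrix_SmartLogon'),
    [string]$Principal = 'Domain Computers'   # group name to look for (no domain prefix)
)

# Well-known extended-right GUIDs used on pKICertificateTemplate objects.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$GenericAll     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

foreach ($name in $TemplateNames) {
    $path = "LDAP://CN=$name,$templateContainer"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        Write-Warning "Template '$name' not found under $templateContainer"
        continue
    }
    $template = [ADSI]$path
    # Explicit and inherited ACEs, with identities resolved to DOMAIN\Name form.
    $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $hits = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$Principal" -and
        ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq $AutoEnrollGuid -or
         (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll))
    }
    foreach ($hit in $hits) {
        $right = switch ($hit.ObjectType) {
            { $_ -eq $EnrollGuid }     { 'Enroll' }
            { $_ -eq $AutoEnrollGuid } { 'AutoEnroll' }
            default                    { [string]$hit.ActiveDirectoryRights }
        }
        # One row per offending ACE; an empty result for a template means it is clean.
        [pscustomobject]@{ Template = $name; Identity = $hit.IdentityReference.Value; Right = $right }
    }
    if (-not $hits) { Write-Host "OK: '$name' grants no Enroll/AutoEnroll to $Principal" }
}
```

Any row returned for a template is one the Resolution steps above say to remove; after editing the template security in the Certificate Templates console, rerun the script and expect only "OK" lines.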
Problem Cause
Older versions of FAS deploy certificate templates that grant the Autoenroll permission to Domain Computers.
This causes every domain computer to attempt automatic enrollment against these templates, which produces "Failed Requests" entries on the Certificate Authority.