How do clients get a certificate if there are multiple CAs installed in AD?

Amol Vyawahare 1 Reputation point
2021-03-04T11:31:42.25+00:00

I have an environment where 2 Subordinate CAs are installed in each domain. I can see that the clients from that domain are equally getting certificates from both. Who is doing round robin in this case? When clients discover a CA, and if AD replies, does it provide the name of the CA in round-robin fashion? Second question: I understood that the certificate authority is a forest entity, so why are my clients getting certificates only from that domain's CA server? (Domain Computers is added in the certificate template security to read and enroll; is that the reason?) Is there any GPO setting or any AD setting that can tell clients "this is your domain, and this is your CA", or "this is the template you need to get"? Autoenroll is enforced on clients via GPO.

Windows Server Security

2 answers

  1. Amol Vyawahare 1 Reputation point
    2021-03-04T12:25:30.613+00:00

  2. Vadims Podāns 8,866 Reputation points MVP
    2021-03-04T21:04:57.493+00:00

    The CA selection is approximately this:

    Without Enrollment Policy Service:

    1. Get all enterprise CAs from AD and create List1
    2. Select the CAs that have the requested certificate templates and create List2
    3. If List2 is empty, stop processing
    4. Select the CAs that are site-aware and match the client site and create List3
    5. If the resulting List3 is empty, use the list obtained in step 2 as List3
    6. Randomize List3 and pick an arbitrary CA

    With Enrollment Policy Service:

    1. Build a list of Policy Servers using Group Policy, the local cache, and locally configured policies
    2. Order the policy servers in ascending order by Cost property; policy servers with lower cost will be tried first
    3. Iterate over the Policy Server list and for each server:
    4. Get the list of CAs advertised by the policy server and create List1
    5. Select the CAs that have the requested certificate templates and create List2
    6. If List2 is empty, continue with the next Policy Server
      6.1. If there is no next Policy Server, return an error
    7. Order List2 by Cost property; CAs with lower cost will be tried first.

    This is a very high-level flow on the client.

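As an added illustration (not code from the answer above or from Microsoft), here is a small Python model of the "without Enrollment Policy Service" flow the answer describes. The CA names, template names and site names are constructed, and which templates a CA offers to a given client is simplified to a set on each CA; it shows why two CAs publishing the same template appear to "round robin" (step 6 is a random pick), and why a site-aware CA pins clients in its site.

```python
# Added example modelling the answer's CA-selection steps; all data below is constructed.
import random
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class EnterpriseCA:
    name: str
    templates: set            # templates this CA offers the client (assumption: already ACL-filtered)
    site_aware: bool = False  # step 4: only site-aware CAs take part in site matching
    sites: set = field(default_factory=set)

# Constructed sample: two plain subordinate CAs and one site-aware CA serving "Site-B".
SAMPLE_CAS = [
    EnterpriseCA("SubCA1", {"Computer", "User"}),
    EnterpriseCA("SubCA2", {"Computer", "User"}),
    EnterpriseCA("SubCA3", {"Computer"}, site_aware=True, sites={"Site-B"}),
]

def select_ca(cas, template, client_site, rng: Optional[random.Random] = None):
    """Return the CA a client would pick for `template`, or None if no CA offers it."""
    rng = rng or random.Random()
    list1 = list(cas)                                          # step 1: all enterprise CAs
    list2 = [ca for ca in list1 if template in ca.templates]   # step 2: CAs offering the template
    if not list2:                                              # step 3: nobody can issue it
        return None
    list3 = [ca for ca in list2                                # step 4: site-aware CAs in my site
             if ca.site_aware and client_site in ca.sites]
    if not list3:                                              # step 5: fall back to List2
        list3 = list(list2)
    rng.shuffle(list3)                                         # step 6: randomize and pick one
    return list3[0]

def pick_distribution(cas, template, client_site, trials=1000, seed=0):
    """Count which CA wins over many enrolments: the 'round robin' is just randomization."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        ca = select_ca(cas, template, client_site, rng)
        counts[ca.name if ca else None] += 1
    return counts

if __name__ == "__main__":
    print(pick_distribution(SAMPLE_CAS, "Computer", "Site-A"))  # spread over all three CAs
    print(pick_distribution(SAMPLE_CAS, "Computer", "Site-B"))  # always SubCA3 (site match)
    print(pick_distribution(SAMPLE_CAS, "User", "Site-B"))      # SubCA3 lacks User: SubCA1/SubCA2
```

Note that with no site-aware CA in the client's site, step 5 means any CA in the forest that offers the template is eligible, which is why template permissions rather than domain membership decide where a client enrols.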