RedWhiteBlack-5237 asked DaisyZhou-MSFT commented

ADCS PKI: Certificates for Bastion Forest from Production Forest (on premise no Azure)

Is there any guidance in regards to whether a Windows Server 2019 Bastion forest should be issued certificates from the Windows Server 2019 Production forest for an on-premises solution? I have searched and cannot find any answers to this question. Any advice would be appreciated.

Tags: windows-active-directory, windows-server-2019, microsoft-identity-manager

DaisyZhou-MSFT answered RedWhiteBlack-5237 commented

Hello @RedWhiteBlack-5237,

Thank you for posting here.

Based on the description, I understand you have PKI in your Production forest.

1. Would you please describe the meaning of the "Bastion Forest" in your case, so that we can help you better?
2. What is the relationship between the Bastion Forest and the Production forest?
3. Do they have any trust relationship?


Here we can see a bastion environment planning guide:
Planning a bastion environment
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


Hello Daisy,

We are following the planning bastion environment guide that you have referenced. To answer your questions;

  1. Meaning of bastion is as per your planning guide, i.e. a dedicated administrative forest.
  2. The trust relationship would be as per the planning guide: the production CORP forest should trust the administrative PRIV forest but not the other way around.
  3. It would be a one-way trust from CORP to PRIV.

We have not deployed the environment as yet, as we are in the planning and development stage. However the planning document you listed states that there should be logical separation between CORP and PRIV forest i.e. "The bastion environment must contain its own Active Directory Domain Services, providing Kerberos and LDAP, DNS, time and time services, to the bastion environment."

Does that logical separation extend to PKI as well? Or can cross forest certificates be used without breaking the bastion model?

DaisyZhou-MSFT answered DaisyZhou-MSFT commented

Hello @RedWhiteBlack-5237,

Thank you for your update.

Does that logical separation extend to PKI as well? Or can cross forest certificates be used without breaking the bastion model?

For cross forest certificates:

If there is two-way trust relationship between two forests, we can set up Cross-Forest Certificate Enrollment.
For more information we can refer to link below.
AD CS: Deploying Cross-forest Certificate Enrollment
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff955845(v=ws.10)


If there is no two-way trust relationship between two forests, we can set up Cross-Forest Certificate Enrollment.
For more information we can refer to link below.
Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services
https://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx


Hope the information above is helpful.


Best Regards,
Daisy Zhou


Hello Daisy,

The technical implementation isn't the issue; I am aware of those guides, but thank you for taking the time to post them. The issue specifically is: "Can we use the CORP forest PKI to provide certificates to the PRIV (bastion) forest without breaking the logical separation of the bastion?"

I am struggling to find any written guidance from Microsoft on this specific point, hence posting my question here.


Hello @RedWhiteBlack-5237,

Thank you for your update.

Would you please tell us the meaning of "the logical separation of the bastion"?

Best Regards,
Daisy Zhou


Hello Daisy,

Look at your documentation: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment and the section on "Maintain logical separation".

RedWhiteBlack-5237 answered DaisyZhou-MSFT commented

Hi Daisy,

Thank you. Just some feedback: it would be good if there was a "PKI" tag that could be attached to PKI questions rather than having to tag them as "windows server". When we still had TechNet social, Brian Komar, Mark Cooper, vadmins and other PKI experts would be very nice and get back to you fairly promptly, which was always appreciated by the community.

What you have said wouldn't maintain logical separation, as the bastion PRIV forest needs to provide its own services and not be reliant on the CORP forest. However, it would be really appreciated if one of your PKI experts could clarify this issue definitively.

Kind Regards


Hello @RedWhiteBlack-5237,

Thank you for your feedback.

There is no PKI tag now, for questions related to PKI, we usually use Windows-server-security tag.

We hope the experts from PKI can provide some useful information for you.

Thank you for your understanding and support.


Best Regards,
Daisy Zhou

Tom-Houston answered DaisyZhou-MSFT commented

Hey @RedWhiteBlack-5237,

The best practice here I believe would be to deploy a separate PKI solution in the Bastion forest. This means the Bastion environment won't be impacted if the PKI in the Corporate forest is compromised.

Hope this helps.


Hi Tom, thank you for your reply. Appreciated.


Hello @Tom-Houston,

Thank you for your suggestion.

Hope more experts from PKI can provide more useful information.


Best Regards,
Daisy Zhou

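Added example, not part of the thread and not Microsoft's or any poster's code: a PowerShell check, run from the PRIV side, for the two properties the thread settles on. First, that the only trust present is the one-way CORP-to-PRIV trust described in the comments (stored on PRIV as an Inbound trust). Second, following Tom-Houston's suggestion of a separate PKI in the bastion, that the CAs PRIV's own directory advertises, in the Enrollment Services container and in NTAuthCertificates, are all hosted inside PRIV rather than in CORP. The forest names priv.example.com and corp.example.com are assumed placeholders; the container DNs under "Public Key Services" are the standard AD CS ones.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the original thread. Assumed placeholder names:
# bastion (PRIV) forest = priv.example.com, production (CORP) forest =
# corp.example.com. Run on a PRIV-joined admin host that has the RSAT
# ActiveDirectory module, as an account able to read PRIV's Configuration NC.
param(
    [string]$PrivForest = 'priv.example.com',
    [string]$CorpForest = 'corp.example.com'
)

Import-Module ActiveDirectory -ErrorAction Stop
$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. Trust direction, as seen from PRIV ---------------------------------
# The planning guide wants CORP to trust PRIV and nothing in reverse. Stored on
# PRIV, that relationship is an Inbound trust (PRIV is the trusted side).
# Outbound or BiDirectional would mean PRIV accepts CORP principals.
foreach ($t in Get-ADTrust -Filter * -Server $PrivForest) {
    if ($t.Direction -ne 'Inbound') {
        $findings.Add("Trust with $($t.Name) is $($t.Direction); expected Inbound only")
    }
}

# --- 2. CAs advertised in PRIV's own Configuration partition ----------------
$cfg = (Get-ADRootDSE -Server $PrivForest).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$cfg"

function Get-CertsFromAttribute {
    # cACertificate is multi-valued; each value is one DER-encoded certificate.
    param($Values)
    foreach ($v in $Values) { [X509Certificate2]::new([byte[]]$v) }
}

# Enrollment Services has one object per online CA; dNSHostName tells you
# which forest really runs it. A CORP-hosted CA here is the cross-forest
# enrollment setup the thread asks about, and it makes PRIV depend on CORP.
$enroll = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -Server $PrivForest `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName, cACertificate

$privIssuing = @{}   # thumbprint -> host name, for CAs hosted inside PRIV
foreach ($ca in $enroll) {
    $cert = @(Get-CertsFromAttribute $ca.cACertificate)[0]
    if ($ca.dNSHostName -like "*.$CorpForest") {
        $findings.Add("Enrollment Service '$($ca.Name)' runs on $($ca.dNSHostName), in the production forest")
    } elseif ($cert) {
        $privIssuing[$cert.Thumbprint] = $ca.dNSHostName
    }
}

# NTAuthCertificates lists the CAs whose certificates the forest accepts for
# certificate logon. Any entry that is not one of PRIV's own online CAs lets a
# CA outside the bastion issue credentials that log on to it.
$ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,$pks" -Server $PrivForest -Properties cACertificate
foreach ($c in Get-CertsFromAttribute $ntauth.cACertificate) {
    if (-not $privIssuing.ContainsKey($c.Thumbprint)) {
        $findings.Add("NTAuth trusts '$($c.Subject)' ($($c.Thumbprint)), not a PRIV-hosted online CA")
    }
}

if ($findings.Count -eq 0) {
    'OK: PRIV has no outbound trust and advertises only its own CAs.'
} else {
    $findings | ForEach-Object { "WARN: $_" }
}
```

The script only reads PRIV's Configuration partition, so it can run repeatedly as a drift check once the bastion is built. One caveat: a PRIV offline root that someone added to NTAuthCertificates by hand will also be reported, because an offline root has no Enrollment Services object; judge those entries by their subject rather than treating every warning as a CORP dependency.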