2.5.1 Determining Enrollment Permission of an End Entity for a Template

Following are the processing rules to determine enrollment for end entities on a certificate template. The protocol behavior for these permissions is specified in [MS-WCCE] section 3.2.2.6.2.1.4.3 "Verify End Entity Permissions".

Input Parameters:

Output Parameter: This parameter can be either TRUE or FALSE.

Processing Rules:

An entity (Active Directory user or group) has enrollment permission and output parameter is set to TRUE if the DACL of the security descriptor that is stored in input parameter Template_ntSecurityDescriptor contains an ACE that satisfies either one of the following sets of characteristics:

It has an object allowed ACE (see [MS-DTYP] section 2.4.4.3) that satisfies all of the following conditions:

  • The Requester_SID input parameter is identical to the SID associated with this ACE.

  • The AceType field of the ACE_HEADER structure (as specified in [MS-DTYP] section 2.4.4.1) is ACCESS_ALLOWED_OBJECT_ACE. This implies that it is an ACCESS_ALLOWED_OBJECT_ACE structure, as specified in [MS-DTYP] section 2.4.4.3.

  • The Mask field of the ACCESS_ALLOWED_OBJECT_ACE structure MUST have the bits set as specified by the X in the following diagram.


    0


    1


    2


    3


    4


    5


    6


    7


    8


    9

    1
    0


    1


    2


    3


    4


    5


    6


    7


    8


    9

    2
    0


    1


    2


    3


    4


    5


    6


    7


    8


    9

    3
    0


    1

    X

  • The ObjectType field of the ACCESS_ALLOWED_OBJECT_ACE structure MUST be identical to the Enroll GUID in the following table. GUID is defined in [MS-DTYP] section 2.3.4.

Or,

It has an allowed ACE (see [MS-DTYP] section 2.4.4.2) that satisfies all the following conditions:

  • The Requester SID input parameter is identical to the SID associated with this ACE.

  • The AceType field of the ACE_HEADER structure (as specified in [MS-DTYP] section 2.4.4.1) is ACCESS_ALLOWED_ACE_TYPE. This implies that it is an ACCESS_ALLOWED_ACE structure, as specified in [MS-DTYP] section 2.4.4.2.

  • The Mask field of the ACCESS_ALLOWED_ACE structure MUST have the bits set as specified by the X in the following diagram.


    0


    1


    2


    3


    4


    5


    6


    7


    8


    9

    1
    0


    1


    2


    3


    4


    5


    6


    7


    8


    9

    2
    0


    1


    2


    3


    4


    5


    6


    7


    8


    9

    3
    0


    1

    X

An entity is denied enrollment permissions if the DACL of the security descriptor that is stored in input parameter Template_ntSecurityDescriptor has the same ACE as previously described, except that the AceType field is set to ACCESS_DENIED_OBJECT_ACE_TYPE.