Establish Restricted Enrollment Agents
Applies To: Windows Server 2008 R2
An enrollment agent is a user who can enroll for a certificate on behalf on another client. Unlike a certificate manager, an enrollment agent can only process the enrollment request and cannot approve pending requests or revoke issued certificates.
Windows Server 2008 R2 includes three certificate templates that enable different types of enrollment agents:
Enrollment Agent. Used to request certificates on behalf of another subject.
Enrollment Agent (Computer). Used to request certificates on behalf of another computer subject.
Exchange Enrollment Agent (Offline Request). Used to request certificates on behalf of another subject and supply the subject name in the request. This template is used by the Network Device Enrollment Service for its enrollment agent certificate.
When you create an enrollment agent, you can further refine the agent's ability to enroll for certificates on behalf of others by group and by certificate template. For example, you might want to implement a restriction that the enrollment agent can only enroll for smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group.
This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.
You can only apply enrollment agent restrictions on Windows Server 2008–based CAs. Enrollment agent policy must also be configured properly.
You must be a CA administrator or a member of Enterprise Admins, or equivalent, to complete this procedure. For more information, see Implement Role-Based Administration.
To configure enrollment agent restrictions for a CA
Open the Certification Authority snap-in, right-click the name of the CA, and then click Properties.
Click the Enrollment Agents tab, click Restrict enrollment agents, and click OK on the message that appears.
Under Enrollment agents, click Add, type the names of the users or groups that you want to configure, and then click OK. Click Everyone, and then click Remove.
Under Certificate Templates, click Add, select the template for the certificates that you want this user or group to be able to enroll from, and then click OK. Repeat this step until you have selected all certificate templates that you want to enable for this enrollment agent. When you have finished adding the names of certificate templates, click <All>, and then click Remove.
Under Permissions, click Add, type the names of the users or groups for whom you want the enrollment agent to manage the defined certificate types, and then click OK. Click Everyone, and then click Remove.
If you want to block the enrollment agent from managing certificates for a user, computer, or group, under Permissions, select this user, computer, or group, and then click Deny.
When you are finished configuring enrollment agent restrictions, click OK or Apply.
The user or group that you applied enrollment agent restrictions to must have a valid enrollment agent certificate for the CA before they can act as an enrollment agent, whether restricted enrollment agent permissions have or have not been configured.