Configure Computer Certificate Autoenrollment
Published: October 7, 2009
Updated: October 7, 2009
Applies To: Windows Server 2008 R2
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=179989).
The default connection security rules use a computer certificate for Internet Protocol security (IPsec) peer authentication. This requires a certificate on DirectAccess clients, DirectAccess servers, and selected servers with either the Client Authentication or IP Security IKE Intermediate object identifier (OID). The easiest way to deploy certificates containing the Client Authentication OID to both DirectAccess clients and servers is to configure certificate autoenrollment for the built-in Computer Certificate template.
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to change Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To configure computer certificate auto-enrollment
1. On a domain controller, click Start, type gpmc.msc, and then press ENTER.
2. In the console tree of the Group Policy Management console, open the domain that contains DirectAccess client and server computer accounts.
3. In the console tree, right-click the Group Policy object that applies to all of your domain accounts, and then click Edit.
4. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
5. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
6. In the Automatic Certificate Request Wizard, click Next.
7. On the Certificate Template page, click Computer, click Next, and then click Finish.
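After the policy has applied, a practitioner will want to confirm that each DirectAccess client and server actually received a certificate the default connection security rules can use. The following PowerShell script is an added verification example, not part of the original topic; it assumes an elevated session on a domain-joined computer and checks the local computer's Personal store for a valid certificate carrying the Client Authentication (1.3.6.1.5.5.7.3.2) or IP security IKE intermediate (1.3.6.1.5.5.8.2.2) OID.

```powershell
# Added example: verify computer certificate autoenrollment on a DirectAccess client or server.
# Assumes an elevated PowerShell session on a domain-joined computer after Group Policy has applied.

# Object identifiers accepted by the default connection security rules for IPsec peer authentication
$AcceptedOids = @(
    '1.3.6.1.5.5.7.3.2',   # Client Authentication
    '1.3.6.1.5.5.8.2.2'    # IP security IKE intermediate
)

function Test-HasAcceptedEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # EnhancedKeyUsageList is the PowerShell view of the certificate's EKU extension
    $oids = $Certificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    foreach ($oid in $AcceptedOids) { if ($oids -contains $oid) { return $true } }
    return $false
}

# Refresh computer policy and ask the autoenrollment client to process pending requests now
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# A usable certificate has a private key, is unexpired, and carries one of the accepted OIDs
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.NotAfter -gt (Get-Date)) -and (Test-HasAcceptedEku $_)
}

if (-not $candidates) {
    Write-Warning 'No valid computer certificate with an accepted OID found; autoenrollment has not completed.'
    # Autoenrollment records its outcome in the Application log; show the most recent entries
    Get-WinEvent -LogName Application -MaxEvents 200 |
        Where-Object { $_.ProviderName -like '*CertificateServicesClient-AutoEnrollment*' } |
        Select-Object -First 10 TimeCreated, Id, Message |
        Format-Table -AutoSize -Wrap
    return
}

foreach ($cert in $candidates) {
    # Verify() builds the chain to a trusted root and performs revocation checking
    New-Object -TypeName PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        ChainValid = $cert.Verify()
        EKUs       = (($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', ')
    }
}
```

A result with ChainValid set to False means the issuing CA's root is not trusted by the local computer or revocation information is unreachable, which will cause IPsec authentication to fail even though the certificate was issued.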