Configure Permissions on the Web Server Certificate Template

Updated: October 25, 2010

Applies To: Windows Server 2008 R2


This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (

The DirectAccess server requires and network location servers might require certificates for Secure Sockets Layer (SSL) authentication that have customized certificate properties. To request and modify these certificates from an Active Directory Certificate Services (AD CS)-based certification authority (CA), you must modify the permissions of the Web Server certificate template.

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create and enable certificate template settings on an AD CS-based CA. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

To configure permissions for the Web Server certificate template

  1. On the CA computer, click Start, type certtmpl.msc, and then press ENTER.

  2. In the contents pane, right-click the Web Server template, and then click Properties.

  3. Click the Security tab, and then click Add.

  4. In Enter the object names to select, type the name of the security group that contains the computers that are allowed to request customized certificates, and then click OK.

    This security group should contain, at least temporarily when requesting custom certificates, the computer accounts of the DirectAccess server and network location server. As a security best practice, do not use the Authenticated Users group.

  5. In Permissions, click Enroll under Allow, and then click OK.

If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.