AD CS: Restricted Enrollment Agent
Updated: April 7, 2010
Applies To: Windows Server 2008
The restricted enrollment agent is a new functionality in the Windows Server® 2008 Enterprise operating system that allows limiting the permissions that users designated as enrollment agents have for enrolling smart card certificates on behalf of other users. The following sections describe this change and its implications.
Enrollment agents are one or more authorized individuals within an organization. The enrollment agent needs to be issued an enrollment agent certificate, which enables the agent to enroll for smart card certificates on behalf of users. Enrollment agents are typically members of the corporate security, Information Technology (IT) security, or help desk teams because these individuals have already been trusted with safeguarding valuable resources. In some organizations, such as banks that have many branches, help desk and security workers might not be conveniently located to perform this task. In this case, designating a branch manager or other trusted employee to act as an enrollment agent is required to enable smart card credentials to be issued from multiple locations.
On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent features allow an enrollment agent to be used for one or many certificate templates. For each certificate template, you can choose which users or security groups the enrollment agent can enroll on behalf of. You cannot constrain an enrollment agent based on a certain Active Directory® organizational unit (OU) or container; you must use security groups instead. The restricted enrollment agent is not available on a Windows Server® 2008 Standard-based CA.
This feature applies to organizations that have public key infrastructures (PKIs) with one or more Windows Server 2008 Enterprise-based CAs and that require trusted entities to be able to request smart card certificates on behalf of other users.
Using restricted enrollment agents will impact the performance of the CA; to optimize performance, you can minimize the number of accounts listed as enrollment agents. It is also recommended that you minimize the number of accounts in the permissions list for the enrollment agent. As a best practice, use group accounts in both lists instead of individual user accounts.
Windows Server 2008 uses version 3 certificate templates. Version 3 certificate templates can be opened only by a computer running the Windows Server 2008 or Windows Vista® operating systems. You cannot open or modify version 3 templates on computers that run earlier versions of Windows.
Intermittently, new certificate templates will not appear in the list of certificates available in the Certificate Templates snap-in while the Certification Authorities dialog box is open. Close the dialog box and reopen it to see the new template in the available list.
In Windows Server® 2003 Enterprise Edition it is not possible to permit an enrollment agent to enroll only a certain group of users. In Windows Server 2008 the PKI architecture of an enterprise will be able to restrict enrollment agents so that enrollment is only possible for a certain certificate template. By limiting the scope of enrollment agents, an enterprise is better able to control the delegation of trust and the risk associated with granting that trust.
In Windows Server 2003 Enterprise Edition the enterprise CA does not provide any configurable means to control enrollment agents except by enforcing the application policy extension of the enrollment agent certificate, which verifies that the credentials grant the ability to enroll on behalf of other users. The enrollment agent certificate is a certificate containing the "Certificate Request Agent" application policy extension; the object identifier (also known as OID) is 126.96.36.199.4.1.3188.8.131.52.
In Windows Server 2008 Enterprise, the restricted enrollment agent allows limiting the permissions that enrollment agents have for enrolling smart card certificates on behalf of other users so that the process of enrolling on behalf of other users can be delegated to other individuals within more controlled parameters. By using the Certificate Services snap-in, you can create a permissions list for each enrollment agent to configure which users or security groups an enrollment agent can enroll on behalf of for each certificate template.
Before configuring restricted enrollment agents, you should create security groups in Active Directory Domain Services (AD DS). Depending on your restriction policy, you may have a security group for all enrollment agents in a registration authority and also a different security group for the users that are assigned to a registration authority. With those two security groups per registration authority, you are able to precisely limit the capabilities of the enrollment agents.