Integration with Active Directory and Distributed Security Services

Windows 2000 Certificate Services form the core of the Windows 2000 public key infrastructure. Enterprise certificate services are integrated with Active Directory and distributed security services, as shown in Figure 16.1.

Figure 16.1 Certificate Services in Windows 2000

You can install Windows 2000 Certificate Services to create certification authorities (CAs) for issuing and managing digital certificates. Active Directory contains information that enterprise CAs require, such as user account names, security group memberships, and certificate templates. Active Directory also contains information about each enterprise CA that is installed in the domain. Certificate requests are usually sent to enterprise CAs that process the requests to either deny or approve them. Issued certificates are distributed to Active Directory and to the requestor's computers. CAs also publish certificate revocation lists to Active Directory.

In addition, Active Directory stores Public Key Group Policy for distribution to all computers that are within the scope of the policy. Public Key Group Policy enables you to control which CAs are to be trusted in the enterprise, to specify alternative EFS recovery agents, and to configure automatic enrollment and renewal of certificates for Windows 2000based computers — all from a central administration point.

Active Directory also supports mapping certificates to network user accounts for authenticating clients and controlling access to network resources. Using smart cards for the user logon process is a special case of certificate mapping that extends the Kerberos v5 authentication protocol to include authentication of users on the basis of certificates and private keys that are stored on smart cards. Using smart cards for the user logon process provides enhanced security for user authentication and a single set of user credentials for logging on locally or remotely over a network.