Friday, October 8, 2021

MS CA template name not in Cert extension

Haven't really found any help on the internet so hoping someone here could help me...

I'm trying to configure AnyConnect with MS CA. I've managed to get Proxy SCEP and OCSP to work so users can autoenroll and the firewall checks with the CA to make sure the ID cert from the user hasn't been revoked. My only problem now is making sure the CA only issues 1 cert for each user; this stops them using multiple machines.

I've enabled the "no re-enroll if duplicate certificate exists in AD" option, as from my understanding this will stop the CA from dishing out multiple certs to the same users. But this still does not work. Online research suggests it's to do with the certs not containing the template name in the Certificate Template Information extension. I've checked my ID cert on my test PC and only my OID is in there. How do I add the template name to this extension? I can't find anything about it.

The machines the users are logging in with are NOT on the domain; I have a bad feeling this has something to do with it...

Any help will be greatly appreciated.
