Browse by Tags

Tagged Content List
  • Wiki Page: How to Publish the CRL on a Separate Web Server

    By default, an issuing enterprise CA publishes its certificate revocation list (CRL) to locations within the forest. When you are using Internet-based client management with Configuration Manager, there are scenarios where you might need to publish the CRL on a separate server, outside the forest....
  • Wiki Page: How to Configure UAG to Publish Your Private Certificate Revocation List

    [This article originally appeared in the Edge Man blog at http://blogs.technet.com/b/tomshinder/archive/2010/08/03/how-to-configure-uag-to-publish-your-private-certificate-revocation-list.aspx . Feel free to enhance and improve it! --Tom.] In order for SSTP (Secure Socket Tunneling Protocol) and...
  • Wiki Page: Certificate Revocation List (CRL) Verification - an Application Choice

    Disabling revocation checking in specific scenarios seems to be a frequently asked question. This can be either a test or a formerly badly configured environment. While it is not recommended to turn off revocation checking, I want to provide you with some references where you can find technical information to alter the...
  • Wiki Page: Understanding Access to Microsoft Certificate Revocation List

    High-Level Overview We encourage you to enhance this guide by identifying missing areas (scenarios, features, lifecycle...), providing links to and writing descriptions of existing content, and providing new content where there are gaps. Join the community! Introduction...
  • Wiki Page: AD FS 2.0 & Higher: Truncate strings in claims using RegEx

    Scenario: There is an incoming claim ( or user attribute ) that is being sent to a relying party When the claim is sent, the value must not exceed a certain character limit Data that exceeds this limit must be truncated to accommodate this requirement Example: Incoming claim http...
  • Wiki Page: How to Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub

    It is highly recommended when building your Microsoft PKI (Public Key Infrastructure) to have your Root CA offline after issuing the Enterprise Sub CA certificates. It is recommended to minimize access to the Offline Root CA as much as possible. The Root CA is not a domain-joined machine and can be turned...
  • Wiki Page: AD FS 2.0: Selectively send group membership(s) as a claim

    You can send group membership as claims by using the built-in templates. Create a new rule, choose “Send LDAP Attributes as Claims”. Choose Active Directory as the Attribute Store, and choose the LDAP Attribute “Token-Groups – Unqualified Names” and the claim type as “Group”. This will send...
  • Wiki Page: AD LDS and ADAM: Publishing a Certificate Revocation List (CRL) to the Directory Fails

    Symptoms Publishing a certificate revocation list (CRL) to AD LDS or ADAM fails The publishing method could be certutil.exe or a directory synchronization tool You may see events similar to the following: Log Name: ADAM (Instance-Name) Source: ADAM [Instance-Name] LDAP Date...
  • Wiki Page: Large CRLs: What is Added to a Certificate Revocation List (CRL)?

    This article discusses the reasons a certificate revocation list (CRL) can become large. The contents of this article include the following: Table of Contents What makes a large CRL? Additional References What makes a large CRL? There is really one item that makes the CRL grow: revoked certificates...
  • Wiki Page: AD FS 2.0: Dynamic Claim Types

    Dynamic Claim Types There is data stored about a user in a SQL database ( or other attribute store ). The data stored about the user in the database needs to be a part of the claim type and not the value of the claim. For example, properties “ Redmond ” and “ Building3 ” stored in a database...
  • Wiki Page: AD FS 2.0: Domain Local Groups in a claim

    Introduction The basic method for adding group memberships into claims is using Send LDAP Attributes as Claims and picking one of the tokenGroups options. This method works for global and universal groups, but will leave out any domain local groups. The primary reason for this is that there is no intuitive...
  • Wiki Page: UAG DirectAccess Test Lab Guide CRL Check Update

    Jim Harrison recently pointed out to me that there’s a small problem with the UAG DirectAccess Test Lab Guide, which you can find over at http://technet.microsoft.com/en-us/library/ee861167.aspx If you haven’t seen the Test Lab Guide yet, or if you haven’t had a chance to run it, I...