The tab contains the parameters for working with Microsoft certification authorities (CAs). To add a certification authority, click Add CA.
Set the address of the certification authority (if it was not found automatically) and specify the account data of the user with an Enrollment Agent certificate, then click Add.
Warning |
---|
A user with an Enrollment Agent certificate is mandatory for Indeed CM to work with the CA correctly. This user account is used to request certificates for other Indeed CM users from the specified certification authority. The account data can be changed after the CA is added (see the Working with Microsoft Enterprise CA section of Indeed CM Installation and configuration). |
To change the account data of the user with the Enrollment Agent certificate, select the certification authority and click the icon to the right of the user name. To remove a certification authority, click the corresponding icon.
Indeed CM supports using multiple certification authorities of an organization. You can add several CAs for a single policy or create several policies and define a separate CA for each of them.
To add a CA that is outside the domain of Indeed CM users (say, in another independent domain of your organization), proceed as follows:
1. Click Add CA.
2. In the Address field, specify the URL of the Indeed CM MSCA Proxy application.
Info |
---|
See the Connecting to Microsoft CA via IndeedCM.MSCA.Proxy section of Indeed CM Installation and configuration. If Indeed CM is deployed in a domain forest, MSCA Proxy is not required. In this case, the CA address is specified in the Address field. |
3. Specify the user account (in Domain/Name format) and its password. The account must hold an Enrollment Agent certificate at the CA that is outside the domain of Indeed CM users.
4. Enable the Issue certificates for users from external associated catalog option.
5. Specify the path to the Indeed CM user directory of the external domain in the LDAP field.
Info |
---|
Indeed CM is deployed in the demo.local domain, and user certificates are issued by the CA deployed in the same domain. When adding the CA deployed in the external.com domain, specify the path to the user directory in that domain, where Indeed CM users have another domain account for which the added CA should issue certificates. |
6. In the User name field, specify the account (in Domain/User format) that has privileges to read all user properties of the external domain. You can use the account specified at step 3 for that.
Tip |
---|
To configure the permission to read the required properties only, refer to the Configuring the user catalog in Active Directory section of Indeed CM Installation and configuration. |
7. In the Catalogs associating attribute setting, specify the attribute (Common name (CN), E-mail or Logon name (sAMAccountName)) that Indeed CM uses to determine the uniqueness of a user who has accounts in each of the domains. The figure shows an example of settings for an external Microsoft CA.
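An added example, not part of the Indeed CM documentation: a pre-check of the attribute chosen in step 7, run over exports of both user directories before certificates are issued from the external CA. The entries, the example.org addresses and the trimmed, case-insensitive comparison are assumptions; this page does not state how Indeed CM itself compares values.

```python
from collections import defaultdict

# Constructed sample entries (not real accounts) for the two user directories.
PRIMARY = [
    {"dn": "CN=Anna Lee,OU=Users,DC=demo,DC=local", "cn": "Anna Lee",
     "mail": "anna.lee@example.org", "sAMAccountName": "alee"},
    {"dn": "CN=Alex Lee,OU=Users,DC=demo,DC=local", "cn": "Alex Lee",
     "mail": "alex.lee@example.org", "sAMAccountName": "alee2"},
    {"dn": "CN=Bo Chen,OU=Users,DC=demo,DC=local", "cn": "Bo Chen",
     "mail": "bo.chen@example.org", "sAMAccountName": "bchen"},
]
EXTERNAL = [
    {"dn": "CN=Anna Lee,OU=Staff,DC=external,DC=com", "cn": "Anna Lee",
     "mail": "anna.lee@example.org", "sAMAccountName": "anlee"},
    {"dn": "CN=Alex Lee,OU=Staff,DC=external,DC=com", "cn": "Alex Lee",
     "mail": "alex.lee@example.org", "sAMAccountName": "alee"},
    {"dn": "CN=Bo Chen,OU=Staff,DC=external,DC=com", "cn": "Bo Chen",
     "mail": "bo.chen@example.org", "sAMAccountName": "bchen"},
    {"dn": "CN=Bo Chen,OU=Contractors,DC=external,DC=com", "cn": "Bo Chen",
     "mail": "", "sAMAccountName": "bchen-ext"},
]

def index_by(entries, attr):
    """Map each normalised attribute value to the DNs that carry it."""
    index = defaultdict(list)
    for entry in entries:
        # Assumption: values are compared trimmed and case-insensitively.
        index[(entry.get(attr) or "").strip().lower()].append(entry["dn"])
    return index

def evaluate(primary, external, attr):
    """Pair accounts on attr; report values that cannot pair one-to-one."""
    p, x = index_by(primary, attr), index_by(external, attr)
    result = {"pairs": {}, "ambiguous": [], "unmatched": []}
    for value, dns in sorted(p.items()):
        targets = x.get(value, [])
        if not value or len(dns) > 1 or len(targets) > 1:
            result["ambiguous"].append(value)   # empty or duplicated value
        elif not targets:
            result["unmatched"].append(value)   # no account in external domain
        else:
            result["pairs"][dns[0]] = targets[0]
    return result

def disagreements(primary, external, attr_a, attr_b):
    """Primary DNs that two attributes pair with different external accounts."""
    a = evaluate(primary, external, attr_a)["pairs"]
    b = evaluate(primary, external, attr_b)["pairs"]
    return sorted(dn for dn in a if dn in b and a[dn] != b[dn])
```

In the sample, Common name is ambiguous for one user, and Logon name pairs one user with a colleague's external account even though every value is unique, which only the comparison against E-mail reveals.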