|
|
You're in the
iis security
group:Certsrv on a remote server
iis security:
Everyone,
I have an environment that uses a Stand-alone CA to issue certificates to remote users from a public web site using web enrollment. This cert is used for authentication for another web site. Right now I have a server farm behind load balancers, but only one of them is configured as CA with the web-enrollment piece (certsrv). As you can imagine, this acts as a single point of failure and means that we can't use the load balancers for this; we have to always go to the single server. I would like to put copies of Certsrv on the other web servers so that I could balance these, but I am concerned with the communication between web enrollment and the CA and what the configuration steps would be. I am trying to avoid the overhead of configuring subordinates on the other web servers and issuing locally. Advice? -- Ryan Hanisco MCSE, MCTS: SQL 2005, Project+ http://www.techsterity.com Chicago, IL Remember: Marking helpful answers helps everyone find the info they need
Just a heads up for futures reference:
You can cluster Certificate Services on Windows Server 2008, Enterprise Edition. Not the Web enrollment pages, but the CA itself. Brian [quoted text, click to view] "Dobromir Todorov" <dtodorov@msn.com> wrote in message
news:%23I5c15QbIHA.5400@TK2MSFTNGP03.phx.gbl... > Certificate Services do *not* support clustering. Whatever you do, > certificates issued by a CA will have to be signed using this CA's private > key and by definition, there should be one, secret copy of this key on a > single server (and not a cluster). > > The way around this is a multitier hieararchy, as you've mentioned below. > If you decide to go for a collapsed root/policy CA, you can install that > on a single (preferably offline - so not on your Web farm) root server, > and then you can install subordinate CAs on all the Web servers (yeah, I > know you were trying to avoid this...). All certificates issued by > subordinates will be part of the same CA hieararchy, therefore clients > will trust one another. > > A note on load balancing: when the client returns to the Web server to > obtain a certificate that they previously applied for, they must hit the > same Web server. Therefore, you will have to set client affinity, and it > needs to be such that even if the client returns after a week, she should > still hit the same server... This is so far the trickiest bit - and I > guess you will need to review your load balancer documentation to find out > whether this is doable at all, as affinity typically has a limited timeout > period. > > A note on unavailable CAs: Note, that if the CA is unavailable (not the > CRL DP, the actual CA registration authority, so the CERTSRV pages), then > users will simply not be able to request *new* certificates until the CA > becomes available again. However, all issued certificates will work. Hence > the reason why CAs are not necessarily Load Balancer and Clustering > friendly. > > -- > --- > HTH, > Dobromir > > Visit http://www.iamechanics.com > > "Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message > news:6CDE3050-3FC3-440C-9D06-A5E689D0FD1D@microsoft.com... >> Everyone, >> >> I have an environment that uses a Stand-alone CA to issue certificates to >> remote users from a public web site using web enrollment. This cert is >> used >> for authentication for another web site. >> >> Right now I have a server farm behind load balancers, but only one of >> them >> is configured as CA with the web-enrollment piece (certsrv). As you can >> imagine, this acts as a single point of failure and means that we can't >> use >> the load balancers for this; we have to always go to the single server. >> >> I would like to put copies of Certsrv on the other web servers so that I >> could balance these, but I am concerned with the communication between >> web >> enrollment and the CA and what the configuration steps would be. I am >> trying >> to avoid the overhead of configuring subordinates on the other web >> servers >> and issuing locally. >> >> Advice? >> -- >> Ryan Hanisco >> MCSE, MCTS: SQL 2005, Project+ >> http://www.techsterity.com >> Chicago, IL >> >> Remember: Marking helpful answers helps everyone find the info they need >> quickly. > >
Certificate Services do *not* support clustering. Whatever you do,
certificates issued by a CA will have to be signed using this CA's private key and by definition, there should be one, secret copy of this key on a single server (and not a cluster). The way around this is a multitier hieararchy, as you've mentioned below. If you decide to go for a collapsed root/policy CA, you can install that on a single (preferably offline - so not on your Web farm) root server, and then you can install subordinate CAs on all the Web servers (yeah, I know you were trying to avoid this...). All certificates issued by subordinates will be part of the same CA hieararchy, therefore clients will trust one another. A note on load balancing: when the client returns to the Web server to obtain a certificate that they previously applied for, they must hit the same Web server. Therefore, you will have to set client affinity, and it needs to be such that even if the client returns after a week, she should still hit the same server... This is so far the trickiest bit - and I guess you will need to review your load balancer documentation to find out whether this is doable at all, as affinity typically has a limited timeout period. A note on unavailable CAs: Note, that if the CA is unavailable (not the CRL DP, the actual CA registration authority, so the CERTSRV pages), then users will simply not be able to request *new* certificates until the CA becomes available again. However, all issued certificates will work. Hence the reason why CAs are not necessarily Load Balancer and Clustering friendly. -- --- HTH, Dobromir Visit http://www.iamechanics.com [quoted text, click to view] "Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message news:6CDE3050-3FC3-440C-9D06-A5E689D0FD1D@microsoft.com... > Everyone, > > I have an environment that uses a Stand-alone CA to issue certificates to > remote users from a public web site using web enrollment. This cert is > used > for authentication for another web site. > > Right now I have a server farm behind load balancers, but only one of them > is configured as CA with the web-enrollment piece (certsrv). As you can > imagine, this acts as a single point of failure and means that we can't > use > the load balancers for this; we have to always go to the single server. > > I would like to put copies of Certsrv on the other web servers so that I > could balance these, but I am concerned with the communication between web > enrollment and the CA and what the configuration steps would be. I am > trying > to avoid the overhead of configuring subordinates on the other web servers > and issuing locally. > > Advice? > -- > Ryan Hanisco > MCSE, MCTS: SQL 2005, Project+ > http://www.techsterity.com > Chicago, IL > > Remember: Marking helpful answers helps everyone find the info they need > quickly.
Dobromir,
Thanks for confirming that. I had kind of resigned myself to the fact that I would need to build out the CA structure to support this. As to the certs re-registering, this will not be an issue as the business requirements are to "permanently" brand a machine as being valid to interact with the site. This means issuing a very long duration. This should get it done. Thanks so much for your feedback. You too, Brian. -- Ryan Hanisco MCSE, MCTS: SQL 2005, Project+ http://www.techsterity.com Chicago, IL Remember: Marking helpful answers helps everyone find the info they need quickly. [quoted text, click to view] "Dobromir Todorov" wrote:
> Certificate Services do *not* support clustering. Whatever you do, > certificates issued by a CA will have to be signed using this CA's private > key and by definition, there should be one, secret copy of this key on a > single server (and not a cluster). > > The way around this is a multitier hieararchy, as you've mentioned below. If > you decide to go for a collapsed root/policy CA, you can install that on a > single (preferably offline - so not on your Web farm) root server, and then > you can install subordinate CAs on all the Web servers (yeah, I know you > were trying to avoid this...). All certificates issued by subordinates will > be part of the same CA hieararchy, therefore clients will trust one another. > > A note on load balancing: when the client returns to the Web server to > obtain a certificate that they previously applied for, they must hit the > same Web server. Therefore, you will have to set client affinity, and it > needs to be such that even if the client returns after a week, she should > still hit the same server... This is so far the trickiest bit - and I guess > you will need to review your load balancer documentation to find out whether > this is doable at all, as affinity typically has a limited timeout period. > > A note on unavailable CAs: Note, that if the CA is unavailable (not the CRL > DP, the actual CA registration authority, so the CERTSRV pages), then users > will simply not be able to request *new* certificates until the CA becomes > available again. However, all issued certificates will work. Hence the > reason why CAs are not necessarily Load Balancer and Clustering friendly. > > -- > --- > HTH, > Dobromir > > Visit http://www.iamechanics.com > > "Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message > news:6CDE3050-3FC3-440C-9D06-A5E689D0FD1D@microsoft.com... > > Everyone, > > > > I have an environment that uses a Stand-alone CA to issue certificates to > > remote users from a public web site using web enrollment. This cert is > > used > > for authentication for another web site. > > > > Right now I have a server farm behind load balancers, but only one of them > > is configured as CA with the web-enrollment piece (certsrv). As you can > > imagine, this acts as a single point of failure and means that we can't > > use > > the load balancers for this; we have to always go to the single server. > > > > I would like to put copies of Certsrv on the other web servers so that I > > could balance these, but I am concerned with the communication between web > > enrollment and the CA and what the configuration steps would be. I am > > trying > > to avoid the overhead of configuring subordinates on the other web servers > > and issuing locally. > > > > Advice? > > -- > > Ryan Hanisco > > MCSE, MCTS: SQL 2005, Project+ > > http://www.techsterity.com > > Chicago, IL > > > > Remember: Marking helpful answers helps everyone find the info they need > > quickly. > >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |