Windows Server 2008 R2 and Windows 7 : Deploying DirectAccess (part 2) - Creating a certificate revocation list (CRL) distribution point on the DirectAccess server

9/9/2012 9:25:35 PM

Creating a certificate revocation list (CRL) distribution point on the DirectAccess server

In this section, we will configure a location on the DirectAccess server to store the CRL for clients connecting to the server. We will make this CRL web enabled by creating an IIS Web site on the DirectAccess server. We will then configure the Certificate Authority to publish the CRL to the DirectAccess server via a shared folder. To accomplish the above tasks, perform the following:

Log on to the DirectAccess server (LABDA1) and create a new folder on the root of C: named CRL (see Figure 5).

Figure 5. New folder to store CRL information.

Add the Web server role by opening Server Manager.

Then select the Roles node and click the Add Roles link in the middle pane.

Click Next to begin the Add Roles Wizard.

Select the Web Server (IIS) role as seen in Figure 6. Then click Next.

Figure 6. Select Web Server Role.

On the Introduction page click Next.

Accept the default role services and click Next.

Verify settings on the Confirmation Page. Then click Install.

When the installation is complete, click Close to close the Add Roles Wizard.

To create a Web site which will be used for web CRL distribution, perform the following:

Open Server Manager and expand the Roles | Web Server (IIS) nodes.

Select the newly added Internet Information Services (IIS) Manager node.

In the middle pane, expand the Sites node to reveal the Default Website.

Select the Default Website and then click the Basic Settings link in the right pane.

Change the Physical path to point to the CRL folder that you previously created (see Figure 7). Then click OK.

Figure 7. Set Web Site home folder to CRL path.

In the middle pane, double-click the Directory Browsing option. Then click the Enable link in the right actions pane as seen in Figure 8.

Figure 8. Allowing Directory Browsing of CRL Web Site.

Close Server Manager.

We now need to share the CRL folder and give the Certificate Authority permission to access it. Perform the following steps to set up the CRL shared folder:

Browse to the CRL folder you previously created at the root of C:\. Right-click the CRL folder and choose Properties.

Select the Sharing tab and click the Advanced Sharing button as seen in Figure 9.

Figure 9. Sharing Properties.

Click the Share this folder checkbox in the Advanced Sharing window. Then click the Permissions button (see Figure 10).

Figure 10. Advanced Folder Sharing.

Click the Add button. Then click Object Types.

From the Object Types window, select Computers as seen in Figure 11. Then click OK.

Figure 11. Enable selection of the computer Object Type.

Enter the name of the Certificate Authority computer and click OK.

Allow the CA computer Full Control permissions. Then click OK.

Click OK on the Advanced Sharing window and click Close on the Properties window.

You now need to enable the server as a CRL distribution point and publish the CRL to the distribution point. Perform the following to complete these tasks:

Log on to the Certificate Authority and Open Server Manager.

Expand the nodes Roles | Active Directory Certificate Services.

Right click the node representing the Certificate Authority, and select Properties (see Figure 12).

Figure 12. Active Directory Certificate Services CA Server.

Select the Extensions tab in the CA Properties window.

Click Add to add a new CRL distribution point.

Enter the URL you wish to use for the CRL located on the DirectAccess server.

Select the variable <CAName> and click Insert.

Select the variable <CRLNameSuffic> and click Insert.

Select the variable <DeltaCRLAllowed> as seen in Figure 13. Then click Insert.

Figure 13. Add CRL Location.

Go to the end of the long URL string created in the Location field and enter a .crl at the end of the string. Then click OK.

Select the options Include CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates.

Click the Add button.

In the Location text box, enter\\locationofDAServer\CRL\ (see Figure 14).

Figure 14. Location of CRL shared folder.

Select the variable <CAName> and click Insert.

Select the variable <CRLNameSuffix> and click Insert.

Select the variable <DeltaCRLAllowed> and click Insert.

Again add .crl to the end of the newly created location string as seen in Figure 15.

Figure 15. Newly Constructed CRL string.

Select the option Publish CRLs to this Location.

Select the option Publish Delta CRLs to this Location (see Figure 16) and click OK.

Figure 16. CRL publishing options.

When prompted to restart Active Directory Certificate Services, click Yes.

Expand the Certificate Authority node within Server Manager.

Right click on the Revoked Certificates node and select All Tasks | Publish.

Choose the option New CRL and click OK. This will publish the full CRL to the path, making it accessible via file share and the default Web site on the DirectAccess server.
  •  Windows Server 2008 R2 and Windows 7 : Planning to Deploy Directaccess
  •  Iwork Pro : Export Strength
  •  Is It Time To Ditch Windows Search? (Part 4) - Power tools,Search for files over Wi-Fi, Search your PC from your mobile phone
  •  Is It Time To Ditch Windows Search? (Part 3) - Search across the LAN
  •  Is It Time To Ditch Windows Search? (Part 2) - Search within files
  •  Is It Time To Ditch Windows Search? (Part 1) - Simple filename searches
  •  In Search Of The Perfect Mid-Tower (Part 4) - Thermaltake Level 10 GTS
  •  In Search Of The Perfect Mid-Tower (Part 3) - Corsair Obsidian 550D, NZXT Phantom 410 Gunmetal Edition
  •  In Search Of The Perfect Mid-Tower (Part 2) - Corsair Vengeance C70, MSI Ravager
  •  In Search Of The Perfect Mid-Tower (Part 1) - Antec Eleven Hundred, Silverstone Temjin Tj04-E
  •  Rebuilding The Dream (Machine) (Part 3)
  •  Rebuilding The Dream (Machine) (Part 2)
  •  Rebuilding The Dream (Machine) (Part 1)
  •  Toshiba Satellite C840 Review (Part 2)
  •  Toshiba Satellite C840 Review (Part 1)
  •  Maintaining Your Windows XP System : Checking Your Hard Disk for Errors (part 2) - Checking Free Disk Space, Deleting Unnecessary Files
  •  Maintaining Your Windows XP System : Checking Your Hard Disk for Errors (part 1)
  •  BenQ XL2420T : Best 3D monitor
  •  Falcon Northwest Tiki: Size really doesn't matter
  •  Thermalright Silver Arrow Sb-E
    Top 10
    Canon IXUS 500 HS - Small-But-Mighty Premium Compact
    Olympus SH-21 - Attractive Features For Travelers
    Samsung WB750 - Small Camera, Big Zoom
    Data Deduplication (Part 2)
    Data Deduplication (Part 1)
    AMD FX-8350 - The Piledriver Update (Part 2)
    AMD FX-8350 - The Piledriver Update (Part 1)
    ASUS F2A85-M Pro - Reasonably Priced Motherboard
    CM Storm Scout 2 - Hello Scout 2
    Security Pros Get Caught Out By QR Codes
    Most View
    Monitoring Microsoft Windows Server 2003 : Using the WMI Event Logging Provider
    HP Wireless Multi-function Printer
    5 Tips For Faster Editing
    Snake-Oil Solutions For Electrosmog (Part 2)
    WCF Services : Data Contract - Attributes
    How did Webs put the world on maps? (Part 1)
    Letter Of The Month – November 2012 (Part 1)
    The Best Entry Level Phones – November 2012 (Part 4) - Motorola Motosmart
    Olympus Launches OM-D E-M5
    Create Your Own E-Books (Part 2) - Creation Services
    Troubleshooting Reference: Internet Connection
    Programming Microsoft SQL Server 2005: Overview of SQL CLR - Visual Studio/SQL Server Integration
    Windows Server 2003 : Active Directory Troubleshooting and Maintenance
    ASP.NET State Management Techniques : The Role of the Global.asax File
    Iweb And Its Replacement (Part 1)
    BlackBerry Java Application Development : installing other JDE component packages over-the-air
    Remote Administration of Exchange Server 2010 Servers : Using the ECP Remotely
    Buying Tips : Cooling Bargains (Part 3)
    The Download Directory (Part 3) - A-PDF Split 3.6 & IsMyLcdOK 1.66
    Cloud Application Architectures : Database Management