One of the strong points of what Microsoft has been doing over the years has been to maintain compatibility with software for previous versions of its operating systems. This has worked well for a long time. After all, why would you go through the expense of upgrading all your clients to a new OS if it meant buying completely new software packages. The cost would be to prohibitive. As with all old technology, sometimes the old has to give away completely to the new. Case in point, take a look at what the telegraph did to the Pony Express.
The Web Enrollment on Windows Server 2008 has changed. On a Vista machine, it will look as it always has. On XP, it simply will not work. The Server 2003 enrollment control, XEnroll.dll has been replaced by CertEnroll.dll in Server 2008. The enrollment agent has been moved from the server to the client (Vista). Since XP and 2000 relied on the enrollment agent being available on the server, this legacy Oss are not able to request a certificate. So, how do you install a CA on a Server 2008 based system without completely upgrading all your clients to Vista first? It’s a little combination of the old and the new.
First off, you can use a Vista client to request the certificate for the legacy OS. This is all fine and dandy, but a little cumbersome. The other option is to follow a best practice and have a subordinate CA that is running Server 2003 with Web Enrollment installed. This will allow your legacy Oss to continue functioning happily in a secured environment.
12/08/2008
Correction to paragraph 2
I’ve found some contradictory information. XP/2000/2003 can still use web enroll on a Windows @008 AD CS server. AD CS will detect the legacy operating system and use Xenroll.dll to issue the certificates. One thing to note is that Smart Card enrollment is not support on the legacy applications unless you use one of the other methods mentioned.
Refferenc: http://technet.microsoft.com/en-us/library/cc732517.aspx
The Web Enrollment on Windows Server 2008 has changed. On a Vista machine, it will look as it always has. On XP, it simply will not work. The Server 2003 enrollment control, XEnroll.dll has been replaced by CertEnroll.dll in Server 2008. The enrollment agent has been moved from the server to the client (Vista). Since XP and 2000 relied on the enrollment agent being available on the server, this legacy Oss are not able to request a certificate. So, how do you install a CA on a Server 2008 based system without completely upgrading all your clients to Vista first? It’s a little combination of the old and the new.
First off, you can use a Vista client to request the certificate for the legacy OS. This is all fine and dandy, but a little cumbersome. The other option is to follow a best practice and have a subordinate CA that is running Server 2003 with Web Enrollment installed. This will allow your legacy Oss to continue functioning happily in a secured environment.
12/08/2008
Correction to paragraph 2
I’ve found some contradictory information. XP/2000/2003 can still use web enroll on a Windows @008 AD CS server. AD CS will detect the legacy operating system and use Xenroll.dll to issue the certificates. One thing to note is that Smart Card enrollment is not support on the legacy applications unless you use one of the other methods mentioned.
Refferenc: http://technet.microsoft.com/en-us/library/cc732517.aspx
Comments