Here's random stuff related to what I am working on or interested in during my work day or in my personal life. I'm a nerd. The content will be nerdy.
Monday, August 7, 2017
Copying the NTAuth Enterprise store certificates from one Forest to another
The enterprise NTAuth store is a key Active Directory configuration item. It is key to allowing user to login with smartcards. When using PKI cross forest, we usually use the PKISync.ps1 script to lihnk the two forests PKI configurations. This script is designed to allow cross forest certificate enrollment, wich it does well. It does not cover the NTAuth config for smartcards. This seems to get missed a lot. Below is a two liner to copy the NTAuth in one forest to another, assuming the NTAuth object exists and just needs to be populated. $caLIst = (Get-ADObject -SearchBase "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain1,DC=com" -SearchScope Base -Filter * -Properties * -Server domain1.com).cACertificate foreach($ca in $caLIst) {Set-ADObject "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain2,DC=com" -add @{cacertificate=$ca}}
No comments:
Post a Comment