Security tip

For security reasons, it is advisable to configure enrollment agent restrictions on the CA so that only the newly created Enrollment Agent user is permitted to enroll certificates on behalf of other users. To do so, follow the steps below.

  1. Open the Certification Authority snap-in, right-click the name of the CA, and then click Properties.
  2. Click the Enrollment Agents tab, click Restrict enrollment agents, and click OK on the message that appears.
  3. Under Enrollment agents, click Add, type the name of the Enrollment Agent user created in the previous steps, and then click OK. Click Everyone, and then click Remove.
  4. Under Certificate Templates, click Add, select the templates that were created (Prls Enrollment Agent and Prls Smartcard Logon), and then click OK. When you have finished adding the certificate templates, click <All>, and then click Remove.
  5. Under Permissions, click Add, type the names of the users or groups that are expected to log in to the RAS environment using SAML, and then click OK. Click Everyone, and then click Remove.
  6. If you want to block the enrollment agent from managing certificates for other users, computers, or groups, under Permissions, select that user, computer, or group, and then click Deny.
  7. When you have finished configuring enrollment agent restrictions, click OK or Apply.
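The steps above are performed in the GUI, so after applying them it is useful to confirm from the CA host that the restriction actually took effect and that Everyone no longer holds enrollment agent rights. The following PowerShell script is an added example and is not part of the Parallels RAS documentation or product. It assumes (not stated on this page) that the CA stores the restriction as a binary security descriptor in the registry value EnrollmentAgentRights under HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>, that the Active value under the Configuration key names the CA, and that the script runs on the CA host with local administrator rights.

```powershell
# Added example, not from the Parallels RAS documentation.
# Reads the CA's EnrollmentAgentRights security descriptor and reports which
# principals are allowed or denied to act as enrollment agents.
# Assumptions: value name 'EnrollmentAgentRights' and the registry layout
# below; verify against your own CA before relying on this check.

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$caKey  = Join-Path -Path $cfgKey -ChildPath $caName

$raw = (Get-ItemProperty -Path $caKey -Name EnrollmentAgentRights -ErrorAction SilentlyContinue).EnrollmentAgentRights
if (-not $raw) {
    Write-Warning "CA '$caName': EnrollmentAgentRights is not set; enrollment agents are NOT restricted."
    return
}

# Parse the self-relative binary security descriptor with the .NET ACL classes.
$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$raw, 0)

$everyoneSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$everyoneAllowed = $false

foreach ($ace in $sd.DiscretionaryAcl) {
    # Resolve the SID to a friendly name where possible (unresolvable SIDs stay raw).
    $name = try {
        $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $ace.SecurityIdentifier.Value
    }

    [PSCustomObject]@{
        CA        = $caName
        Principal = $name
        AceType   = $ace.AceType        # AccessAllowed / AccessDenied (object ACEs appear as *Object)
        AceClass  = $ace.GetType().Name # CommonAce or ObjectAce
    }

    if ($ace.SecurityIdentifier -eq $everyoneSid -and "$($ace.AceType)" -like 'AccessAllowed*') {
        $everyoneAllowed = $true
    }
}

if ($everyoneAllowed) {
    Write-Warning "CA '$caName': 'Everyone' still holds an Allow entry; step 3 or step 5 above was not completed."
} else {
    Write-Host "CA '$caName': 'Everyone' is not granted enrollment agent rights." -ForegroundColor Green
}
```

Run the script in an elevated PowerShell session on the CA. A missing value means the Restrict enrollment agents option was never enabled; an Allow entry for Everyone means one of the Remove steps was skipped. The exact encoding of the per-template and per-target restrictions inside the ACEs is not documented on this page, so the script only lists the principals and ACE types rather than interpreting the object GUIDs.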

Note: The user or group to which you applied enrollment agent restrictions must hold a valid enrollment agent certificate issued by the CA before they can act as an enrollment agent. This is required regardless of whether restricted enrollment agent permissions have been configured.