This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Is there any guidance in regards to whether a Windows Server 2019 Bastion forest should be issued certificates from the Windows Server 2019 Production forest for a on premise solution? I have searched and cannot find any answers to this question. Any advice would be appreciated.
Hey @RedWhiteBlack ,
The best practice here I believe would be to deploy a separate PKI solution in the Bastion forest. This means the Bastion environment won't be impacted if the PKI in the Corporate forest is compromised.
Hope this helps.
Hi Tom, thank you for your reply. Appreciated.
Hi Daisy,
Thank you. Just some feedback, it would be good if there was a "PKI" tag that could be attached to PKI questions rather than having to tag them as "windows server". When we still had technet social, Brian Komar, Mark Cooper, vadmins and other PKI experts would be very nice and get back to you fairly promptly. Which was always appreciated by the community.
What you have said wouln't maintain logical separation as the bastion PRIV forest needs to provide its own services and not be reliant on the CORP forest. However it would be really appreciated if one of your PKI experts, could clarify this issue definitively.
Kind Regards
Hello @RedWhiteBlack ,
Thank you for your feedback.
There is no PKI tag now, for questions related to PKI, we usually use Windows-server-security tag.
We hope the experts from PKI can provide some useful information for you.
Thank you for your understand and support.
Best Regards,
Daisy Zhou
Hello @RedWhiteBlack ,
Thank you for your update.
Does that logical separation extend to PKI as well? Or can cross forest certificates be used without breaking the bastion model?
For cross forest certificates:
If there is two-way trust relationship between two forests, we can set up Cross-Forest Certificate Enrollment.
For more information we can refer to link below.
AD CS: Deploying Cross-forest Certificate Enrollment
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff955845(v=ws.10)
If there is no two-way trust relationship between two forests, we can set up Cross-Forest Certificate Enrollment.
For more information we can refer to link below.
Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services
https://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx
Hope the information above is helpful.
Best Regards,
Daisy Zhou
Hello Daisy,
The technical implementation isn't the issue i am aware of those guides but thank you for taking the time to post them. The issue specifically is "Can we use the CORP forest PKI to provide certificates to the PRIV (bastion) forest without breaking the logical separation of the bastion?"
I am struggling to find any written guidance from Microsoft on this specific point, hence posting my question here.
Hello @RedWhiteBlack ,
Thank you for your update.
Would you please tell us the meaning of "the logical separation of the bastion"?
Best Regards,
Daisy Zhou
Hello Daisy,
Look at your documentation: https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment and the section on "Maintain logical seperation".
Hello @RedWhiteBlack ,
Thank you for your update.
I am sorry, I am not the expert about "Microsoft Identity Manager Privileged Access Management for Active Directory Domain Services", and I add the tag "Microsoft Identity Manager" in the post, we hope the expert from Microsoft Identity Manager team can provide some useful information and suggest for you.
Thank you for your understand and support.
Best Regards,
Daisy Zhou
Hi Daisy, i understand, though if there are any PKI tags that can be added to the post that maybe more helpful as a PKI expert maybe able to answer.
Hello @RedWhiteBlack ,
Thank you for your update.
Based on my knowledge, we can use the CORP forest PKI to provide certificates to the PRIV (bastion) forest without breaking the logical separation of the bastion.
And the PKI tag is also kept, we hope the experts from PKI can also provide some useful information and suggest for you.
Thank you for your understand and support.
Best Regards,
Daisy Zhou
Hello @RedWhiteBlack ,
Thank you for posting here.
Based on the description, I understand you have PKI in your Production forest.
1.Would you please describe the meaning of the "Bastion Forest" in your case, so that we can help you better?
2.What is the relationship between Bastion Forest and Production forest?
3.Do they ahve any trust relationship?
Here we can see a bastion environment planing.
Planning a bastion environment
https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
Hello Daisy,
We are following the planning bastion environment guide that you have referenced. To answer your questions;
We have not deployed the environment as yet, as we are in the planning and development stage. However the planning document you listed states that there should be logical separation between CORP and PRIV forest i.e. "The bastion environment must contain its own Active Directory Domain Services, providing Kerberos and LDAP, DNS, time and time services, to the bastion environment."
Does that logical separation extend to PKI as well? Or can cross forest certificates be used without breaking the bastion model?
Hello @Tom Houston ,
Thank you for your suggestion.
Hope more experts from PKI can provide more useful information.
Best Regards,
Daisy Zhou