2.5.2 Determining Autoenrollment Permission of an End Entity for a Template

The following processing rules determine whether an end entity has autoenrollment permission on a certificate template.

Input Parameters:

  • Template_ntSecurityDescriptor: The ntSecurityDescriptor attribute of the input template.

  • Requester_SID: Contains the SID ([MS-DTYP] section 2.4.2) of the end entity.

Output Parameter: A Boolean value, either TRUE or FALSE.

Processing Rules:

An entity (Active Directory user or group) has AutoEnroll permission, and the output parameter is set to TRUE, if the DACL of the input parameter Template_ntSecurityDescriptor contains an ACE that satisfies either of the following sets of characteristics:

It has an object allowed ACE that satisfies all of the following conditions:

  • The Requester_SID input parameter is identical to the SID associated with this ACE.

  • The AceType field of the ACE_HEADER structure ([MS-DTYP] section 2.4.4.1) is ACCESS_ALLOWED_OBJECT_ACE_TYPE. This implies that it is an ACCESS_ALLOWED_OBJECT_ACE structure ([MS-DTYP] section 2.4.4.3).

  • The Mask field of the ACCESS_ALLOWED_OBJECT_ACE structure MUST have the bits set as specified by the X in the following diagram.

    [Bit diagram: the 32-bit Mask field, bits numbered 0 through 31, with an X marking the bit that MUST be set.]

  • The ObjectType field of the ACCESS_ALLOWED_OBJECT_ACE structure MUST be identical to the AutoEnroll GUID in the following table.

Or,

It has an allowed ACE that satisfies all of the following conditions:

  • The Requester_SID input parameter is identical to the SID associated with this ACE.

  • The AceType field of the ACE_HEADER structure ([MS-DTYP] section 2.4.4.1) is ACCESS_ALLOWED_ACE_TYPE. This implies that it is an ACCESS_ALLOWED_ACE structure ([MS-DTYP] section 2.4.4.2).

  • The Mask field of the ACCESS_ALLOWED_ACE structure MUST have the bits set as specified by the X in the following diagram.

    [Bit diagram: the 32-bit Mask field, bits numbered 0 through 31, with an X marking the bit that MUST be set.]

An entity is denied AutoEnroll permissions if the DACL of the security descriptor that is stored in input parameter Template_ntSecurityDescriptor has the same ACE as previously described except that the AceType field is set to ACCESS_DENIED_OBJECT_ACE_TYPE.

The following table lists the predefined GUIDs for the ObjectType field of these ACCESS_ALLOWED_OBJECT_ACE structures.

  Rights and GUID                                Permission
  CR; 0e10c968-78fb-11d2-90d4-00c04f79dc55       Enroll
  CR; a05b8cc2-17bc-4802-a710-e7c15ab866a2       AutoEnroll
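The processing rules above, implemented in Python as an added example (not code from [MS-CRTD] or any Microsoft implementation). It assumes the bit marked X in the Mask diagrams is the control-access right shown as "CR" in the GUID table (RIGHT_DS_CONTROL_ACCESS, 0x00000100), uses constructed SIDs and ACEs, and generalizes the single Requester_SID input to the set of SIDs the requester holds so that group-granted autoenrollment is evaluated as well.

```python
from dataclasses import dataclass

# AceType values from [MS-DTYP] section 2.4.4.1.
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
# Assumption: the bit marked X in the Mask diagrams is the control-access
# right shown as "CR" in the GUID table, RIGHT_DS_CONTROL_ACCESS = 0x00000100.
RIGHT_DS_CONTROL_ACCESS = 0x00000100
ENROLL_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
AUTOENROLL_GUID = "a05b8cc2-17bc-4802-a710-e7c15ab866a2"

@dataclass
class Ace:
    ace_type: int
    sid: str  # trustee SID in string form
    mask: int  # ACCESS_MASK
    object_type: str = ""  # ObjectType GUID; present on object ACEs only

def _ace_matches(ace, requester_sids, ace_types):
    # Conditions shared by the two allow rules and the deny rule of section 2.5.2.
    if ace.ace_type not in ace_types or ace.sid not in requester_sids:
        return False
    if not ace.mask & RIGHT_DS_CONTROL_ACCESS:
        return False
    if ace.ace_type == ACCESS_ALLOWED_ACE_TYPE:
        return True  # plain allow ACE carries no ObjectType to check
    return ace.object_type.lower() == AUTOENROLL_GUID

def has_autoenroll(dacl, requester_sids):
    """TRUE if an allow ACE grants AutoEnroll to one of requester_sids and no
    ACCESS_DENIED_OBJECT_ACE for the AutoEnroll GUID matches those SIDs."""
    sids = set(requester_sids)
    if any(_ace_matches(a, sids, (ACCESS_DENIED_OBJECT_ACE_TYPE,)) for a in dacl):
        return False
    allow = (ACCESS_ALLOWED_ACE_TYPE, ACCESS_ALLOWED_OBJECT_ACE_TYPE)
    return any(_ace_matches(a, sids, allow) for a in dacl)

# Constructed sample DACL; the SIDs are invented, not from any real domain.
DOMAIN_USERS = "S-1-5-21-1000-2000-3000-513"
USER = "S-1-5-21-1000-2000-3000-%d"
SAMPLE_DACL = [
    Ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, DOMAIN_USERS, 0x100, ENROLL_GUID),
    Ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, DOMAIN_USERS, 0x100, AUTOENROLL_GUID),
    Ace(ACCESS_DENIED_OBJECT_ACE_TYPE, USER % 1105, 0x100, AUTOENROLL_GUID),
    Ace(ACCESS_ALLOWED_ACE_TYPE, USER % 1106, 0x100),  # non-object allow ACE
    Ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, USER % 1107, 0x20, AUTOENROLL_GUID),  # CR clear
]
```

Note that an ACE carrying only the Enroll GUID never satisfies the AutoEnroll rule, and a CR grant whose ObjectType is absent on a non-object ACE does, which is why reviewing template DACLs for broad non-object control-access grants is worthwhile.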