2.5.1 Determining Enrollment Permission of an End Entity for a Template

The following processing rules determine whether an end entity has enrollment permission on a certificate template. The protocol behavior for these permissions is specified in [MS-WCCE] section 3.2.2.6.2.1.4.3 Verify End Entity Permissions.

Input Parameters:

  • Requester_SID: the SID of the end entity (Active Directory user or group) whose enrollment permission is being determined.

  • Template_ntSecurityDescriptor: the security descriptor stored on the certificate template, whose DACL is evaluated.

Output Parameter: This parameter can be either TRUE or FALSE.

Processing Rules:

An entity (Active Directory user or group) has enrollment permission, and the output parameter is set to TRUE, if the DACL of the security descriptor that is stored in the input parameter Template_ntSecurityDescriptor contains an ACE that satisfies either one of the following sets of characteristics:

It has an object allowed ACE ([MS-DTYP] section 2.4.4.3) that satisfies all the following conditions:

  • The Requester_SID input parameter is identical to the SID associated with this ACE.

  • The AceType field of the ACE_HEADER structure ([MS-DTYP] section 2.4.4.1) is ACCESS_ALLOWED_OBJECT_ACE_TYPE (0x05). This implies that it is an ACCESS_ALLOWED_OBJECT_ACE structure ([MS-DTYP] section 2.4.4.3).

  • The Mask field of the ACCESS_ALLOWED_OBJECT_ACE structure MUST have the bits set as specified by the X in the following diagram.


    0


    1


    2


    3


    4


    5


    6


    7


    8


    9

    1
    0


    1


    2


    3


    4


    5


    6


    7


    8


    9

    2
    0


    1


    2


    3


    4


    5


    6


    7


    8


    9

    3
    0


    1

    X

  • The ObjectType field of the ACCESS_ALLOWED_OBJECT_ACE structure MUST be identical to the Enroll GUID in the following table.

Or,

It has an allowed ACE that satisfies all the following conditions:

  • The Requester_SID input parameter is identical to the SID associated with this ACE.

  • The AceType field of the ACE_HEADER structure ([MS-DTYP] section 2.4.4.1) is ACCESS_ALLOWED_ACE_TYPE. This implies that it is an ACCESS_ALLOWED_ACE structure ([MS-DTYP] section 2.4.4.2).

  • The Mask field of the ACCESS_ALLOWED_ACE structure MUST have the bits set as specified by the X in the following diagram.


    0


    1


    2


    3


    4


    5


    6


    7


    8


    9

    1
    0


    1


    2


    3


    4


    5


    6


    7


    8


    9

    2
    0


    1


    2


    3


    4


    5


    6


    7


    8


    9

    3
    0


    1

    X

An entity is denied enrollment permission if the DACL of the security descriptor that is stored in the input parameter Template_ntSecurityDescriptor contains the ACE described above, except that its AceType field is set to ACCESS_DENIED_OBJECT_ACE_TYPE (0x06).
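As an added illustration (not part of [MS-CRTD] or [MS-WCCE]), the following Python applies the two characteristic sets and the deny case above to a constructed DACL. It assumes the Enroll GUID is the well-known extended right 0e10c968-78fb-11d2-90d4-00c04f79dc55, takes the bit marked X in the Mask diagrams to be the control-access right 0x100 (passed as a parameter, since the diagrams are not reproduced on this page), represents the requester by its user SID together with its group SIDs rather than a single Requester_SID, and lets a matching deny ACE override any allow.

```python
from dataclasses import dataclass

ACCESS_ALLOWED_ACE_TYPE = 0x00         # [MS-DTYP] 2.4.4.2
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05  # [MS-DTYP] 2.4.4.3
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06

# Assumed values: the section's Enroll-GUID table and Mask diagram are not
# reproduced on this page. Enroll is the well-known extended right below; the
# bit tested for is the control-access right (0x100), kept as a parameter.
ENROLL_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
RIGHT_DS_CONTROL_ACCESS = 0x00000100

@dataclass(frozen=True)
class Ace:
    ace_type: int
    sid: str                 # trustee SID the ACE applies to
    mask: int                # ACCESS_MASK
    object_type: str = ""    # ObjectType GUID; empty for non-object ACEs

    def is_enroll_object(self) -> bool:
        return self.object_type.lower() == ENROLL_GUID

def has_enroll_permission(dacl, requester_sids, required_mask=RIGHT_DS_CONTROL_ACCESS):
    """Output parameter of 2.5.1; requester_sids is the user SID plus its group SIDs."""
    sids = {s.upper() for s in requester_sids}
    allowed = False
    for ace in dacl:
        if ace.sid.upper() not in sids or (ace.mask & required_mask) != required_mask:
            continue  # ACE is for another trustee or lacks the X-marked bit(s)
        if ace.ace_type == ACCESS_DENIED_OBJECT_ACE_TYPE and ace.is_enroll_object():
            return False  # matching deny ACE: the entity is denied enrollment
        if ace.ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE and ace.is_enroll_object():
            allowed = True  # first set: object ACE scoped to the Enroll GUID
        elif ace.ace_type == ACCESS_ALLOWED_ACE_TYPE:
            allowed = True  # second set: plain ACCESS_ALLOWED_ACE
    return allowed

# Constructed sample DACL; SIDs and OTHER_GUID are placeholders, not from a real domain.
ADMINS, USER_A = "S-1-5-21-111-222-333-512", "S-1-5-21-111-222-333-1105"
USER_B, USER_C = "S-1-5-21-111-222-333-1106", "S-1-5-21-111-222-333-1107"
OTHER_GUID = "00000000-0000-0000-0000-000000000001"
SAMPLE_DACL = [
    Ace(ACCESS_DENIED_OBJECT_ACE_TYPE, USER_A, 0x100, ENROLL_GUID),
    Ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, ADMINS, 0x100, ENROLL_GUID),
    Ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, "S-1-5-11", 0x100, OTHER_GUID),  # other right
    Ace(ACCESS_ALLOWED_ACE_TYPE, USER_B, 0x000F01FF),                      # non-object allow
    Ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, USER_C, 0x010, ENROLL_GUID),       # required bit clear
]
```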