3.2.2.1.1.1 Search Requests

The CA SHOULD perform the search requests shown in the following figure.

Figure 3: Retrieving ADConnection handle for reading objects under certificate templates and enrollment services containers

The preceding figure describes the algorithm used for retrieving an ADConnection handle for reading objects under certificate templates and enrollment services containers.

The following steps describe the flow of the preceding figure:

  1. If the CertificateTemplatesAndEnrollmentServices_AD_Connection ADM element is NULL:

    1. Invoke the "Initialize ADConnection" task ([MS-ADTS] section 7.6.1.1) to construct an ADConnection with the following parameters:

      • TaskInputTargetName: NULL

      • TaskInputPortNumber: If the value of the Config_CA_LDAP_Flags datum has the 0x00000001 (LDAPF_SSLENABLE) bit set, use port 636 (LDAP over TLS). Otherwise, use port 389.

        Store the returned ADConnection handle in the ActiveDirectory_Connection variable.

    2. Perform a bind request as specified in section 3.2.2.1.1.2. Store the returned ADConnection handle in the CertificateTemplatesAndEnrollmentServices_AD_Connection ADM element.

  2. Obtain the distinguished name for the Certificate Templates Container (section 2.2.2.11.1) or Enrollment Services Container (section 2.2.2.11.2) as specified in the following steps:

    1. Invoke the "Perform an LDAP Operation on an ADConnection" task ([MS-ADTS] section 7.6.1.6) with the following parameters:

      • TaskInputADConnection: CertificateTemplatesAndEnrollmentServices_AD_Connection

      • TaskInputRequestMessage: LDAP SearchRequest message (see [RFC2251] section 4.5.1) as follows:

        • baseObject: distinguished name of the rootDSE object, as specified in [MS-ADTS] section 3.1.1.3.2.1

        • scope: baseObject

        • filter: (objectCategory=*)

        • attributes: The CA SHOULD use the following attributes:

          • configurationNamingContext

          • defaultNamingContext

        • sizeLimit: 10000

        • timeLimit: 120

        • derefAliases: neverDerefAliases

        • typesOnly: FALSE

      • TaskOutputResultMessage: Upon successful return from the task, this parameter will contain the results of the LDAP search.

    2. If the TaskReturnStatus returned in the previous step is not 0, go to step 4.

    3. If InputContainer is equal to Certificate Templates Container, set ContainerDistinguishedName equal to the concatenation of the "CN=Certificate Templates,CN=Public Key Services,CN=Services," path and the value of the configurationNamingContext attribute from step 2.1. The configurationNamingContext value is itself of the form "CN=Configuration,DC=...", so the CN=Configuration RDN is not repeated in the prefix.

      If InputContainer is equal to Enrollment Services Container, set ContainerDistinguishedName equal to the concatenation of the "CN=Enrollment Services,CN=Public Key Services,CN=Services," path and the value of the configurationNamingContext attribute from step 2.1.

  3. Read all objects under the Certificate Templates Container or Enrollment Services Container as follows: Repeat step 2.1 with the following modifications:

    • baseObject: ContainerDistinguishedName

    • scope: wholeSubtree

    • filter: The CA SHOULD use the following filters:

      • If InputContainer is equal to Certificate Templates Container: (objectCategory=pKICertificateTemplate).

      • If InputContainer is equal to Enrollment Services Container: (&(objectCategory=pKIEnrollmentService)(cn=SomeCA)), where SomeCA is the sanitized name of the CA, as specified in section 3.1.1.4.1.1.

    • attributes: The CA SHOULD use the following attributes:

      • If InputContainer is equal to Certificate Templates Container:

        • cn

        • flags

        • ntSecurityDescriptor

        • revision

        • pKICriticalExtensions

        • pKIDefaultCSPs

        • pKIDefaultKeySpec

        • pKIEnrollmentAccess

        • pKIExpirationPeriod

        • pKIExtendedKeyUsage

        • pKIKeyUsage

        • pKIMaxIssuingDepth

        • pKIOverlapPeriod

        • msPKI-Template-Schema-Version

        • msPKI-Template-Minor-Revision

        • msPKI-RA-Signature

        • msPKI-Minimal-Key-Size

        • msPKI-Cert-Template-OID

        • msPKI-Supersede-Templates

        • msPKI-RA-Policies

        • msPKI-RA-Application-Policies

        • msPKI-Certificate-Policy

        • msPKI-Certificate-Application-Policy

        • msPKI-Enrollment-Flag

        • msPKI-Private-Key-Flag

        • msPKI-Certificate-Name-Flag

      • If InputContainer is equal to Enrollment Services Container:

        • certificateTemplates

        • cn

        • displayName

        • dNSHostName

    • controls: Sequence of two Control structures, as follows:

      • Control

        • controlType: LDAP_SERVER_SD_FLAGS_OID_W (see [MS-ADTS] section 3.1.1.3.4.1.11)

        • criticality: TRUE

        • controlValue:

          Flags: DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION

      • Control

        • controlType: LDAP_SERVER_PERMISSIVE_MODIFY_OID_W (see [MS-ADTS] section 3.1.1.3.4.1.8)

        • criticality: FALSE

    • TaskOutputResultMessage: Upon successful return from the task, this parameter will contain the results of the LDAP search. Set CertificateTemplatesandEnrollmentServicesObjects equal to TaskOutputResultMessage.

  4. If the TaskReturnStatus returned in step 2 is not 0, then:

    1. Invoke the "Perform an LDAP Unbind on an ADConnection" task (see [MS-ADTS] section 7.6.1.5) with the TaskInputADConnection parameter set to CertificateTemplatesAndEnrollmentServices_AD_Connection.

    2. Repeat step 1.1.

    3. Perform steps 1 and 2 in section 3.2.2.1.1.2 with the exception that in step 1, use the following parameters:

      • TaskInputOptionName: LDAP_OPT_GETDSNAME_FLAGS

      • TaskInputOptionValue: Bitwise OR of the bits A, D, and R, as defined in [MS-NRPC] section 3.5.4.3.1.

      If the TaskReturnStatus returned is not 0, convert it to a 4-byte HRESULT value (errors are specified in [MS-ERREF] section 2.1) by performing the processing rules in section 3.2.2.1.7 with the following input parameters:

        • InputReturnStatus: TaskReturnStatus

        • InputResultMessage: TaskOutputResultMessages

      Return the OutputHRESULT output parameter to the client and exit.

    4. Repeat step 3. If the TaskReturnStatus returned is not 0, convert it to a 4-byte HRESULT value (errors are specified in [MS-ERREF] section 2.1) by performing the processing rules in section 3.2.2.1.7 with the following input parameters:

      • InputReturnStatus: TaskReturnStatus

      • InputResultMessage: TaskOutputResultMessages

      Return the OutputHRESULT output parameter to the client and exit.
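The following Python is an added illustration of steps 1 through 3 above; it is not part of [MS-WCCE] and is not the code of any CA implementation. It needs no directory: it produces the request parameters (base DN, scope, filter, attribute list, limits and controls) that each search would carry, including the BER-encoded controlValue of LDAP_SERVER_SD_FLAGS_OID, which the text gives only as a flag set. The rootDSE values and the CA name "contoso-CA" are constructed sample data; the (oid, criticality, value) tuple form of the controls is an assumption about the ldap3 client library rather than anything the specification states; and the RFC 4515 escaping of the CA name in the filter is an added hardening step, not a step of the procedure.

```python
"""Build the LDAP search requests of section 3.2.2.1.1.1 as data (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Bit of Config_CA_LDAP_Flags that selects LDAP over TLS (step 1.1).
LDAPF_SSLENABLE = 0x00000001

# Control OIDs ([MS-ADTS] section 3.1.1.3.4.1).
LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"
LDAP_SERVER_PERMISSIVE_MODIFY_OID = "1.2.840.113556.1.4.1413"

# SECURITY_INFORMATION bits carried in the SD flags control value.
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8  # not requested by the procedure; reading it needs SeSecurityPrivilege

CERTIFICATE_TEMPLATES = "Certificate Templates"
ENROLLMENT_SERVICES = "Enrollment Services"

TEMPLATE_ATTRS = [
    "cn", "flags", "ntSecurityDescriptor", "revision", "pKICriticalExtensions",
    "pKIDefaultCSPs", "pKIDefaultKeySpec", "pKIEnrollmentAccess", "pKIExpirationPeriod",
    "pKIExtendedKeyUsage", "pKIKeyUsage", "pKIMaxIssuingDepth", "pKIOverlapPeriod",
    "msPKI-Template-Schema-Version", "msPKI-Template-Minor-Revision", "msPKI-RA-Signature",
    "msPKI-Minimal-Key-Size", "msPKI-Cert-Template-OID", "msPKI-Supersede-Templates",
    "msPKI-RA-Policies", "msPKI-RA-Application-Policies", "msPKI-Certificate-Policy",
    "msPKI-Certificate-Application-Policy", "msPKI-Enrollment-Flag",
    "msPKI-Private-Key-Flag", "msPKI-Certificate-Name-Flag",
]
ENROLLMENT_ATTRS = ["certificateTemplates", "cn", "displayName", "dNSHostName"]


@dataclass
class SearchRequest:
    """The SearchRequest fields the procedure fixes (RFC 2251 section 4.5.1)."""
    base: str
    scope: str
    filter: str
    attributes: List[str]
    size_limit: int = 10000
    time_limit: int = 120
    deref_aliases: str = "neverDerefAliases"
    types_only: bool = False
    # (oid, criticality, value): assumed tuple form for ldap3's search(controls=...).
    controls: List[Tuple[str, bool, Optional[bytes]]] = field(default_factory=list)


def ldap_port(config_ca_ldap_flags: int) -> int:
    """Step 1.1: 636 when LDAPF_SSLENABLE is set, otherwise 389."""
    return 636 if config_ca_ldap_flags & LDAPF_SSLENABLE else 389


def ber_integer(value: int) -> bytes:
    """DER INTEGER for a small non-negative value (short-form length only)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # leading 0x00 keeps it positive
    assert len(body) < 128
    return b"\x02" + bytes([len(body)]) + body


def sd_flags_control_value(flags: int) -> bytes:
    """controlValue of LDAP_SERVER_SD_FLAGS_OID: SEQUENCE { Flags INTEGER }."""
    inner = ber_integer(flags)
    return b"\x30" + bytes([len(inner)]) + inner


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping (added hardening) so a CA name cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def rootdse_request() -> SearchRequest:
    """Step 2.1: read the naming contexts from the rootDSE (empty base DN)."""
    return SearchRequest(base="", scope="baseObject", filter="(objectCategory=*)",
                         attributes=["configurationNamingContext", "defaultNamingContext"])


def container_dn(container: str, configuration_naming_context: str) -> str:
    """Step 2.3: container DN under CN=Public Key Services of the Configuration NC."""
    return f"CN={container},CN=Public Key Services,CN=Services,{configuration_naming_context}"


def container_request(container: str, configuration_naming_context: str,
                      sanitized_ca_name: Optional[str] = None) -> SearchRequest:
    """Step 3: subtree search carrying the SD flags and permissive modify controls."""
    if container == CERTIFICATE_TEMPLATES:
        ldap_filter = "(objectCategory=pKICertificateTemplate)"
        attrs = TEMPLATE_ATTRS
    elif container == ENROLLMENT_SERVICES:
        if sanitized_ca_name is None:
            raise ValueError("sanitized CA name required for Enrollment Services search")
        ldap_filter = ("(&(objectCategory=pKIEnrollmentService)"
                       f"(cn={escape_filter_value(sanitized_ca_name)}))")
        attrs = ENROLLMENT_ATTRS
    else:
        raise ValueError(f"unknown container {container!r}")
    flags = DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
    controls = [(LDAP_SERVER_SD_FLAGS_OID, True, sd_flags_control_value(flags)),
                (LDAP_SERVER_PERMISSIVE_MODIFY_OID, False, None)]
    return SearchRequest(base=container_dn(container, configuration_naming_context),
                         scope="wholeSubtree", filter=ldap_filter, attributes=list(attrs),
                         controls=controls)


if __name__ == "__main__":
    # Constructed rootDSE reply standing in for the result of step 2.1.
    rootdse = {"configurationNamingContext": "CN=Configuration,DC=contoso,DC=com",
               "defaultNamingContext": "DC=contoso,DC=com"}
    print("port:", ldap_port(LDAPF_SSLENABLE))
    print(container_request(CERTIFICATE_TEMPLATES, rootdse["configurationNamingContext"]))
    print(container_request(ENROLLMENT_SERVICES, rootdse["configurationNamingContext"], "contoso-CA"))
```

Two points worth checking against a real trace: the SD flags controlValue for DACL | OWNER | GROUP is the five bytes 30 03 02 01 07, and the SACL bit is absent, which is why the search succeeds for a bind that does not hold SeSecurityPrivilege. The retry path of step 4 (unbind, reconnect with LDAP_OPT_GETDSNAME_FLAGS, and HRESULT conversion per section 3.2.2.1.7) is not modelled here.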