

Two or Three Tier

Question

Monday, May 23, 2011 2:43 PM

What are the main reasons for having a Three Tier architecture? What would be the design questions that I would need to ask myself in order to make a decision on 2 versus 3 tiers?

Thanks,

Paul

All replies (6)

Monday, June 6, 2011 9:17 AM ✅Answered

On Mon, 6 Jun 2011 05:10:49 +0000, krymer wrote:

> Three Tier Architecture offers highest security when compared to Two Tier Architecture

Contrary to what some Microsoft documentation asserts, this simply isn't
the case.

The only time one really needs a 3 tier infrastructure is when for whatever
reason, one needs to assert two or more radically different sets of policy.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Maybe Computer Science should be in the College of Theology.  -- R. S. Barton


Monday, June 6, 2011 5:10 AM

Three Tier Architecture offers highest security when compared to Two Tier Architecture


Monday, June 6, 2011 7:36 PM

Paul is quite correct, I'd advise you work on the premise of a two-tier PKI unless you have a very clear requirement that dictates you deploy three tiers.

Furthermore, some of the Microsoft documentation has been updated to reflect the more pragmatic approach.

“Designing a three-tier hierarchy with intermediate CAs increases the complexity of the environment.  Requirements to implement different policies can be implemented in a two-tier hierarchy with additional Issuing CAs.  The Windows Server product group states that there are no scale limitations that require a middle tier, so avoid using intermediate CAs unless there is a compelling business reason for doing so.”

Scraped from the ADCS Infrastructure Planning and Design Guide at: http://technet.microsoft.com/en-us/library/ff630887.aspx

Dave


Tuesday, June 7, 2011 2:57 AM

I get called in to fix the Two-Tier PKI infrastructure and implement Three-Tier PKI infrastructure. Thanks.


Tuesday, June 7, 2011 8:48 AM | 1 vote

On Tue, 7 Jun 2011 02:57:35 +0000, krymer wrote:

> I get called in to fix the Two-Tier PKI infrastructure and implement Three-Tier PKI infrastructure.

Properly implemented, there is nothing to fix when a two tier PKI is
implemented. Your statement about a three tier being inherently more secure
than a two tier is simply factually incorrect.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Those who can't write, write help files.


Tuesday, January 22, 2013 12:43 PM

One of the reasons is to have the root offline, another involves the different kinds of certificates that you might use in an enterprise (e.g. identity, signing, device, encryption) and another is the policy of relying parties and other requirements for federation.  Start with the requirements and the impact on or the existing policies.  As pointed out below a policy requirement and different object identifiers (if anyone really uses them) can drive this.
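The point made in Dave's quoted guidance and in the reply above (an offline root, with separate issuing CAs carrying different policies, needs no middle tier) can be demonstrated with a small lab hierarchy. The script below is an added example written for this thread; it is not from the thread, from Microsoft's guide, or from ADCS, and it uses the openssl CLI (1.1.1 or later) rather than a Windows CA so it runs anywhere. All CA names, the two policy OIDs under 1.3.6.1.4.1.99999, and the temporary working directory are constructed placeholders. The root is issued with pathlen:1 and each issuing CA with pathlen:0, so a leaf signed directly by an issuing CA validates, while a leaf signed by an unplanned third-tier CA is rejected during path validation.

```shell
#!/bin/sh
# Added example (not from the thread): a two-tier PKI where policy separation is
# done with one issuing CA per policy instead of a middle tier. Requires openssl
# 1.1.1+. Names and OIDs under 1.3.6.1.4.1.99999 are constructed placeholders.
set -e
PKI_DIR=$(mktemp -d)

# Run a command quietly; set -e still stops the script if it fails.
q() { "$@" >/dev/null 2>&1; }

# Offline root: pathlen:1 allows exactly one CA tier beneath it.
make_root() {
  q openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$PKI_DIR/root.key" -out "$PKI_DIR/root.csr" -subj "/CN=Example Root CA"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:1' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$PKI_DIR/root.ext"
  q openssl x509 -req -in "$PKI_DIR/root.csr" -signkey "$PKI_DIR/root.key" \
    -days 3650 -sha256 -extfile "$PKI_DIR/root.ext" -out "$PKI_DIR/root.crt"
}

# A CA signed by $1, named $2, asserting policy OID $3. pathlen:0 means it may
# sign end-entity certificates only.
make_ca() {
  q openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$PKI_DIR/$2.key" -out "$PKI_DIR/$2.csr" -subj "/CN=$2"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' "certificatePolicies=$3" > "$PKI_DIR/$2.ext"
  q openssl x509 -req -in "$PKI_DIR/$2.csr" -CA "$PKI_DIR/$1.crt" -CAkey "$PKI_DIR/$1.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$PKI_DIR/$2.ext" -out "$PKI_DIR/$2.crt"
}

# An end-entity certificate named $2 signed by CA $1.
make_leaf() {
  q openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$PKI_DIR/$2.key" -out "$PKI_DIR/$2.csr" -subj "/CN=$2"
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature' > "$PKI_DIR/$2.ext"
  q openssl x509 -req -in "$PKI_DIR/$2.csr" -CA "$PKI_DIR/$1.crt" -CAkey "$PKI_DIR/$1.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$PKI_DIR/$2.ext" -out "$PKI_DIR/$2.crt"
}

# Exit status 0 when leaf $2 chains to the root through the untrusted cert(s) in $1.crt.
verify_leaf() {
  openssl verify -CAfile "$PKI_DIR/root.crt" -untrusted "$PKI_DIR/$1.crt" \
    "$PKI_DIR/$2.crt" >/dev/null 2>&1
}

# Print the first certificatePolicies OID carried by certificate $1.
policy_oid() {
  openssl x509 -in "$PKI_DIR/$1.crt" -noout -ext certificatePolicies 2>/dev/null \
    | awk '/Policy:/ { print $2; exit }'
}

make_root
make_ca root issuing-users   1.3.6.1.4.1.99999.1   # e.g. identity certificates
make_ca root issuing-devices 1.3.6.1.4.1.99999.2   # e.g. device certificates
make_leaf issuing-users   user1
make_leaf issuing-devices device1

# What an unplanned middle tier looks like: an issuing CA signs a further CA.
# Signing succeeds (x509 -req does not enforce constraints), but path validation
# rejects anything below it because both pathlen limits are exceeded.
make_ca issuing-users sub-ca 1.3.6.1.4.1.99999.1
make_leaf sub-ca user2
cat "$PKI_DIR/issuing-users.crt" "$PKI_DIR/sub-ca.crt" > "$PKI_DIR/rogue-chain.crt"

verify_leaf issuing-users user1 && echo "user1: chain OK, policy $(policy_oid issuing-users)"
verify_leaf issuing-devices device1 && echo "device1: chain OK, policy $(policy_oid issuing-devices)"
verify_leaf rogue-chain user2 || echo "user2: rejected (path length constraint exceeded)"
```

The same separation is what the quoted guide means by "additional Issuing CAs": each issuing CA carries its own policy OID and is constrained to end-entity issuance, and the root's pathlen:1 is what keeps the hierarchy at two tiers. A relying party that needs to accept only one policy can then pin to that issuing CA or match on the OID without any intermediate tier being involved.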