Question
Sunday, November 8, 2009 10:14 AM
There are three custom request attributes found on requests in the Certificate Services CA. They are the CDC, RMD and CCM.
What are their exact meanings? The CDC looks like being the identity-validating DC, but the RMD and CCM are equally set to the name of the computer from which the request was submitted.
And what is their relevance? Are they guaranteed to be authenticated, so that the certificate manager could rely on them and be sure the authority validates their values by some form of authentication?
thank you
ondrej.
All replies (3)
Tuesday, November 10, 2009 2:14 AM ✅Answered | 1 vote
Hi,
CDC (Client DC name): The client SHOULD use this value to pass an Active Directory server FQDN for the CA to use in case the end entity's information cannot be obtained.
RMD (Request Machine DNS name): The client SHOULD use this value to identify the exact FQDN of the machine object associated with the request.
CDC and RMD are used by the policy module (if it is so configured). If a machine certificate request is submitted, and the AD machine account cannot be found in the AD replica, or if the AD object's machine DNS name attribute doesn't match the RMD value, then the policy module will refer to the CDC value, and contact that DC in the hope of getting more up-to-date information. In the case of a new machine account or a DNS name change, replication may not have reached the AD replica used by the CA, so the client's DC is the best source of accurate information. This feature significantly reduces the number of failed requests due to incomplete replication.
CCM (Cert Client Machine): set to the DNS name of the machine submitting the request to the CA via ICertRequest::Submit in certcli.dll.
Reference:
3.1.1.5.2.1.1 New Certificate Request Using PKCS #10 Request Format
http://msdn.microsoft.com/en-us/library/cc249729(PROT.10).aspx
Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact [email protected]
This posting is provided "AS IS" with no warranties, and confers no rights.
Wednesday, January 9, 2013 9:36 AM
I think these values (RMD and CCM) are relevant to my problem; posted here (http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/da890a64-736e-4bae-b9d8-427a5cf3a0ed)
("DNS name does not exist")
I have done some DNS testing with dcdiag etc., but found only irrelevant information.
Since some certificates are still being issued, I cannot really determine where the problem is.
In a request that failed cdc=dc.domain.com, rmd=<computername>, ccm=<computername>
DNS name of the AD object is computername.domain.com (pre-Windows 2000 is <computername>)
If I look at Failed Requests and a request for my computer template, in "Extensions" and Request Extensions the field "Subject Alternative Name" is not present. On the successfully issued certificates the SAN field is populated with the DNS Name as my template is set to. Why does this differ from computer to computer?
It has nothing to do with which cdc handles the request. All three DCs are involved.
Is the policy module sending the wrong rmd or ccm in the request? Shouldn't it send fqdn with the request?
Is it related to dns suffix on the computers?
What really confuses me is that it is working on some clients ~10%. Leaving the domain and removing the object seems to solve the problem, but this isn't something I am willing to do with ~500 client computers. :(
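An added example, not code from the thread's participants or from Microsoft's tooling, that turns the accepted answer's description of CDC/RMD/CCM and the failed-request attributes quoted in the post above into a check a CA administrator could run over rows exported from the CA database. The "name=value" attribute strings, the request IDs and the AD_DNS_HOST_NAMES table are constructed stand-ins; a real export (for example from certutil -view) would need its own parsing, and the attribute-name spellings are assumed to be the lower-case cdc/rmd/ccm shown in the post. Because the submitting client fills in these attributes itself (the answer notes CCM is set by certcli.dll on the requesting machine), the check treats them as untrusted input and compares RMD with the computer object's dNSHostName, which is the comparison the policy module makes, instead of believing the request on its own.

```python
# Added example: audit CA request attributes (cdc/rmd/ccm) against AD host names.
# Sample data below is constructed for the example and is not from any real CA.

# Constructed rows in the "cdc=..., rmd=..., ccm=..." form quoted in the thread.
SAMPLE_REQUESTS = [
    {"request_id": 101, "attributes": "cdc=dc1.domain.com, rmd=pc01.domain.com, ccm=pc01.domain.com"},
    {"request_id": 102, "attributes": "cdc=dc2.domain.com, rmd=PC02, ccm=PC02"},
    {"request_id": 103, "attributes": "cdc=dc1.domain.com, rmd=pc03.domain.com, ccm=other.domain.com"},
    {"request_id": 104, "attributes": "cdc=dc1.domain.com"},
    {"request_id": 105, "attributes": "cdc=dc1.domain.com, rmd=pc09.domain.com, ccm=pc09.domain.com"},
]

# Constructed stand-in for the dNSHostName attribute of the computer objects the CA
# would find in its AD replica, keyed by lower-cased short host name.
AD_DNS_HOST_NAMES = {
    "pc01": "pc01.domain.com",
    "pc02": "pc02.domain.com",
    "pc03": "pc03.domain.com",
}


def parse_request_attributes(text):
    """Split 'name=value, name=value' into a dict with lower-cased names.

    Values are stripped of surrounding whitespace; a name listed twice keeps
    its last value. Parts without '=' are ignored.
    """
    attrs = {}
    for part in text.split(","):
        name, sep, value = part.partition("=")
        if sep:
            attrs[name.strip().lower()] = value.strip()
    return attrs


def short_host(name):
    """DNS names are case-insensitive; key on the lower-cased first label."""
    return name.split(".")[0].lower()


def check_request(request, ad_names=AD_DNS_HOST_NAMES):
    """Return the findings for one request row, in a fixed order.

    RMD and CCM come from the requesting client, so they are compared with the
    directory's dNSHostName rather than trusted as-is.
    """
    findings = []
    attrs = parse_request_attributes(request["attributes"])
    rmd = attrs.get("rmd")
    ccm = attrs.get("ccm")
    if not rmd or not ccm:
        return ["missing-attributes"]
    # The symptom from the thread: rmd is a bare NetBIOS-style name, not an FQDN,
    # so it can never equal the object's dNSHostName.
    if "." not in rmd:
        findings.append("rmd-short-name")
    expected = ad_names.get(short_host(rmd))
    if expected is None:
        # No computer object in the replica: the policy module would fall back to
        # the DC named in cdc to look for a newer copy.
        findings.append("no-ad-object")
    elif rmd.lower() != expected.lower():
        findings.append("rmd-ad-mismatch")
    # rmd and ccm are both supposed to name the submitting machine.
    if rmd.lower() != ccm.lower():
        findings.append("rmd-ccm-mismatch")
    return findings


def audit(requests=SAMPLE_REQUESTS, ad_names=AD_DNS_HOST_NAMES):
    """Map request_id -> findings for every row that has at least one finding."""
    report = {}
    for req in requests:
        findings = check_request(req, ad_names)
        if findings:
            report[req["request_id"]] = findings
    return report


if __name__ == "__main__":
    for request_id, findings in audit().items():
        print(f"request {request_id}: {', '.join(findings)}")
```

Rows that come back clean are the ones where the client sent the machine's FQDN in both rmd and ccm and that FQDN matches the computer object; the "rmd-short-name" finding reproduces the failed-request pattern quoted above, where rmd holds only the short computer name while the AD object's DNS name is computername.domain.com.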
Thursday, December 26, 2013 6:45 PM
still looking for an answer to this issue, as I also seem to have something similar going on...
Thanks!