Revisiting the Old to Learn the New
Not much to say about the process itself because it went very smoothly, but just like last year, CBA (certificate-based authentication) was the biggest hurdle. While re-reading the article I spotted the most important detail: the certificate's Subject must contain the user's e-mail address, or the certificate's SAN must contain the user's UPN.
Skip this part and IIS returns error 403.7 (Forbidden: client certificate required).
Prerequisites:
You need access to a CA for client certificates. This can be a public CA solution, individual certificates from a vendor, or an Active Directory Certificate Services solution. Regardless, the following requirements must be met:
- The user certificate must be issued for client authentication. The default User template from an AD CS server will work in this scenario.
- The User Principal Name (UPN) for each user account must match the Subject Name field in the user’s certificate.
- All servers must trust the entire CA trust chain. This chain includes the root CA certificate and any intermediate CA certificates. These certificates should be installed on all servers that may require them, including (but not limited to) the ISA/TMG/UAG server(s) and the Client Access Server (CAS).
- The root CA certificate must be in the Trusted Root Certification Authorities store, and any intermediate CA certificates in the Intermediate Certification Authorities store on all of these systems. The root CA certificate and intermediate CA certificates must also be installed on the EAS device.
- The user's certificate must be associated with the user's account in Active Directory.
Reference URL
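The checks below are an added example, not code from the original post or from the referenced article. They test an exported user certificate against the prerequisites above on the server side: client-authentication EKU, UPN in the SAN or e-mail in the Subject matching the account, and a chain that builds from the local trust stores. The certificate path and the expected UPN are placeholders; the Active Directory lookup only runs if the ActiveDirectory module is present.

```powershell
# Added example (not from the original post): check a user certificate against the
# EAS certificate-based-authentication prerequisites listed above.
# Assumptions: the certificate is exported to C:\temp\user.cer and the expected
# UPN is passed in; both values are placeholders chosen for this example.
param(
    [string]$CertPath    = 'C:\temp\user.cer',
    [string]$ExpectedUpn = 'alice@contoso.com'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$problems = @()

# 1. Issued for client authentication: EKU must contain 1.3.6.1.5.5.7.3.2.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = $false
if ($eku) {
    $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
}
if (-not $hasClientAuth) { $problems += 'EKU does not include Client Authentication (1.3.6.1.5.5.7.3.2)' }

# 2. UPN in the SAN (otherName principalName) or e-mail in the Subject must match the account.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanUpn = $null
if ($sanExt) {
    # Format() renders the SAN as text, e.g. "Other Name:`r`n     Principal Name=alice@contoso.com".
    # The label text is locale dependent; this regex targets the English rendering.
    if ($sanExt.Format($true) -match 'Principal Name=([^\s,]+)') { $sanUpn = $Matches[1] }
}
$subjectMail = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)

$identityOk = ($sanUpn -and ($sanUpn -ieq $ExpectedUpn)) -or ($subjectMail -and ($subjectMail -ieq $ExpectedUpn))
if (-not $identityOk) {
    $problems += "Neither SAN UPN ('$sanUpn') nor Subject e-mail ('$subjectMail') matches '$ExpectedUpn'"
}

# 3. The whole chain (root + intermediates) must build from this server's trust stores.
#    Revocation is skipped here so the test is about trust, not CRL reachability.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $problems += "Chain does not build on this host: $status"
}

# 4. Optional: confirm an AD account actually carries that UPN (needs the ActiveDirectory module).
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$ExpectedUpn'" -ErrorAction SilentlyContinue
    if (-not $user) { $problems += "No AD user with UserPrincipalName '$ExpectedUpn'" }
}

if ($problems.Count -eq 0) {
    "OK: $($cert.Subject) satisfies the EAS CBA prerequisites on this host"
} else {
    "FAIL for $($cert.Subject):"
    $problems | ForEach-Object { " - $_" }
}
```

Run it on the CAS (or the ISA/TMG/UAG box) as `.\Test-EasCert.ps1 -CertPath C:\temp\user.cer -ExpectedUpn alice@contoso.com`; a chain failure there is the usual cause of the 403.7 mentioned above, since the checks mirror what IIS needs before it will map the certificate. The script does not look at the device side, so the root and intermediate certificates still have to be verified on the EAS device separately.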