Enabling ActiveX Controls

The Certificate Services Web Enrollment site must be defined as a Local intranet site for all computers in the forest. This allows the automatic passing of authentication credentials to the CA by using Windows Integrated authentication. In addition, the download settings for ActiveX controls must be modified to allow the activation and use of required ActiveX controls.

Note: For smart card deployment, the ActiveX control settings are required only at the smart card enrollment station. However, if you plan to use the Certificate Services Web Enrollment pages for other certificate distribution, it is recommended that you define the Certificate Services Web Enrollment site as a Local intranet site at all computers in the forest.

The following process defines the Local intranet Web sites:

1. Log on to a Windows XP or Windows 2000 computer as a user who can define Group Policy settings.

2. Open Internet Explorer.

3. From the Tools menu, click Internet Options.

4. Click the Security tab.

5. Click Local Intranet and click Sites.

6. In the Local Intranet dialog box, click Advanced.

7. In the Local Intranet dialog box, add the following Web sites for each network:

■ http://*.company.com (where company.com is the DNS namespace used within your organization).

■ https://*.company.com (where company.com is the DNS namespace used within your organization).

8. In the Local Intranet dialog box, click OK.

9. In the Local Intranet dialog box, click OK.

10. In the Internet Options dialog box, ensure that Local Intranet is selected and click Custom Level.

11. In the Security Settings dialog box, adjust the following settings (leave all other options at their current settings):

■ Download signed ActiveX controls: Enable

■ Download unsigned ActiveX controls: Disable

■ Initialize and script ActiveX controls not marked as safe: Prompt

■ Run ActiveX controls and plug-ins: Enable

■ Script ActiveX controls marked safe for scripting: Enable

12. In the Security Settings dialog box, click OK.

13. In the Warning! dialog box, click Yes to change the security settings for the zone.

14. In the Internet Options dialog box, click OK.

Once the correct settings are defined for the Local intranet security zone, you must create a Group Policy Object (GPO) for the application of the Local intranet security zone settings. The following procedure details this process:

1. Open an MMC console.

2. From the Console menu, click Add/Remove Snap-in (use the File menu if using Windows XP).

3. In the Add/Remove Snap-in dialog box, click Add.

4. In the Add Standalone Snap-in dialog box, select Group Policy and click Add.

5. In the Group Policy Wizard, click Browse.

6. In the Browse for a Group Policy Object dialog box, ensure that the Look In drop-down list is focused on the desired domain, right-click the Domains, OUs, and linked Group Policy Objects list, and then click New.

7. Name the new GPO Local Intranet Web Sites.

8. Select Local Intranet Web Sites and click OK.

9. Click Finish.

10. Click Close.

Once the GPO is created, you must import the locally defined settings for the Local intranet zone using the following procedure:

1. In the console tree, expand Local Intranet Web Sites, expand User Configuration, expand Windows Settings, expand Internet Explorer Maintenance, and click Security.

2. In the details pane, double-click Security Zones and Content Ratings.

3. In the Security Zones and Content Ratings dialog box, click Import the Current Security Zones and Privacy Settings, and click Modify Settings.

4. Click Local Intranet and click Sites.

5. In the Local Intranet dialog box, click Advanced.

6. Ensure that the http://*.company.com and https://*.company.com Web sites are listed, and click Close.

10. Close the MMC console without saving changes.

The Local Intranet Web Sites GPO must be linked to each domain in your organization's forest or to an organizational unit (OU) containing the user accounts so that it affects all users in the domain.
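
To confirm that the zone settings reached a user's profile once the GPO applies, the following PowerShell script (an added example, not part of the original text) compares the current user's Local intranet zone with the values from step 11 and the two site entries from step 7. It assumes the settings are stored under the user's HKCU Internet Settings key and uses company.com as the same placeholder namespace as the procedure; the helper names Get-RegValue and Format-State are hypothetical.

```powershell
# Added audit example, not part of the original procedure.
# Run as the user whose Internet Explorer settings the GPO should configure.
$base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$domain = 'company.com'   # placeholder DNS namespace used in the procedure

# URL action -> setting name and required state (step 11).
# Registry data: 0 = Enable, 1 = Prompt, 3 = Disable.
$label    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$expected = @(
    @{ Id = '1001'; Want = 0; Name = 'Download signed ActiveX controls' }
    @{ Id = '1004'; Want = 3; Name = 'Download unsigned ActiveX controls' }
    @{ Id = '1201'; Want = 1; Name = 'Initialize and script ActiveX controls not marked as safe' }
    @{ Id = '1200'; Want = 0; Name = 'Run ActiveX controls and plug-ins' }
    @{ Id = '1405'; Want = 0; Name = 'Script ActiveX controls marked safe for scripting' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

function Format-State($Value) {
    if ($null -eq $Value) { return 'not set' }
    if ($label.ContainsKey([int]$Value)) { return $label[[int]$Value] }
    return "raw value $Value"
}

$results = @()
# Zone 1 is the Local intranet zone.
foreach ($e in $expected) {
    $actual = Get-RegValue "$base\Zones\1" $e.Id
    $results += [pscustomobject]@{ Check = $e.Name; Expected = $label[$e.Want]
        Actual = Format-State $actual; Ok = ($actual -eq $e.Want) }
}
# Assumption: a wildcard site such as http://*.company.com is stored on the
# domain key itself, as a value named after the scheme holding the zone number.
foreach ($scheme in 'http', 'https') {
    $zone = Get-RegValue "$base\ZoneMap\Domains\$domain" $scheme
    $results += [pscustomobject]@{ Check = "${scheme}://*.$domain in zone map"; Expected = 'zone 1'
        Actual = if ($null -eq $zone) { 'not set' } else { "zone $zone" }; Ok = ($zone -eq 1) }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { Write-Warning 'Local intranet zone differs from the documented settings.' }
```

A row showing "not set" means the value is absent from the user's hive, which usually indicates the GPO has not yet applied to that account.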
