[cifs-protocol] [EXTERNAL] Archival of [MS-CAESO], despite still being used

Kristian Smith Kristian.Smith at microsoft.com
Mon Jun 20 17:49:22 UTC 2022


Hi David,

Thanks for your patience on this question. The information from [MS-CAESO] regarding certificate autoenrollment was indeed boiled down to fundamentals in [MS-CERSOD] since it is a client process. Any communications that occur should be covered in other documents (WCCE, ADTS, CRTD, etc.).

I found Technet documentation on the AEPolicy Registry Edit that you were concerned about and pasted it below. 
https://qa.social.technet.microsoft.com/wiki/contents/articles/3048.troubleshooting-certificate-autoenrollment-in-active-directory-certificate-services-ad-cs.aspx?PageIndex=1

If there is a specific section or subsection in [MS-CAESO] describing a communication that you are unable to find in the other documents, I'd be happy to investigate it.

Thanks,
Kristian 


Kristian Smith
Support Escalation Engineer
Windows Open Spec Protocols
Office: (425) 421-4442
kristian.smith at microsoft.com 


-----Original Message-----
From: David Mulder <dmulder at samba.org> 
Sent: Wednesday, June 1, 2022 11:08 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] Archival of [MS-CAESO], despite still being used

The [MS-CAESO] document has been archived, despite being heavily relied on by multiple vendors (Vintela/OneIdentity, Centrify, BeyondTrust, Samba, to name a few). Even Windows clients still appear to use the process described in [MS-CAESO].
The only explanation given for its archival is that the [MS-CERSOD] overview document replaces [MS-CAESO] (https://social.msdn.microsoft.com/Forums/en-US/3bf244db-5194-400f-9f0d-da0c769011ef/mscaeso-missing?forum=os_windowsprotocols),
but [MS-CERSOD] isn't sufficiently detailed to implement autoenrollment.
You replaced an entire detailed document with a pretty picture and a couple paragraphs:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cersod/dd492d51-9c18-4d52-a8db-e9cfe35a80b2
[MS-CERSOD] doesn't even mention the GPO AEPolicy setting, or how to parse endpoints from LDAP and from GPO PolicyServers.

Please either return [MS-CAESO] from archive, or provide an actual replacement that isn't missing all details.

--
*David Mulder*
Labs Software Engineer, Samba
SUSE
1221 Valley Grove Way
Pleasant Grove, UT 84062

dmulder at suse.com
http://www.suse.com/