Certification Authority Authentication-Level Incompatible with Windows XP

Applies: Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT (as described in MSDN article Authentication-Level Constants). On Windows Server 2008 R2 and earlier versions, this setting is not enabled by default on the CA. If you no longer have Windows XP clients on your network that require the ability to enroll for certificates, you can increase security by enabling this setting. To enable the setting, run the following commands:

certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
**net stop certsvc & net start certsvc
**
However, if you do have Windows XP clients that require the ability to enroll for certificates and this setting is enabled on your CA, you can disable the setting by running the following commands

certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
net stop certsvc & net start certsvc

Warning If you disable this setting, it is possible for attackers to listen to network traffic and gain information about your internal network structure, including which computers are enrolling for certificates, the certification authority granting those requests, as well as the certificate purposes requested. While this might not pose a security concern on your local area network, be sure to consider the implications of clients enrolling for certificates from external locations, if applicable.

Note This setting is enabled by default in Windows Server "8" Beta, see What's New in AD CS.