A Windows Server 2003-based enterprise CA issues certificates that have incorrect alternate subject names and the certificates are not Network Access Protection (NAP)-compliant

Consider the following scenario:

• A Windows Server 2003-based computer hosts an enterprise certification authority (CA).
• The enterprise CA issues certificates by using a customized certificate template.
• The certificate template is configured to include the user principal name (UPN) or the service principal name (SPN) in the alternate subject name.

In this scenario, all certificates that are issued by using the customized certificate template have incorrect alternate subject names. The alternate subject name is a Domain Name System (DNS) name instead of a UPN or an SPN.

This problem prevents the enterprise CA from issuing Network Access Protection (NAP)-compliant computer certificates.

To resolve this problem, apply hotfix 961515. For more information about hotfix 961515, click the following article number to view the article in the Microsoft Knowledge Base:

Hotfix information

Prerequisites

To apply this hotfix, you must have Windows Server 2003 Service Pack 1 or Windows Server 2003 Service Pack 2 installed on the computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix is replaced by hotfix 961515.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003 with Service Pack 1, x86-based versions

Windows Server 2003 with Service Pack 2, x86-based versions

Windows Server 2003 with Service Pack 1, Itanium-based versions

Windows Server 2003 with Service Pack 2, Itanium-based versions

Windows Server 2003, x64-based versions

Windows Server 2003 with Service Pack 2, x64-based versions

This hotfix fixes an issue that occurs when the CT_FLAG_SUBJECT_ALT_REQUIRE_UPN flag is set in a computer template. When this flag is set, the policy module puts the DNS name of the computer in the Subject Alt Name (SAN) field. This is not the expected behavior. The following behavior occurs after you install the hotfix:

• The first time, the certification authority (CA) policy module queries the explicit UPN attribute of the computer in Active Directory. If the entry in this attribute is found, this entry will be written in the certificate SAN field.
• If no entry is found in the explicit UPN attribute of the computer, the implicit UPN is created by using the samAccountName Active Directory attribute together with the domain name.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

NAP is a new platform that performs the following jobs:

• NAP performs computer health policy validation.
• NAP guarantees ongoing compliance with health policies.
• NAP optionally restricts the access of computers that do not comply with system health requirements until the health state of these computers can be corrected.

For more information about NAP, visit the following Microsoft TechNet Web site: For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base: