With the episode "Request and install a basic encryption file system certificate by using the Web enrollment", we saw the benefit of EFS in protecting data from breaches, destruction and so on, which requires an unforgeable way of obtaining certificates, namely the Windows AD CS PKI.
Moreover, the cost of implementing a PKI in an AD DS network keeps falling: in technical requirements, hardware, staff and so on.
[00:09] "Configuring EFS with ADCS Server 2008" – journeyofthegeek.com
For example, an HTTPS (SSL) website may be blamed for slow responses and long loading times because of the cost of the encrypt/decrypt operations.
Nowadays that problem belongs to yesterday: not only server hardware, user machines and browsers but also PKI software implementations are evolving faster than ever, with better algorithms and modern architectures.
During your daily HTTPS web surfing you may see an insecure content warning from your browser, which tells you that at least one element of the page is loaded over plain HTTP and could possibly be leveraged as an attack vector.
So every component in a secure model must be protected; that is the spirit of PKI and AD CS.
[00:31] "Deploying Certificates via ‘Auto Enrollment’ | PeteNetLive" – petenetlive.com
Furthermore, there is no reason not to take advantage of AD CS automation, first of all certificate auto-enrollment, to harden the consistency of the core entity of our PKI, which is the vital insurance of Windows Server services.
That is because we have the naming template, information queried from AD DS, and further criteria (security settings, conditions) provided by Microsoft Windows Server.
Basically, this auto-enrollment process is usually associated with more advanced Windows Server features like EFS and NAP/RADIUS, enforced through Group Policy.
Other features, such as web serving and FTP, don't take a certificate as a mandatory requirement; but it's best to have a consistent method of delivering certificates so that further expansion of our secure network isn't a problem.
Many certificates can be distributed without the client even being aware that enrollment is taking place. These can include most types of certificates issued to computers and services, as well as many certificates issued to users.
To automatically enroll clients for certificates in a domain environment, you must:
– Configure a certificate template with Autoenroll permissions.
– Configure an autoenrollment policy for the domain.
The scenario: we will issue certificates to domain users automatically so that they can use them for Encrypting File System, Secure Email and Client Authentication; the basic User template is enough for that.
Let's duplicate the User template (as a Windows Server 2008 Enterprise template) rather than edit the existing one, so that you still have a pristine template for further deployments.
Build from this Active Directory information
Select this option to enforce consistency among subject names and to simplify certificate administration.
Subject name format: Fully distinguished name
Include e-mail name in subject name
Include this information in the alternate subject name:
– E-mail name
– DNS name
– User principal name (UPN)
– Service principal name (SPN)
This information in the requested certificate doesn't rely on what the user supplies; the CA queries the domain's Active Directory internally, so the information remains truthful and disinformation problems are eliminated.
[02:00] "Certificate Services Error – ‘The Email name is unavailable and cannot be added to the Subject or Subject Alternate name’" – petenetlive.com
We are defining who will be able to apply the auto-enroll policy.
In a production environment you must deploy it to particular security principals: OUs, groups, etc.
In this demo we apply it to all users in the domain: Authenticated Users, Domain Users.
[02:23] "Add a Certificate Template to a Certification Authority" – technet.microsoft.com
[02:38] "Issuing Certificates Based on Certificate Templates" – technet.microsoft.com
Before certificates can be issued by a certification authority (CA), the certificate template must be added to a CA.
Select one Certificate Template to enable on this Certification Authority.
Note: If a certificate template that was recently created does not appear on this list, you may need to wait until information about this template has been replicated to all domain controllers.
All the certificate templates in the organization may not be available to your CA.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.
On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management.
Open Group Policy Management from Administrative Tools to set up auto-enrollment for this certificate.
In this lab we create a separate GPO by clicking Create a GPO in this domain, and Link it here… to hold the new auto-enroll policy.
[04:26] "Public Key Infrastructure Part 7 – Enrollment and Auto-enrollment’" – tech-coffee.net
Edit this policy in the Group Policy Management Editor (GPMC): go to User Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
If you are enabling certificate autoenrollment, you can select the following check boxes:
+ Renew expired certificates, update pending certificates, and remove revoked certificates enables autoenrollment for certificate renewal, issuance of pending certificate requests, and the automatic removal of revoked certificates from a user’s certificate store.
+ Update certificates that use certificate templates enables autoenrollment for the issuance of certificates that supersede issued certificates.
[05:36] "Configure Certificate Autoenrollment" – technet.microsoft.com
[05:42] "Windows 2008 PKI / Certificate Authority (AD CS) basics’" – corelan.be
You may wonder: after only a few steps (the template duplication, the permissions, the Group Policy deployment and a gpupdate /force), why isn't the certificate distributed as expected?
[05:55] "Active Directory Domain Controllers and certificate auto-enrollment’" – morgansimonsen.com
You can request the following types of certificates. Select the certificates you want to request, and then click Enroll.
Select the Show all templates option to see that the certificate template is at least listed, but with STATUS: Unavailable.
Fortunately, in this case we got it!
Check out my part 2 video about auto-enrollment: "Troubleshooting after the User certificate template duplication, permissions, and Group Policy configurations".
Having some knowledge of deployment error symptoms (certificate template publishing, GPO scope, security principals, etc.), as well as the fundamentals of PKI and certificate auto-enrollment, can shape your administrative skills!
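As an added example (not part of the original post), the following PowerShell checks the pieces the walkthrough configures from a domain-joined client with RSAT: that the duplicated template is published on the CA, that the intended principal holds the Enroll and Autoenroll rights on the template object in AD, that users in scope have a mail attribute (the "Email name is unavailable" error referenced above), and that the GPO applied before triggering an autoenrollment pulse. The template name 'UserAutoEnroll' and the principal 'Domain Users' are assumed placeholders.

```powershell
# Added verification script, not the post's own steps. Run as the enrolling user
# on a domain-joined machine with the ActiveDirectory RSAT module installed.
Import-Module ActiveDirectory

$TemplateName = 'UserAutoEnroll'   # assumed internal (CN) name of the duplicated User template
$Principal    = 'Domain Users'     # assumed principal that should hold Enroll + Autoenroll

# Extended-right GUIDs used in certificate template ACLs.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# 1. Is the template added to the CA? certutil -CATemplates lists what the CA will issue.
$published = (certutil -CATemplates) -match "\b$TemplateName\b"
if (-not $published) {
    Write-Warning "Template '$TemplateName' is not enabled on the CA (Certificate Template to Issue)."
}

# 2. Does the template object in the Configuration partition grant both rights to the principal?
$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplDN   = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$rights   = (Get-Acl -Path "AD:\$tmplDN").Access | Where-Object {
    $_.IdentityReference -like "*\$Principal" -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
}
foreach ($g in @($EnrollGuid, $AutoenrollGuid)) {
    if (-not ($rights | Where-Object ObjectType -eq $g)) {
        Write-Warning "'$Principal' lacks extended right $g on template '$TemplateName'."
    }
}

# 3. A user with no mail attribute cannot get a certificate whose subject requires the e-mail name.
Get-ADUser -Filter 'Enabled -eq $true' -Properties mail |
    Where-Object { -not $_.mail } |
    ForEach-Object { Write-Warning "User $($_.SamAccountName) has no mail attribute." }

# 4. Confirm the GPO reached this user, trigger autoenrollment now, and list the resulting EFS certs.
gpresult /r /scope:user | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,5
certutil -user -pulse | Out-Null
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Encrypting File System' } |
    Select-Object Subject, NotAfter, Thumbprint
```

The CN in the AD path is the template's internal name, which differs from its display name when the display name contains spaces.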