
Duplicate-Configure the User certificate template permissions to enable AD CS PKI auto enrollment

In the episode "Request and install a basic encryption file system certificate by using the Web enrollment", we saw how EFS protects data from disclosure and destruction. That protection only holds if certificates are obtained in an unforgeable way, which is exactly what a Windows AD CS PKI gives us.
Moreover, the cost of running a PKI in an AD DS network keeps falling, in technical requirements, hardware and staff alike.
[00:09] "Configuring EFS with ADCS Server 2008" – journeyofthegeek.com
http://bit.ly/conf-efs-adcs-ws2008

For example, an HTTPS (SSL/TLS) website may draw complaints about slow responses and long loading times because of the cost of the encryption and decryption operations.
Today that drawback belongs to the past: server hardware, user machines and browsers have all improved, and so have the PKI and TLS software implementations themselves, with better algorithms and modern architectures.

During everyday HTTPS browsing you may see a mixed-content (insecure content) warning from your browser; it tells you that at least one element of the page was loaded over plain HTTP, and that element can be leveraged as an attack vector against an otherwise protected page.
So every component of a secure model must be protected; that is the spirit of an AD CS PKI.
[00:31] "Deploying Certificates via ‘Auto Enrollment’ | PeteNetLive" – petenetlive.com
http://bit.ly/deploy-cert-auto-enroll

Furthermore, there is no reason not to take advantage of AD CS automation, starting with certificate auto-enrollment: it keeps the certificate, the core entity of the PKI, consistent across the domain, and that consistency is what many Windows Server services depend on.
Auto-enrollment can do this because the template defines the certificate's naming and content, the subject information is queried from AD DS, and further criteria (security permissions, conditions) are enforced by Windows Server.

This auto-enrollment process is usually associated with more advanced Windows Server features such as EFS and NAP/RADIUS, pushed out through Group Policy.
Other features, such as web services and FTP, do not take a certificate as a mandatory requirement, but it is best to have one consistent method of delivering certificates so that later growth in the scale of the secure network is not a problem.
[00:45] http://bit.ly/snoopy-youtube

Many certificates can be distributed without the client even being aware that enrollment is taking place. These can include most types of certificates issued to computers and services, as well as many certificates issued to users.
To automatically enroll clients for certificates in a domain environment, you must:
– Configure a certificate template with Autoenroll permissions.
– Configure an autoenrollment policy for the domain.
The scenario: we will issue certificates to domain users automatically so that they can use Encrypting File System, Secure Email and Client Authentication; the basic User template carries exactly those three purposes, so it is enough.

Let's duplicate the User template (choosing the Windows Server 2008 Enterprise template version when prompted) rather than edit the existing one, so that you still have an untouched original for further deployments based on the same template.

[01:33] Give it a meaningful Template display name so that you can identify it later.

Build from this Active Directory information
Select this option to enforce consistency among subject names and to
simplify certificate administration.
Subject name format: Fully distinguished name
Include e-mail name in subject name
Include this information in the alternate subject name:
– E-mail name
– DNS name
– User principal name (UPN)
– Service principal name (SPN)

The subject information of the requested certificate does not rely on anything the user supplies: the CA queries the domain's Active Directory internally, so the information remains truthful and the problem of a requester claiming a false identity is eliminated. The alternative option, Supply in the request, lets the requester choose the subject name; on a template that many users may enroll for and that includes Client Authentication, that is a combination to avoid. Note also that Include e-mail name requires every target user to have the mail attribute populated in AD; otherwise the request fails with the error referenced below.
[02:00] "Certificate Services Error – ‘The Email name is unavailable and cannot be added to the Subject or Subject Alternate name’" – petenetlive.com
http://bit.ly/cert-srv-err-email-unavai-cant

Here we define who will be able to apply the auto-enrollment policy: the principal needs Read, Enroll and Autoenroll on the template.
In a production environment, grant these to particular security principals (groups that map to the OUs or roles that need the certificate) rather than to everyone.
In this demo we apply them to all users in the domain: Authenticated Users / Domain Users.
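As an added example (not from the video or the articles referenced on this page), the following PowerShell grants Read, Enroll and Autoenroll on the duplicated template to a group, after first checking that the template builds its subject from Active Directory rather than from the request. The template name UserAutoEnroll, the group CONTOSO\PKI-AutoEnroll-Users and the configuration-partition path are assumptions; the two extended-right GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment rights.

```powershell
# Added example, not the video's own steps. Run as an account that may edit the
# template ACL (Enterprise Admins or a delegated template administrator).
Import-Module ActiveDirectory

$TemplateName = 'UserAutoEnroll'                 # assumption: name of the duplicated template
$Principal    = 'CONTOSO\PKI-AutoEnroll-Users'   # assumption: group that should auto-enroll

# Certificate templates live in the Configuration partition, not the domain partition.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template   = Get-ADObject -Identity $templateDN -Properties 'msPKI-Certificate-Name-Flag'

# Check 1: the CA, not the requester, must build the subject name.
# Bit 0x1 of msPKI-Certificate-Name-Flag (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) is
# the "Supply in the request" option; with broad Enroll rights it lets any
# requester choose whose name goes into the certificate.
$nameFlags = [int]$template.'msPKI-Certificate-Name-Flag'
if ($nameFlags -band 0x1) {
    throw "Template '$TemplateName' lets the enrollee supply the subject; select 'Build from this Active Directory information' before granting Autoenroll."
}

# Enroll and Autoenroll are AD extended rights identified by fixed GUIDs.
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-11d1-a0e5-00c04fb93e4e'   # Certificate-AutoEnrollment

$sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path "AD:\$templateDN"

# Read (GenericRead) so the client can see the template at all...
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow)))

# ...plus the two extended rights, one ACE each.
foreach ($right in @($EnrollGuid, $AutoEnrollGuid)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $right)))
}
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# Check 2: list everyone holding Enroll/Autoenroll afterwards, so an over-broad
# grant (e.g. Authenticated Users) is visible before the template goes to the CA.
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq $AutoEnrollGuid)
    } |
    Select-Object IdentityReference,
        @{ n = 'Right'; e = { if ($_.ObjectType -eq $AutoEnrollGuid) { 'Autoenroll' } else { 'Enroll' } } } |
    Format-Table -AutoSize
```

The GUI's Security tab writes exactly these ACEs; scripting them makes the grant reviewable and repeatable, and the first check is the one to keep even if you otherwise prefer the console.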
[02:23] "Add a Certificate Template to a Certification Authority" – technet.microsoft.com
http://bit.ly/add-ct-ca-TN

[02:38] "Issuing Certificates Based on Certificate Templates" – technet.microsoft.com
http://bit.ly/issue-cert-cd-TN

Before certificates can be issued by a certification authority (CA), the certificate template must be added to a CA.

Select one Certificate Template to enable on this Certification Authority.
Note: If a certificate template that was recently created does not appear on this list, you may need to wait until
information about this template has been replicated to all domain controllers.
All the certificate templates in the organization may not be available to your CA.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management to set up auto-enrollment of this certificate.
In this lab we create a separate GPO: right-click the domain (or the OU holding the target users) and click Create a GPO in this domain, and Link it here… to create a new auto-enrollment policy.

[04:26] "Public Key Infrastructure Part 7 – Enrollment and Auto-enrollment" – tech-coffee.net
http://bit.ly/pki-enroll-auto

Edit this policy in the Group Policy Management Editor: go to User Configuration, Windows Settings, Security Settings, Public Key Policies, and open Certificate Services Client – Auto-Enrollment. Set Configuration Model to Enabled.
If you are enabling certificate autoenrollment, you can select the following check boxes:

+ Renew expired certificates, update pending certificates, and remove revoked certificates enables autoenrollment for certificate renewal, issuance of pending certificate requests, and the automatic removal of revoked certificates from a user's certificate store.

+ Update certificates that use certificate templates enables autoenrollment for the issuance of certificates that supersede issued certificates.
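The two server-side steps above, publishing the template on the CA and creating the auto-enrollment GPO, done from PowerShell as an added example (not the page's own procedure). The CA name CA01.contoso.local\Contoso-Issuing-CA, the template name UserAutoEnroll, the domain contoso.local and the GPO name are all hypothetical. Step 1 needs CA administrator rights; step 2 needs the GroupPolicy module that ships with the GPMC feature on Windows Server 2008 R2.

```powershell
# Added example, not the video's own steps.
$TemplateName = 'UserAutoEnroll'                        # assumption
$CAConfig     = 'CA01.contoso.local\Contoso-Issuing-CA'  # assumption: host\CA common name
$DomainDN     = 'DC=contoso,DC=local'                    # assumption
$GpoName      = 'PKI User Auto-Enrollment'               # assumption

# Step 1: publish the template on the CA ("Certificate Templates to Issue").
# The leading "+" APPENDS to the CA's template list; without it the list is replaced.
certutil -config $CAConfig -SetCATemplates "+$TemplateName" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Failed to publish $TemplateName on $CAConfig" }

# Verify the CA now lists it. If a just-created template is missing here, the usual
# cause is AD replication: the CA reads templates from its own domain controller.
$published = certutil -config $CAConfig -CATemplates
if (-not ($published | Select-String -SimpleMatch $TemplateName)) {
    throw "$TemplateName is not listed on $CAConfig (replication not complete?)"
}

# Step 2: create and link the GPO, then turn on user auto-enrollment.
Import-Module GroupPolicy
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'User certificate auto-enrollment (added example)'
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
}

# "Certificate Services Client - Auto-Enrollment" under User Configuration is stored
# as a registry policy in the user hive. AEPolicy is a bit mask (assumption, from the
# values the console writes): 0x1 = Enabled, 0x2 = renew expired / update pending /
# remove revoked, 0x4 = update certificates that use templates. 7 = all three on.
$key = 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# Step 3: show what the GPO will deliver. Remember this is a USER policy: it only
# applies to user objects under the link, which is a common reason "nothing happens"
# when the GPO is linked to an OU that holds computers only.
Get-GPRegistryValue -Name $GpoName -Key $key |
    Select-Object ValueName, Value |
    Format-Table -AutoSize
```

Linking at the domain level, as the lab does, reaches every user; in production, link the GPO at the OU (or filter it with the same group that received Autoenroll on the template) so that the policy scope and the template permissions agree.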
[05:26] http://bit.ly/snoopy-youtube

[05:36] "Configure Certificate Autoenrollment" – technet.microsoft.com
http://bit.ly/conf-cert-autoenroll-TN

[05:42] "Windows 2008 PKI / Certificate Authority (AD CS) basics" – corelan.be
http://bit.ly/WS2008-PKI-CA-basic

You may wonder why, after only a few steps (the template duplication, the permissions, the Group Policy deployment and a gpupdate /force), the certificate still is not distributed as expected.
[05:55] "Active Directory Domain Controllers and certificate auto-enrollment" – morgansimonsen.com
http://bit.ly/ADDC-cert-auto-enroll

Request Certificates
You can request the following types of certificates. Select the certificates you want to request, and then click Enroll.
Select the Show all templates option to see that, at the least, the certificate template is listed, even if its STATUS is Unavailable.
Fortunately, in this case, we got it!

Check out my part 2 video about this Auto-Enroll: "Troubleshooting after the User certificate template duplication, permissions, and Group Policy configurations".
Having some knowledge of deployment error symptoms (certificate template publishing, GP scope, security principals, etc.), as well as of the fundamentals of PKI and certificate auto-enrollment, will sharpen your administrative skills!
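As an added example of the client-side checks that the troubleshooting part refers to (not the video's content), the following runs as the target user on a domain-joined client and walks the chain from policy to issued certificate. The template name UserAutoEnroll is an assumption, and it assumes the template display name equals the template name.

```powershell
# Added example, not the video's own steps. Run in the target user's session.
$TemplateName = 'UserAutoEnroll'   # assumption

# 1. Refresh user policy and trigger user auto-enrollment now, instead of waiting
#    for the next logon or the scheduled task.
gpupdate /target:user /force | Out-Null
certutil -user -pulse | Out-Null

# 2. Did the GPO reach this user at all? Bit 0x1 of AEPolicy must be set.
$aePath = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue
if (-not $ae -or -not ($ae.AEPolicy -band 0x1)) {
    Write-Warning 'Auto-enrollment is not enabled for this user: check GPO link, scope and security filtering.'
}

# 3. Is the template visible to this user and does the access check pass?
#    certutil -template shows the templates the caller can see; an "Unavailable"
#    template in the enrollment wizard usually means Read/Enroll is missing, the
#    template is not published on any CA, or replication has not caught up.
Write-Host "--- certutil view of template $TemplateName ---"
certutil -user -template $TemplateName 2>&1 | Select-String -SimpleMatch $TemplateName, 'Access', 'Allow', 'Denied'

# 4. Was a certificate actually issued from this template? Match on the
#    Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7).
$issued = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $ext -and $ext.Format($false) -match [regex]::Escape($TemplateName)
}
if ($issued) {
    $issued | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    Write-Warning "No certificate from template $TemplateName in the user's Personal store yet."
}

# 5. The auto-enrollment client logs its reasons in the Application log; read the
#    latest entries instead of guessing.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Work through the output top to bottom: a missing AEPolicy points at Group Policy scope, an unavailable template points at permissions or publishing, and the event log entries say which of the two the client itself hit.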

[06:49] http://bit.ly/snoopy-youtube
