Home

Certificate Authority - Autoenrollment

%3CLINGO-SUB%20id%3D%22lingo-sub-47486%22%20slang%3D%22en-US%22%3ECertificate%20Authority%20-%20Autoenrollment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-47486%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20looking%20at%20options%20for%20having%20our%20servers%20autoenroll%20for%20certifcates%20using%20the%20computer%20template.%20%26nbsp%3BWe%20have%20a%202-tier%20setup%20with%20an%20offline%20root%20and%20an%20enterprise%20sub%20CA%20joined%20to%20our%20main%20domain.%20%26nbsp%3BI%20am%20able%20to%20get%20autoenrollment%20working%20for%20our%20main%20domain%20joined%20machines%20but%20we%20are%20now%20trying%20to%20get%20our%20other%20non-trusted%20domains%20to%20do%20the%20same.%20%26nbsp%3BI%20have%20the%20%22Certificate%20Enrollment%20Web%20Service%22%20and%20the%20%22Certificate%20Enrollment%20Policy%20Web%20Service%22%20configured%20and%20I%20can%20successfully%20request%20a%20cert%20where%20I%20provide%20the%20subject%20info.%20%26nbsp%3BWhat%20we%20would%20like%20is%20to%20be%20able%20to%20enable%20autoenrollment%20and%20have%20the%20server%20reach%20out%20to%20the%20CA%20and%20grab%20a%20cert%20automatically.%20%26nbsp%3BWe%20have%20been%20able%20to%20successfully%20request%20a%20cert%20from%20the%20computer%20template%20in%20the%20tnon-trusted%20domain%20but%20it%20doesn't%20use%20the%20computer%20name%20and%20instead%20generates%20a%20cert%20using%20the%20name%20of%20the%20service%20account%20I%3C%2FP%3E%3CP%3Ehave%20running%20the%20web%20services.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20even%20possible%20to%20setup%20it%20up%20this%20way%20where%20we%20can%20have%20machines%20in%20the%20non-trusted%20domains%20to%20autoenroll%20using%20the%20computer%20template%2C%20where%20it%20provides%20its%20server%20name%20automatically%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-64921%22%20slang%3D%22en-US%22%3ERe%3A%20Certificate%20Authority%20-%20Autoenrollment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-64921%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20can%20be%20achieved.%20But%20as%20Ed%20suggested%20that%20enrolling%20untrusted%20computers%20could%20be%20a%20problem.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHence%2C%20what%20you%20would%20need%20to%20do%20is%20issue%20the%20first%20computer%20certificate%20during%20provisioning%20time%20of%20the%20machine%20and%20from%20thereon%20it%20can%20be%20auto-enrolled.%20In%20this%20manner%20you%20know%20the%20device%20is%20trusted%20by%20your%20organization%20and%20certs%20are%20not%20being%20given%20to%20unknown%20devices.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDuring%20provision%20time%20you%20will%20have%20to%20enroll%20certificates%20using%20Certificate%20enrollment%20Policy%20set%20to%20accept%20user%20authentication%20and%20CES%20too%20with%20user%20authentication.%20From%20thereafter%20the%20certs%20will%20be%20renewed%20from%20CEP%2FCES%20based%20on%20the%20original%20certs%20using%20cert%20based%20authentication.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20presentation%20can%20help%20you%20to%20understand%20better%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fchannel9.msdn.com%2FEvents%2FTechEd%2FNorthAmerica%2F2011%2FSIM329%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fchannel9.msdn.com%2FEvents%2FTechEd%2FNorthAmerica%2F2011%2FSIM329%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-64875%22%20slang%3D%22en-US%22%3ERe%3A%20Certificate%20Authority%20-%20Autoenrollment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-64875%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Keith.%3C%2FP%3E%3CP%3EExcellent%20that%20you%20have%20a%20tiered%20CA%20structure!%3C%2FP%3E%3CP%3ETo%20your%20issue%20with%20enrolling%20untrusted%20computers%2C%20I%20would%20like%20to%20raise%20the%20concern%20that%20autoenrollment's%20security%20in%20part%20depends%20on%20the%20computers%20authenticating%2C%20showing%20the%20CA%20that%20the%20computers%20identity%20has%20been%20verified%20and%20can%20be%20issued%20a%20cert%20because%20it%20is%20a%20known%20device.%3C%2FP%3E%3CP%3EIf%20untrusted%20computers%20were%20automatically%20issues%20certs%2C%20what%20is%20to%20prevent%20a%20bad%20guy's%20computer%20from%20being%20issued%20one%3F%3C%2FP%3E%3CP%3ENot%20knowing%20what%20your%20business%20goals%20are%2C%20what%20should%20possibly%20be%20happening%20is%20that%20the%20computers%20in%20the%20untrusted%20domains%20should%20be%20issued%20certs%20in%20their%20own%20domains%20and%20a%20PKI%20cross%20trust%20be%20implemented.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Fwindows%2Fdesktop%2Fbb540800(v%3Dvs.85).aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Fwindows%2Fdesktop%2Fbb540800(v%3Dvs.85).aspx%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20does%20depend%20on%20the%20goals%2C%20however.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3EEd%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Keith Wilmot
Visitor

We are looking at options for having our servers autoenroll for certifcates using the computer template.  We have a 2-tier setup with an offline root and an enterprise sub CA joined to our main domain.  I am able to get autoenrollment working for our main domain joined machines but we are now trying to get our other non-trusted domains to do the same.  I have the "Certificate Enrollment Web Service" and the "Certificate Enrollment Policy Web Service" configured and I can successfully request a cert where I provide the subject info.  What we would like is to be able to enable autoenrollment and have the server reach out to the CA and grab a cert automatically.  We have been able to successfully request a cert from the computer template in the tnon-trusted domain but it doesn't use the computer name and instead generates a cert using the name of the service account I

have running the web services.

 

Is it even possible to setup it up this way where we can have machines in the non-trusted domains to autoenroll using the computer template, where it provides its server name automatically?

2 Replies

Hi Keith.

Excellent that you have a tiered CA structure!

To your issue with enrolling untrusted computers, I would like to raise the concern that autoenrollment's security in part depends on the computers authenticating, showing the CA that the computers identity has been verified and can be issued a cert because it is a known device.

If untrusted computers were automatically issues certs, what is to prevent a bad guy's computer from being issued one?

Not knowing what your business goals are, what should possibly be happening is that the computers in the untrusted domains should be issued certs in their own domains and a PKI cross trust be implemented.

 

https://msdn.microsoft.com/en-us/library/windows/desktop/bb540800(v=vs.85).aspx

 

It does depend on the goals, however.

 

Thanks

Ed

 

This can be achieved. But as Ed suggested that enrolling untrusted computers could be a problem.

 

Hence, what you would need to do is issue the first computer certificate during provisioning time of the machine and from thereon it can be auto-enrolled. In this manner you know the device is trusted by your organization and certs are not being given to unknown devices.

 

During provision time you will have to enroll certificates using Certificate enrollment Policy set to accept user authentication and CES too with user authentication. From thereafter the certs will be renewed from CEP/CES based on the original certs using cert based authentication.

 

This presentation can help you to understand better

https://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM329

 

Related Conversations
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
28 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
2 Replies
*Updated 9/3* Syncing in Microsoft Edge Preview Channels
Elliot Kirk in Articles on
202 Replies
Early preview of Microsoft Edge group policies
Sean Lyndersay in Discussions on
65 Replies