Deploying Certificates via ‘Auto Enrollment’

KB ID 0000919

Problem

SHA CERTIFICATE WARNING: Note This article was written some time ago, ensure your CA environment does NOT use SHA1 for your certificates, if it does, Please visit the following link for migration instructions;

Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

I need to setup wireless authentication based on computer certificates, I’ve done similar jobs before by manually issuing certificates for Cisco AnyConnect, but this will be for NAP/RADIUS authentication to MSM. I’ll be working with Server 2008 R2 and Windows 7 clients. So task one was getting my head round ‘auto enrollment’. As stated I’m deploying Computer certificates but the process is practically the same for issuing User certificates (I’ll point out the differences where applicable).

Solution

Prerequisites: A Windows domain environment, with working DNS.

Setup a Certification Authority

1. Launch Server Manager (Servermanager.msc) Roles > Add Roles > Active Directory Certificate Services > Next > I’m going to accept all the defaults.

2. The only thing I’m going to change is the lifetime, I usually change that from 5 to 10 years (force of habit, after 5 years it will probably still be my problem, in 10 years it will be replaced, or in a skip!)

Create a Computer Certificate Template and Issue it.

3. Start > Administrative Tools > Certification Authority > Certificate Templates > Manage.

4. Locate and make a copy of the Workstation Authentication template. If you were using User certificates the you would copy the User template.

Note: I got an email a few months ago form someone who had an argument about whether to make copies or edit the originals, and was asking what I thought was best practice. Well I would ALWAYS copy a template and edit that copy. Then if you ‘stuff it up’ you still have the original. It’s always best practice to avoid looking like a cretin!

5. If you still have Server 2003 servers choose the default, if not pick 2008 > OK.

6. General Tab > Give the template a sensible name.

7. Subject Name Tab: Tick User principle name (UPN).

8. Security Tab: Ensure Domain Computers have the rights to Read and Autoenroll > OK > Close the template console.

9. Certificate templates > New > Certificate Template to Issue.

10. Pick the one you just created > OK.

11. Make sure it’s listed > Close the Certificate Authority management console.

Deploy Auto-enrolled Certificates via Group Policy

Note: You could just add this to the to the default domain group policy, and all computers would get a certificate, but for this exercise I’ve created an OU, and I’m going to create a new policy and link it there.

12. Select an OU or container that contains the computer objects you want to send certificates to.

Note: Obviously if you are sending out User certificates then link it to a user OU, (you would be surprised!)

13. Navigate to;

[box]

Computer Certificate Auto-Enrollment

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment

User Certificate Auto-Enrollment

User Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrolment

[/box]

WARNING: If deploying user certificates read this article.

14. Enable the policy > Select the two options available > Apply > OK > Close the GPO management editor.

Test Windows Certificate Auto-Enrollment

15. Before we do anything else, you can see there are no certificates on the Windows 7 client machine, and there are no certificates ‘issued’ from the server.

Note: To see a computers certificates, you need to be logged in with administrative rights, run mmc and add in the certificates snap-in for ‘local computer’.

16. Now if I move this machine into the OU that I’ve linked the GPO to.

17. And then force that client to refresh its group policies, (or reboot it).

18. Now when you check, you can see it has received a certificate, and the server is now showing one certificate issued.

Now I’ve got to work out NAP and RADIUS and force them to use the certificates, but I’ve got a headache and I need a brew, watch this space….

Related Articles, References, Credits, or External Links

Certificate Services Error – ‘The Email name is unavailable and cannot be added to the Subject or Subject Alternate name’

Cisco AnyConnect – Securing with Microsoft Certificate Services

Part 1 (How to Configure Microsoft Certificate Services for AnyConnect)

KB ID 0001030 

Problem

I’ve done a lot of AnyConnect deployments, and I’ve even done them with certificates in the past. I’ve seen plenty of articles and blogs that say ‘It would be better to use a PKI deployment like Microsoft Certificate Services’, but there’s very little info out there on how to set it up.

I have a client that was going to deploy Microsoft Direct Access, but due to unforeseen circumstances has changed their requirements and wants to use AnyConnect instead, (with the following requirements).

  • The connection should be ‘always on’ for their remote clients.
  • It should use certificate based authentication that would use their existing PKI deployment.
  • They should be able to control the remote clients from their corporate location (if required).
  • They should be able to roll out the software using Microsoft SCCM.

So I disappeared with an ESXi server, a spare firewall, and a large mug of coffee.

Solution

I am going to send out both user and computer certificates, and I’m going to get the machines to ‘Autoenroll’ for the certificates with group policy. (You could just use ‘User’ certificates, but that would be too easy).

1. Remember certificates are time specific, make sure your Windows domain is keeping good time, I’ve written about this before, but to cut a long story short carry out the following on your PDC emulator at an elevated command prompt.

[box]

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update
net stop "windows time"
net start "windows time"
w32tm /resync

[/box]

2. I’m assuming you have certificate services setup and have certificates setup for computers and users, if not see Installing Microsoft Certificate Services. Ensure you have templates published and they are configured correctly, like so;

User Certificate Template

Computer Certificate Template

3. Publish the Certificates.

4. Set up a Group Policy for Certificate Auto-enrolment.

5. For User certificate auto-enrollment go to:

[box]

User Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrolment

[/box]

6. For Computer certificate auto-enrollment go to:

[box]

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrolment

[/box]

7. Ensure your target machines have their certificates,(user and computer).

***OPTIONAL STEP***

I’m using NDES to put the certificates on my Cisco ASA, and I want to use that same certificate on the ‘outside’ interface of my ASA. Now I could just manually get
a cert by creating a CSR and giving that to my certificate authority. Then use the ‘Web Server’ template and everything would be peachy. However I want NDES to do ‘EVERYTHING’ for me so I need to make a change to the certificate that NDES uses, (by default ‘IPSEC (Offline request)’). I need to add in the ‘Server Authentication’ Key usage, or when I enable the cert on the outside interface I will get an error. To that end, I need to create a new certificate template, and then get NDES to use that template instead.

1. Open the Certification Authority management console > Right click Certificate Templates > Manage.

2. Locate ‘IPSEC (Offline request)’ template and clone it.

3. Give the cert a name (in the ‘template name’ section leave no spaces or special characters). Then copy the template name to notepad, (you’ll find out why in a minute).

4. Extensions Tab > Application Policies > Edit.

5. Add > Locate and add ‘Server Authentication’ > OK > OK.

6. If you had NDES set up correctly your NDES service account should have enroll rights to this template already, but check to be on the safe side.

7. Save and publish the new template.

8. Remove the original IPSEC (Offline request) template.

9. To get NDES to use the new template you need to edit three registry values. Open ‘regedit’ an navigate to;

[box]HKLM > Software > Microsoft > Cryptography > MSCEP[/box]

Change the following keys to the new template name;

  • EncryptionTemplate
  • GeneralPurposeTemplate
  • SignatureTemplate

10. At this point you need to restart IIS, though in my case I just rebooted the server.

 

Related Articles, References, Credits, or External Links

In Part 2 – We will configure the ASA and AnyConnect.