Configuring Autoenrollment to issue certificates to all domain joined systems

A lot of the new technologies requiring certificates to be used for authentication require those certificates to be distributed on a large scale. For example, if we want to use the Computer certificate for DirectAccess authentication, we need to issue a certificate to every DirectAccess client computer. This could be thousands of laptops in your network. If we want to start encrypting traffic inside the network with IPsec and require certificates to be distributed for that purpose, you would potentially need to issue some kind of machine certificate to every computer inside your network. While you could certainly issue each by hand using either the MMC console or the CA web interface, that doesn't sound like very much fun.

Enter Autoenrollment. We can turn on this feature, which is sort of like flipping a switch in Active Directory, and in doing so we can tell AD to issue certificates automatically to the computers, even if we need to get them to every single domain joined the system. Let's work together through this recipe to turn on this option and test it out.

Getting ready

We are working inside a Windows Server 2016 based Active Directory domain. We also have a Server 2016 Enterprise Root CA running in this network. The work that we will be accomplishing is a combination of work on the CA server and work inside Group Policy on a Domain Controller.

How to do it…

To enable Autoenrollment in your domain, take a look at these instructions:

  1. Log into your CA server and open up Certification Authority. Expand the name of your CA, then right-click on Certificate Templates and choose Manage.
  2. Now choose which certificate template that you want to be set up for Autoenrollment. I have a template called DA Cert that I want issued to every computer in my network. Right-click on DA Cert and head into Properties.
  3. Click on the Security tab. Here you need to configure whatever users, computers, or other objects that you want to have Autoenroll permissions to this template. I am going to Allow the Autoenroll permission for all Domain Computers in my network, as shown in the following screenshot:

    How to do it…

  4. Click OK, and now we need to head over to Group Policy. Log into a Domain Controller and open the Group Policy Management Console.
  5. I have created a new GPO for this task called Certificate Autoenrollment Policy. This new GPO is linked to the top of my domain so that it applies to all machines that are joined to the domain. If you didn't need your policy to be so broad, you could of course pare down the access here by limiting the link or filtering associated with your GPO.
  6. Right-click on the Certificate Autoenrollment Policy GPO and choose Edit….

    How to do it…

  7. Navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies.
  8. Double-click on Certificate Services Client - Auto-Enrollment.
  9. Set this to Enabled, and select both of the checkboxes on the screen.

    How to do it…

  10. As soon as you click OK, this new GPO will start taking effect. Machines will check in with Group Policy and realize they need these new settings from the GPO. Upon putting this new option into place, the computers will then check in with the CA server and ask it for a copy of any certificate for which it has autoenroll permissions. Since we configured all Domain Computers to have autoenroll permission to our DA Cert template, our workstations and servers should immediately start receiving a copy of this new certificate. Here is a screenshot from my CA server just a few minutes after configuring this GPO. You can see that it is starting to issue certificates to my domain-joined systems:

    How to do it…

How it works…

We make use of Group Policy in order to flip our autoenrollment on-switch and immediately start the autoenrollment of certificates to our domain-joined systems. There are a couple of different ways that autoenrollment can be regulated. You can decide who gets the autoenrollment policy applied to them through Group Policy links and filtering, meaning that you can define in the GPO properties which users or computers are going to be subject to autoenrollment in the first place. Alternatively, or additionally, you can also specify permissions inside each certificate template on the CA server so that you can better determine which users or computers in your environment will receive copies of each template once autoenrollment is enabled.

Planning is essential to this task. You need to build a clear definition for what certificates you need to publish, and to which devices or people you need that certificate to roll itself out to. Follow the steps incorrectly and it may not work, or worse yet, you may end up with a thousand certificates being issued all over your network that you did not intend to be distributed. Group Policy is extremely powerful, and tapping into that power comes with great responsibility.

After configuring these settings, if you reboot a few domain joined machines in your network, you will notice that when they come back online, there will be a new certificate sitting in the computer's personal certificate store. Sit back and wait a few hours, and they will have rolled around to everybody automatically. If you don't like waiting for Group Policy to refresh, you can open Command Prompt on some of those computers and issue the gpupdate /force command to manually refresh the policies and pull down the certificate.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.117.165.82