I am going to go over auto-enrollment in Microsoft Active Directory Certificate Services (ADCS)
Certificate Enrollment Methods in general
For a client to enroll for certificates, several ways exist in Windows Server
- Web Enrollment (the default URL is http://CAName/certsrv) where CAName is the name of the Issuing Certificate Authority.
- Enrollment through the Automatically Enroll and Retrieve Certificates from the certmgr.msc console
- CNG Application Programming Interface (API) in Windows Server 2008 and windows Server 2008 R2, and CryptoAPI in previous versions of Windows Server
In this post I am going to go over auto-enrollment to explain what it is and how it works
AutoEnrollment.. What it is
Auto-enrollment is a certificate enrollment method in ADCS that allows clients to seamlessly* enroll for certificates and to perform other handy functions including deleting revoked certificates and downloading root certificates from Active Directory. For this reasons, it is a best practice to enable auto-enrollment on the Domain group policy level, rather than on specific OUs, and to manage permissions using the Certificate templates Access Control Lists. Auto-enrollment is triggered when a user logs on, when a machine is powered on, or every 8 hours when Group Policy is refreshed. It is possible to manually trigger Group policy update by running the command gpupdate /force on the client.
*The experience might not be seamless for User Certificate templates if this is explicitly specified in the template.
Auto-Enrollment.. How it works
In order to troubleshoot auto-enrollment, it is beneficial to understand how it works and the steps involved in it. Below are the autoenrollment steps on a high level
- When a GPO with auto-enrollment configured is applied to a client, the client downloads all published certificate templates in the forest and stores them in the local registry in the following key HKEY_CURRENT_USER/Software/Microsoft/Cryptography/Certificate TemplateCache, each Template having its own registry key
- The client checks the template for Read and Autoenroll permission, if these permissions are granted the client, it generates a key pair locally
- If input is required from the user a balloon appears in the system tray asking the user for input
- The Client creates a Certificate request and sends this request along with its public key to the Issuing CA. The request is based on the certificate template on which the user is granted Read and Autoenroll
- the Issuing CA creates a certificate that has the Clients public key, stores it and issues it to the client
- If the Publish Certificate in Active Directoryoptions is chosen, the certificate is also published in Active Directory and made available for other clients in the domain
- The user now has a certificate associated with its private key and can now use it.
If Key Archival is enabled, the steps below will be slightly different
Auto-Enrollment.. How to configure it
To configure auto-enrollment, the following has to be done
- Grant the AutoEnroll permission for the subjects (Users/Groups) on the certificate template. To perform this, in your issuing CA, open the Certificate Templates container. Right click on the Template you would like to configure. Go to properties. go to the security tab. Add the user/group to Access Control list (if it does not exist already), grant them the AutoEnroll permission. It is also a proven practice to grant the authenticated users group the Read Permission
- Configure the Auto-enrollment Policy for the subjects (preferably for the entire domain instead, to make use of other handy functions of autoenrollment mentioned above). To perform this, edit the group policy object you want to enable auto-enrollment on, go to User Configuration > Windows Settings > Security Settings > Public Key Policies. Click on Certificate Services Client - Auto-Enrollment. Select the Enroll certificates automatically option.