Part 4 – Deploy a certificate to Mobile Devices and test it out
This is the last part of this blog series and is focused on getting user certificates onto your devices and testing that certificate authentication works for the Office apps. To get to this point you should have published a CRL, set up Azure AD and configured ADFS.
There are a number of ways to deploy certificates to mobile devices. The most common way for enterprises to do it is to configure Intune (or another MDM product) with certificate profiles (PFX or SCEP) so that once the device is enrolled, the user automatically gets a certificate created for them on that device. There are tonnes of good resources out there already showing you how to set it up, so here I'm just going to focus on getting the certificate template right. For the most part, you don't need MDM to test this out (with the exception of iOS, because it's difficult to get a root CA cert installed any other way). In this post I'll cover the process for testing without MDM (by manually requesting a cert from a domain-joined Windows machine, then copying it across), but when I get to testing on iOS devices I do eventually fall back to Intune for distributing the RootCA cert to iOS.
1. On your CA server, open Certification Authority, right-click Certificate Templates, Manage.
2. Create a new certificate template with the following key properties (Tip: duplicate and adjust the User template):
   - Subject Name: Supply in the request
   - EKU: Client Authentication
   - Private key: allow the private key to be exported (step 12 exports the key, so the template must permit it)
3. Apply, then close the Certificate Templates console.
4. Right-click Certificate Templates, New, Certificate Template to Issue.
5. Select the template you just created and click OK.
Testing from an Internal Domain-joined Windows Device
6. Log onto a domain-joined Windows client machine with a test user account and run certmgr.msc.
7. Expand Personal, Certificates, then right-click, All Tasks, Request New Certificate.
8. Click Next through the wizard until you get to the Request Certificates page, then select Properties.
9. Add details for the Subject Name and Subject Alternative Name (we specified "Supply in the request" in the certificate template):
   - Subject Name: Common Name
   - Alternative Name: User Principal Name or Email (whichever matches your users' identities in AAD)
Note 1: iOS doesn't support a fully distinguished name as the subject name format, or an e-mail address included in the subject name.
Note 2: For iOS devices using Exchange ActiveSync clients, the email (RFC822) attribute must match the user's routable email address in Exchange Online. If the RFC822 attribute is not present, the UPN attribute of the certificate must match the UPN of the user in Azure AD. This is what maps the certificate to a user in Azure AD.
10. Apply, then click Enrol to complete the certificate request. You should now see the user certificate in the Personal store.
11. Now that you have a certificate on one of your domain-joined machines, test it out. Go to https://portal.office.com, choose the "Sign in with a certificate" option and see if it lets you log in.
Testing from an External Windows Device
12. It's a good idea to test the same steps above from a Windows client outside your network to make sure the whole Web Application Proxy (WAP) part is right and the ports are configured properly. To do that, go back to certmgr.msc and export the user certificate along with the private key (the certificate has to be marked as exportable in the template we created earlier). Copy the .pfx over to your external test Windows device, import the user cert (the RootCA will automatically be placed into the Trusted Root Certification Authorities store) and try the steps above.
Tip: If this fails, check that your client can connect to your WAP server on port 49443. If it still isn't working, take a look at the CAPI2 event log (Windows Event Viewer, Applications and Services Logs, Microsoft, Windows, CAPI2) on your WAP server. Enable the log if it isn't already. This will surface any issues with the certificate chain or CRL.
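As an added example (not part of the original post, and not a Microsoft-provided script), the PowerShell below checks a requested user certificate for the properties that steps 2 and 9 and Note 2 rely on (Client Authentication EKU, a private key, a UPN or RFC822 SAN that maps to the user's Azure AD identity, and a chain that builds with CRL checking), exports it with its chain for the external test in step 12, and rules out the closed-port problem the Tip describes. The UPN, host name and function names are assumptions; run it on the domain-joined test client after step 10.

```powershell
# Added example, not part of the original post: check a user certificate in the
# current user's Personal store against what this series needs, then check that
# the WAP/ADFS certificate-auth port is reachable.
# The UPN and host name below are assumed placeholders, not values from the post.
param(
    [string]$ExpectedUpn = 'testuser@contoso.com',   # assumption: your test user's AAD UPN
    [string]$AdfsHost    = 'adfs.contoso.com'        # assumption: public name of your ADFS/WAP
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-UserCertForAdfs {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Upn
    )

    $r = [ordered]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = $false
        SanUpn        = $null
        SanRfc822     = $null
        MapsToUser    = $false
        ChainBuilds   = $false
        ChainStatus   = @()
    }

    # Step 2: the template must issue the Client Authentication EKU.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $r.ClientAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }

    # Step 9: read the SAN entered at request time. Format($true) asks CryptoAPI for
    # the decoded text, which labels the entries "Principal Name=" and "RFC822 Name=".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) {
        $text = $san.Format($true)
        if ($text -match 'Principal Name=(\S+)') { $r.SanUpn    = $Matches[1] }
        if ($text -match 'RFC822 Name=(\S+)')    { $r.SanRfc822 = $Matches[1] }
    }

    # Note 2 mapping rule: an RFC822 name, when present, is what gets matched;
    # otherwise the UPN in the certificate must equal the user's Azure AD UPN.
    $identity = if ($r.SanRfc822) { $r.SanRfc822 } else { $r.SanUpn }
    $r.MapsToUser = ($null -ne $identity) -and ($identity -ieq $Upn)

    # Build the chain the way a relying party would: Client Authentication policy
    # and online revocation checking, so a broken CRL path shows up here too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ClientAuthOid)) | Out-Null
    $r.ChainBuilds = $chain.Build($Cert)
    $r.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })

    return [pscustomobject]$r
}

function Export-UserCertForTest {
    # Step 12: export the cert and private key together with the chain, so the
    # RootCA lands in Trusted Root on the external machine when the .pfx is imported.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Path
    )
    $pw = Read-Host -Prompt 'PFX password' -AsSecureString
    Export-PfxCertificate -Cert $Cert -FilePath $Path -Password $pw -ChainOption BuildChain
}

# --- usage: report on every certificate with a private key in the Personal store ---
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }
foreach ($c in $candidates) {
    Test-UserCertForAdfs -Cert $c -Upn $ExpectedUpn | Format-List
}

# Tip section: a closed port 49443 on the WAP looks like a certificate failure
# from the client side, so rule it out before digging into the CAPI2 log.
if (-not (Test-NetConnection -ComputerName $AdfsHost -Port 49443 -InformationLevel Quiet)) {
    Write-Warning "Cannot reach $AdfsHost on TCP 49443; check WAP publishing and firewall rules first."
}
```

A certificate that reports ClientAuthEku, HasPrivateKey, MapsToUser and ChainBuilds all as True is ready for step 11; a False ChainBuilds with a revocation message in ChainStatus points back at the CRL from part 1 rather than at the template.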
Testing on an Android Device (7.0)
13. Drop the same user cert (.pfx) onto your Android device (connect it via USB, memory card, etc.).
14. Select the user .pfx file and you will be prompted to provide a friendly name for the certificate and install it. Accept the default name and click OK.
15. To check the certs are installed correctly, go to Settings, Lock Screen and Security, Other Security Settings, User Certificates. You should see both the CA and user cert listed.
If you have a version of Android that doesn't have User Certificates in the Settings menu, another trick to find out which certificates are installed is to go to "Network Connections" (for Knox devices) or "Settings (Wireless & networks)" (for non-Knox). Then go to More > VPN > + add > Type = L2TP/IPSec RSA (or any RSA-related selection); the drop-down for "IPSec User Certificates" will show a list of the user certs installed on the device.
16. Test browser access first. Head to https://portal.office.com, put in the user's UPN and wait for the redirection to your ADFS page. Click "Use a Certificate" and you should be logged on.
17. If all that works, download OneDrive (or one of the other supported apps) and test the sign-in and certificate authentication flow.
Testing on an iOS Device
18. For iOS, email the same .pfx user certificate to yourself and install it on the device. The problem is that the certificate shows as "Not Verified" under the certificate profile, because the RootCA is not installed.
19. The only way that I know to get the RootCA installed is through MDM or via the Apple Configurator tool (which can only be installed on Mac OS). Because I don't own a MacBook, I'll create a Trusted CA certificate profile in Intune and deploy it (the screenshots below show how to create this profile when using Intune Hybrid or Standalone mode respectively):
20. After you have enrolled the device in Intune through the Company Portal, the RootCA will be deployed and the .pfx certificate that you copied earlier will now show as Verified.
21. Install the Authenticator app from the App Store (this is necessary for iOS but not Android).
22. Test to see if it works by installing Outlook (or OneDrive/Word/Excel/PowerPoint) and walking through the sign-in.