Auto-Enrollment - Avoid the challenges of making end users manage their certificates

Hello and welcome to My Blog. I am going to go over auto-enrollment in Microsoft Active Directory Certificate Services (ADCS).

Certificate Enrollment Methods

Windows clients can enroll for certificates using one of the following methods:

  1. Web Enrollment (the default URL is https://CAName/certsrv) where CAName is the name of the Issuing Certificate Authority.
  2. The MMC Enrollment wizard
  3. Programmatic enrollment through the CNG (Cryptography Next Generation) API in Windows Server 2008 and Windows Server 2008 R2, or through CryptoAPI in previous versions of Windows Server
  4. Offline requests that are submitted manually to a CA
  5. Automatic Certificate Request Settings (ACRS), the older mechanism used by versions of Windows prior to Windows XP and Windows Server 2003
  6. Autoenrollment

In this post I am going to go over autoenrollment to explain what it is and how it works.

AutoEnrollment.. What it is

Autoenrollment is a certificate enrollment method in ADCS that allows clients to seamlessly* enroll for certificates and to perform other handy housekeeping functions, including deleting revoked certificates from the local store and downloading root certificates from Active Directory. Because those housekeeping functions are useful for every client, it is a best practice to enable autoenrollment at the domain level in Group Policy rather than on specific OUs, and to control who actually enrolls for which certificate through the Access Control Lists on the certificate templates. Autoenrollment is triggered when a user logs on, when a machine starts, and when Group Policy is refreshed. It can be triggered manually by running gpupdate /force on the client, or with certutil -pulse, which fires the autoenrollment task directly without a full policy refresh.

*The experience is not seamless for user certificate templates that explicitly require user interaction during enrollment (the "Prompt the user during enrollment" setting on the template); those users get a prompt instead of a silent enrollment.

AutoEnrollment.. How it works

In order to troubleshoot autoenrollment, it is beneficial to understand how it works and the steps involved in it. Below are the autoenrollment steps at a high level:

  1. When a GPO with autoenrollment enabled is applied to a client, the client downloads every certificate template in the forest (templates live in the Configuration partition, so they are the same for every domain) and caches them in the registry under HKEY_CURRENT_USER\Software\Microsoft\Cryptography\CertificateTemplateCache for the user context and HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\CertificateTemplateCache for the computer context, each template in its own subkey.
  2. The client checks each cached template for the Read, Enroll and Autoenroll permissions (Autoenroll alone is not enough). If the user or computer, or a group it belongs to, holds all three, the client generates a key pair locally.
  3. If the template requires input from the user, a balloon appears in the system tray asking the user to complete the enrollment.
  4. The client builds a certificate request based on that template and sends it, together with the public key, to an issuing CA that has the template published.
  5. The issuing CA verifies the request against the template, signs a certificate containing the client's public key, stores it in its database and returns it to the client.
  6. If the template has the Publish certificate in Active Directory option set, the CA also publishes the certificate to the requester's Active Directory object (the userCertificate attribute), where other clients in the domain can find it.
  7. The client now holds a certificate bound to its locally generated private key and can use it.

If Key Archival is enabled on the template, the steps above differ slightly: the client encrypts its private key to the CA's exchange certificate and includes it in the request, and the CA archives that private key in its database before issuing the certificate.
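The following PowerShell script is an added example, not code from the original post. It performs the checks the client makes in steps 1, 2, 3 and 6 against one template, reading the template from the Configuration partition (the source the client's registry cache is built from) instead of the cache itself: it decodes the msPKI-Enrollment-Flag bits that control user interaction and AD publishing, collapses the template ACL into a per-principal list of Read, Enroll and Autoenroll rights, and reports whether the current user's token satisfies all three. It assumes a domain-joined machine and a domain user; the template CN `User` is a placeholder (use the template's CN, not its display name), and the check models the user context only, since the computer context runs as SYSTEM with a different token.

```powershell
param(
    [string]$TemplateName = 'User'   # placeholder: template CN (not the display name)
)

# Extended-right GUIDs for the two enrollment rights, fixed in the AD schema
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoenrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# msPKI-Enrollment-Flag bits that drive the steps described above
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2     # request waits for CA manager approval
$CT_FLAG_PUBLISH_TO_DS             = 0x8     # step 6: certificate is published to AD
$CT_FLAG_AUTO_ENROLLMENT           = 0x20    # template participates in autoenrollment
$CT_FLAG_USER_INTERACTION_REQUIRED = 0x100   # step 3: user gets the balloon prompt

# Bind to the template in the Configuration partition (source of the client's registry cache)
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
try   { $null = $template.psbase.Properties['distinguishedName'].Value }
catch { throw "Template '$TemplateName' not found under CN=Certificate Templates,$configNc" }

$flags = [int]$template.psbase.Properties['msPKI-Enrollment-Flag'].Value
[pscustomobject]@{
    Template                = $TemplateName
    AutoenrollmentAllowed   = ($flags -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0
    UserInteractionRequired = ($flags -band $CT_FLAG_USER_INTERACTION_REQUIRED) -ne 0
    PendsForApproval        = ($flags -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    PublishesToAD           = ($flags -band $CT_FLAG_PUBLISH_TO_DS) -ne 0
} | Format-List

# Step 2: collapse the ACL into per-principal Read / Enroll / Autoenroll. Only Allow ACEs are
# summarised; a Deny ACE overrides them and is worth inspecting separately if the verdict looks wrong.
$summary = @{}
$acl = $template.psbase.ObjectSecurity
foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
    if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
    $granted = @()
    if (([int]($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead)) -ne 0) { $granted += 'Read' }
    if (([int]($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) -ne 0) {
        # ObjectType Empty means the ACE grants every extended right, otherwise exactly one
        if ($rule.ObjectType -eq [Guid]::Empty -or $rule.ObjectType -eq $EnrollGuid)     { $granted += 'Enroll' }
        if ($rule.ObjectType -eq [Guid]::Empty -or $rule.ObjectType -eq $AutoenrollGuid) { $granted += 'Autoenroll' }
    }
    if ($granted.Count -eq 0) { continue }
    $sid = $rule.IdentityReference.Value
    if (-not $summary.ContainsKey($sid)) { $summary[$sid] = @() }
    $summary[$sid] += $granted
}

# Compare against the current user's token: user SID plus every group SID in the token
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

$report = foreach ($sid in $summary.Keys) {
    try   { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid }   # unresolvable (for example deleted) SID: show it raw
    [pscustomobject]@{
        Principal = $name
        Rights    = ($summary[$sid] | Sort-Object -Unique) -join ','
        InMyToken = $mySids -contains $sid
    }
}
$report | Sort-Object InMyToken -Descending | Format-Table -AutoSize

# Verdict: the client only builds a request when Read, Enroll and Autoenroll are all satisfied
$mine    = @($report | Where-Object InMyToken | ForEach-Object { $_.Rights -split ',' } | Sort-Object -Unique)
$missing = @('Read', 'Enroll', 'Autoenroll') | Where-Object { $mine -notcontains $_ }
if ($missing) { Write-Warning "Current user lacks $($missing -join ', ') on '$TemplateName'; autoenrollment will skip this template" }
else          { Write-Host "Current user holds Read, Enroll and Autoenroll on '$TemplateName'" }
```

Run it as the user whose enrollment you are troubleshooting; a user whose group membership changed since logon needs a fresh logon before the token check reflects it, which is also why autoenrollment itself often "starts working" only after the next logon.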

AutoEnrollment.. How to configure it

To configure autoenrollment, the following has to be done:

  1. Grant the Autoenroll permission to the subjects (users, computers or groups) on the certificate template. Open the Certificate Templates console (certtmpl.msc, or the Certificate Templates container from the Certification Authority console on the issuing CA), right-click the template you want to configure, open Properties and go to the Security tab. Add the user or group to the access control list if it is not there already and grant it Read, Enroll and Autoenroll; Autoenroll on its own does not work, the client also needs Read and Enroll. It is also a proven practice to grant the Authenticated Users group the Read permission. Finally, make sure the template is published on the issuing CA (Certification Authority console > Certificate Templates > New > Certificate Template to Issue); a template that is not published on any CA is never enrolled, no matter what its ACL says.
  2. Configure the Auto-Enrollment policy for the subjects (preferably for the entire domain, to make use of the other handy functions of autoenrollment mentioned above). Edit the group policy object you want to enable autoenrollment in and go to User Configuration > Windows Settings > Security Settings > Public Key Policies (use Computer Configuration for computer certificates; newer versions of GPMC insert a Policies node after the configuration node). Double-click Certificate Services Client - Auto-Enrollment, set Configuration Model to Enabled, and tick both Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates; the second box is what makes clients re-enroll when you modify or supersede a template.
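As an added example that is not part of the original post, here are both configuration steps done from PowerShell instead of the MMC consoles, followed by a read-back of each. It assumes a domain-joined administrative workstation with the GroupPolicy module from RSAT; the template CN `User`, the group `CONTOSO\PKI-AutoEnroll-Users` and the GPO name `PKI - User Autoenrollment` are placeholders. The meaning I attach to the AEPolicy registry value is noted in the comments as an assumption to confirm in GPMC.

```powershell
param(
    [string]$TemplateName = 'User',                          # placeholder: template CN, not display name
    [string]$Group        = 'CONTOSO\PKI-AutoEnroll-Users',  # placeholder: group that should autoenroll
    [string]$GpoName      = 'PKI - User Autoenrollment'      # placeholder: GPO created/used below
)

Import-Module GroupPolicy   # RSAT; provides New-GPO, New-GPLink, Set-/Get-GPRegistryValue

$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AutoenrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right

# ---- Step 1: template ACL, the same change the Security tab makes ----
$rootDse      = [ADSI]'LDAP://RootDSE'
$templatePath = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
$template     = [ADSI]$templatePath

$sid   = ([System.Security.Principal.NTAccount]$Group).Translate([System.Security.Principal.SecurityIdentifier])
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$read  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$ext   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Read, Enroll and Autoenroll together; Autoenroll by itself is ignored by the client.
# (Granting Read to Authenticated Users, as recommended above, is the same call with that SID.)
$rules = @(
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $read, $allow)
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $ext, $allow, $EnrollGuid)
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $ext, $allow, $AutoenrollGuid)
)
foreach ($rule in $rules) { $template.psbase.ObjectSecurity.AddAccessRule($rule) }
$template.psbase.CommitChanges()   # writes the new ACEs to the template object in the Configuration partition

# ---- Step 2: the Auto-Enrollment policy, linked at the domain root ----
$domainDn = $rootDse.defaultNamingContext
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    $null = New-GPO -Name $GpoName
    $null = New-GPLink -Name $GpoName -Target "$domainDn"
}

# The 'Certificate Services Client - Auto-Enrollment' dialog stores its state in the AEPolicy
# DWORD. Value 7 is what GPMC writes for Enabled with both checkboxes ticked (assumption based
# on my reading of the bits: 1 = renew expired/update pending/remove revoked, 2 = update
# certificates that use templates, 4 = fetch pending requests; 0x8000 = disabled).
# Open the GPO in GPMC afterwards and confirm the dialog shows exactly that.
foreach ($hive in 'HKCU', 'HKLM') {   # HKCU = User Configuration, HKLM = Computer Configuration
    $null = Set-GPRegistryValue -Name $GpoName -Key "$hive\Software\Policies\Microsoft\Cryptography\AutoEnrollment" `
                                -ValueName 'AEPolicy' -Type DWord -Value 7
}

# ---- Read back both steps ----
Get-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment' -ValueName 'AEPolicy' |
    Select-Object ValueName, Type, Value
([ADSI]$templatePath).psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

# Two things this script deliberately leaves to you: publishing the template on the issuing CA
# (on the CA: certutil -SetCATemplates +<TemplateName>, or the 'Certificate Template to Issue'
# action in the CA console) and kicking a client, with gpupdate /force or, for the
# autoenrollment task alone, certutil -pulse.
```

The read-back of the ACL should list three rules for the group: one with GenericRead and an empty ObjectType, and two ExtendedRight rules whose ObjectType is the Enroll and Autoenroll GUID respectively. Remember that the template change lives in the Configuration partition and the GPO in the domain, so both need to replicate to the domain controller a client talks to before the next policy refresh picks them up.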