As the previous episode on certificate auto-enrollment showed, the role of certificates, and the automation of their issuance, spans PKI-enabled services: RADIUS, EFS, etc.
With Windows Server, a modest amount of setup lets administrators deploy auto-enrollment into their AD infrastructure.
However, implementing AD CS features, like Active Directory services in general, requires a solid understanding of their building blocks: OUs, scope, GPOs, security principals, etc.
That is why the simple Certificate Enrollment lab in the previous video may have failed for you.
This video helps you review your Windows AD CS knowledge: the concepts, and the cause-and-effect relationships among components.
First of all, under normal conditions the certificate is delivered to the targeted objects (users) as soon as Group Policy has been refreshed on both the server side and the client side.
If it is not, there is a chance the certificate template has not been published, in which case there is no way the Group Policy engine can apply the auto-enrollment policy.
[00:23] Request Certificates
You can request the following types of certificates. Select the certificates you want to request, and then click Enroll.
[00:37] Before certificates can be issued by a certification authority (CA), the certificate template must be added to a CA.
How a client obtains a certificate is primarily controlled by the security properties of the certificate template.
When certificate templates are published on a server, each template contains an access control list (ACL) that defines the specific operations a subject can perform with a certificate.
[01:32] "Issuing Certificates Based on Certificate Templates" – technet.microsoft.com
Autoenroll: the selected group or user can submit a certificate request based on this template by way of autoenrollment.
Autoenroll permission does not include Enroll permission. To use Autoenroll permission, grant both permissions.
[01:47] We have checked that the certificate template is published and reviewed its security ACL.
Now, let's refresh Group Policy on the client side: gpupdate /force
Next is the auto-enrollment GPO configuration on the Windows Server 2008 R2 CA.
Edit this policy through Group Policy Management Editor (GPMC), go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
If you are enabling certificate autoenrollment, you can select the following check boxes:
+ Update certificates that use certificate templates: enable autoenrollment for the issuance of certificates that supersede issued certificates.
[02:50] "Configure Certificate Autoenrollment" – technet.microsoft.com
[03:07] Let's refresh Group Policy on both the CA and the Windows 7 client.
User policy update has completed successfully.
Remember that a GPO itself also carries an ACL of security principals, which is how you go about "Filtering the Scope of a GPO":
By default, a GPO affects all users and computers that are contained in the linked site, domain, or organizational unit. The administrator can further specify the computers and users that are affected by a GPO by using membership in security groups.
So when our auto-enrollment GPO is linked to our domain, that does not mean every object (user/computer) in the domain is affected by the policy.
That forms a triangle of permissions governing an auto-enrolled entity (and not only these): the certificate template's security principals, the GPO's scope, and its filters.
Each has its own purpose, and in practice they complement each other to provide the flexibility that secure scenarios demand.
Every administrator should understand these controls and keep them consistent by ensuring that:
– where they overlap, the result is still the intended objects.
– naming confusion among security containers (OUs, groups, etc.) is eliminated.
– the organizational model is in place: topology, structure, membership.
In a real environment the range of issues expands dramatically because of its characteristics: the number of users, physical link latency, longer mandatory synchronization schedules, additional layers of firewalls, and even downtime in the DNS infrastructure, any of which can cause critical problems.
[04:08] Group Policy relies on Kerberos, and on authenticating correctly through DNS.
[04:19] "Certificate Templates Overview" – technet.microsoft.com
By default, Windows Firewall enables all outbound network traffic, and it allows only inbound traffic that is enabled by firewall rules. This topic identifies the TCP and UDP ports for which you must have active firewall rules to allow the inbound traffic. This allows Group Policy to perform remote Group Policy Results reporting from client computers and to perform remote Group Policy refresh to client-based computers.
Group Policy refreshes every 90 minutes with a randomized offset of 30 minutes. If you change policy right now, it could be as much as 2 hours before all of your clients get the policy. (Depending on how long Sysvol replication takes in your AD (or if you have a DC on the other side of a slow connection), it could possibly be longer.)
[04:49] There are a few changes in Group Policy that require a reboot for the computer or a logoff/login for the user.
[05:08] Make sure you double-check each step in the auto-enrollment process: certificate template publishing, template permissions, GPO scope definitions, etc.
[05:58] While deciphering the auto-enrollment error, we found that we had applied the wrong Group Policy configuration: we need a User certificate, but the Computer Configuration had been deployed.
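The three checks the video walks through (template published on a CA, Enroll plus Autoenroll rights on the template, and which autoenrollment policy, Computer or User, actually applied) can be scripted. This is an added example, not code from the video; it assumes a domain-joined host with the ActiveDirectory PowerShell module, and the template name and group name are placeholders for your own values.

```powershell
# Added example: verify the auto-enrollment prerequisites discussed above.
# Assumptions: ActiveDirectory module present, read access to the Configuration partition.
Import-Module ActiveDirectory

$TemplateName  = 'User'                   # placeholder: CN of the template duplicated in part 1
$PrincipalName = 'CONTOSO\Domain Users'   # placeholder: group that should auto-enroll

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiPath  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Is the template published on at least one enrolling CA?
#    Each CA object under Enrollment Services lists its published templates in certificateTemplates.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiPath" `
                    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates
$publishedOn = $cas | Where-Object { $_.certificateTemplates -contains $TemplateName } |
               Select-Object -ExpandProperty Name
if ($publishedOn) { "Template '$TemplateName' is published on: $($publishedOn -join ', ')" }
else { "Template '$TemplateName' is NOT published on any CA; the GP engine cannot auto-enroll it." }

# 2. Does the principal hold BOTH the Enroll and Autoenroll extended rights on the template?
#    These GUIDs identify the two certificate-template extended rights in the AD schema.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$acl = Get-Acl -Path "AD:\CN=$TemplateName,CN=Certificate Templates,$pkiPath"
$rights = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $PrincipalName -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}
# Note: a Full Control (GenericAll) ACE on the template also implies both rights; not covered here.
$hasEnroll     = [bool]($rights | Where-Object { $_.ObjectType -eq $EnrollGuid })
$hasAutoEnroll = [bool]($rights | Where-Object { $_.ObjectType -eq $AutoEnrollGuid })
"Enroll: $hasEnroll  Autoenroll: $hasAutoEnroll  (both must be True for $PrincipalName)"

# 3. Which autoenrollment policy applied on this machine? User certificates need the USER policy.
#    AEPolicy is the registry value written by the Public Key Policies setting;
#    assumption: bit 0x8000 set means the policy is disabled, absent means not configured.
foreach ($hive in 'HKLM', 'HKCU') {
    $key   = "$($hive):\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $val   = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    $scope = if ($hive -eq 'HKLM') { 'Computer' } else { 'User' }
    if ($null -eq $val)        { "$scope autoenrollment policy: not configured" }
    elseif ($val -band 0x8000) { "$scope autoenrollment policy: disabled" }
    else                       { "$scope autoenrollment policy: enabled (AEPolicy=0x{0:X})" -f $val }
}
```

Run it on the Windows 7 client after gpupdate /force; if step 3 shows the Computer policy enabled and the User policy not configured, you have the exact mistake found at 05:58.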
Troubleshooting AD CS PKI is not a try-and-fail job in the real scenario!
Every component has its own role and its own connections to the others; like bricks forming a wall, each one must be laid in order, block by block.
It is recommended that you hire an AD CS consultant firm to deal with this advanced issue.
[07:12] "Windows Administration: Your Guide to Group Policy Troubleshooting" – technet.microsoft.com
[07:20] In the meantime, you can enroll manually so that secure operations continue: file encryption, web server services, etc.
Well done: we have taken our first steps in deploying AD CS PKI by working through a simple lab and then debugging its issues, which shapes your knowledge of a security service with vast real-world application.
Let's stay a while to see whether it is worth investing in AD CS PKI infrastructure, following on from part 1: "Duplicate and configure the User certificate template permissions to enable AD CS PKI auto-enrollment".
You can see that the EFS settings in Group Policy have their own section, in which certificate issuance is defined explicitly.
If certificates are missing because of administrator mistakes, users' file access can be left disabled.
That is the foundation of a secure infrastructure: the whole system must be implemented and protected, from servers to users to software; a single weak point can be leveraged as an attack vector, in a RADIUS-enabled wireless network, for instance.
Another example of this core principle of the PKI model: you may see an insecure-content warning while browsing an HTTPS site, which means some elements of the page are being loaded over a plain HTTP channel.
That is why you should not let this happen, even in difficult situations where, for compatibility reasons (OS versions, device types), you have to mix WLAN authentication between pre-shared keys and certificates, leave EFS encryption unenforced, make client certificates on the IIS HTTPS web server optional, and so on.
[08:38] Watch for my next installment, "Configuring Active Directory Lightweight Directory Services", on my YouTube channel :3