How to Use Active Directory Certificates in Devices for Authentication

You can use a certification authority in Active Directory Certificate Services (AD CS) to issue user and computer certificates for user and device authentication. You can then use these certificates for authentication in the Wi-Fi, VPN, and Exchange ActiveSync server profiles instead of an account's user name and password.

This section only applies when you use the Active Directory Certificate Service to issue your certificate. If you are using the Delinea Tenant Certificate Authority, you can skip this section. See Enabling the Registration Policy to Use User and Computer Certificates.

To use certificates from your Active Directory certification authority

  1. You must create user or computer certificate templates on the Windows Certificate Authority server used by the Delinea Connector. In addition, you need to configure the host computer for each of your Delinea Connectors so that it can revoke certificates. See Creating the Certificate Templates.

  2. After you create the templates, Privileged Access Service automatically requests the certificates from the certification authority and installs them on the device when the user registers it.

  • If you are using Active Directory group policy for device policy management, you can select the certification authority when you configure Device Policy Management—see How to Select the Policy Service for Device Management. If you are using Delinea directory policy service for device policy management and select the Active Directory Certificate Service, Privileged Access Service uses the default Active Directory Certificate Services certification authority only.

  • In many cases, additional server configuration is required before you can use certificates for authentication. See your server’s documentation for the details.

The procedures in this section assume that you have a working Active Directory Certificate Services certificate authority within your domain and you have sufficient permissions to modify the settings.

Enabling the Registration Policy to Use User and Computer Certificates

Before you can use certificates for authentication, you need to set the registration policy to enable automatic enrollment and renewal. The following procedure shows you how to set the Certificate Registration Policy for user and computer certificates in the Default Domain Policy. However, you can also set them on a group-by-group basis.


To enable computer and user certificate registration policies:

  1. Open the Group Policy Management plug-in on the connector, right-click the Default Domain Policy, and click Edit.

  2. To enable the certificate enrollment policy for computer certificates, expand Computer Configuration > Policies > Windows Settings > Security Settings and click Public Key Policies.

  3. Double-click Certificate Services Client - Certificate Enrollment Policy.

  4. In the Configuration Model menu, select Enabled.

  5. Click OK.

  6. To enable the certificate enrollment policy for user certificates, expand User Configuration > Policies > Windows Settings > Security Settings and click Public Key Policies.

  7. Double-click Certificate Services Client - Certificate Enrollment Policy.

  8. In the Configuration Model menu, select Enabled.

  9. Click OK.

Creating the Certificate Templates

The certificate templates you create are used when you configure Wi-Fi, VPN, and Exchange profiles. The certification authority uses these templates to issue the client certificates that are installed on devices. When you configure Wi-Fi, VPN, and Exchange to use a certificate template, the connector service account must have Read and Enroll permissions on that template; without them, the connector cannot find the templates. The following screenshot provides a reference.

[Screenshot: certificate template Security tab showing the connector service account with Read and Enroll permissions]

You create certificate user and computer templates on the Active Directory certificate authority server you defined. See How to Select the Policy Service for Device Management.

The templates you create must be named as follows, including the uppercase letters:

Computer-ClientAuth

User-ClientAuth

In some cases, you specify in the profile which type of certificate (user or computer) to use for authentication (for example, the iOS Wi-Fi profile) while others require you to use either the computer or the user certificate. To simplify profile configuration, we recommend creating both templates.

You use the Microsoft Management Console (MMC) on the certification authority server designated in the Delinea Connector to create the templates.

To create computer and user certificate templates:

  1. Launch certsrv.msc (the Certification Authority console) on the Windows server where the certification authority is installed.

  2. Expand the certification authority, right-click Certificate Templates, and click Manage.

  3. Right-click Computer and choose Duplicate Template.

    To create the User-ClientAuth template, you right-click User instead and then choose Duplicate Template.

  4. Click the Compatibility tab, select Windows Server 2008 and click OK.

  5. Click the General tab and enter Computer-ClientAuth in the Template display name text box.

    This action also automatically fills in the Template name field.

    If you are creating the user template, enter User-ClientAuth instead.

  6. Set the Validity period and Renewal period values.

  7. Click the Subject Name tab and select Supply in the request.

  8. Click the Security tab, select Authenticated Users, and select the Enroll permission.

  9. On the same tab, select Domain Computers and select the Enroll permission.

    Because the subject name is supplied in the request, every principal that holds Enroll on this template can request a client-authentication certificate for whatever subject it names. If only the connector service account and the connector host computers need to request these certificates, grant Enroll to those principals rather than to all Authenticated Users and Domain Computers.

  10. Click OK and close the Certificate Templates Console.

  11. In the MMC, right-click Certificate Templates, click New, and click Certificate Template to Issue.

  12. Click Computer-ClientAuth and click OK.

    If you are creating the user template, click User-ClientAuth instead and click OK.

    The templates you create should now appear in the Certificate Templates folder.
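The following PowerShell script is an added verification example for the procedure above; it is not Delinea code and not part of the original page. It reads the two templates from the AD configuration partition and reports whether each exists, supplies the subject in the request, carries the Client Authentication EKU, is published on at least one CA, and grants Enroll to the connector service account (directly or through Authenticated Users). The connector account name is an assumed placeholder; the enroll right GUID and flag value are the standard AD CS constants.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not Delinea code). Verifies the Computer-ClientAuth and
  User-ClientAuth templates created in the procedure above.
  $ConnectorAccount is an assumption: replace it with your connector service account.
#>
param(
    [string[]]$TemplateName     = @('Computer-ClientAuth', 'User-ClientAuth'),
    [string]  $ConnectorAccount = 'CONTOSO\svc-delinea-connector'   # assumption
)

$ClientAuthEku           = '1.3.6.1.5.5.7.3.2'                            # id-kp-clientAuth
$EnrollRightGuid         = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$EnrolleeSuppliesSubject = 1                                              # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Templates published on each enrollment service (CA) in the forest
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates }

function Test-ClientAuthTemplate {
    param([string]$Name)

    $t = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" -LDAPFilter "(cn=$Name)" `
           -Properties msPKI-Certificate-Name-Flag, pKIExtendedKeyUsage, nTSecurityDescriptor
    if (-not $t) { return [pscustomobject]@{ Template = $Name; Exists = $false } }

    # Principals allowed to enroll: an Allow ACE carrying the Enroll extended right
    # (or all extended rights, ObjectType = empty GUID), or GenericAll.
    $enrollers = foreach ($ace in $t.nTSecurityDescriptor.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights    = [int]$ace.ActiveDirectoryRights
        $hasEnroll = (($rights -band $ExtendedRight) -ne 0) -and ($ace.ObjectType -in @($EnrollRightGuid, [guid]::Empty))
        $hasFull   = ($rights -band $GenericAll) -eq $GenericAll
        if ($hasEnroll -or $hasFull) { $ace.IdentityReference.Value }
    }

    [pscustomobject]@{
        Template           = $Name
        Exists             = $true
        SubjectFromRequest = ([int]$t.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject) -ne 0
        ClientAuthEku      = ([string[]]$t.pKIExtendedKeyUsage) -contains $ClientAuthEku
        Published          = $published -contains $Name
        EnrollGrantedTo    = ($enrollers | Sort-Object -Unique) -join ', '
        ConnectorCanEnroll = ($enrollers -contains $ConnectorAccount) -or
                             ($enrollers -contains 'NT AUTHORITY\Authenticated Users')
    }
}

$results = $TemplateName | ForEach-Object { Test-ClientAuthTemplate -Name $_ }
$results | Format-List

# Subject supplied in the request plus broad Enroll rights lets any domain principal
# request a client-auth certificate naming an arbitrary subject; flag that combination.
foreach ($r in $results) {
    if ($r.Exists -and $r.SubjectFromRequest -and $r.EnrollGrantedTo -match 'Authenticated Users') {
        $msg = '{0}: subject is supplied in the request and Authenticated Users can enroll; ' +
               'consider granting Enroll only to the connector account(s).'
        Write-Warning ($msg -f $r.Template)
    }
}
```

Run it on a domain-joined machine with the RSAT ActiveDirectory module as any domain user (template objects and their ACLs are readable by Authenticated Users). A template that reports Exists but not Published was created but never issued in step 11, which is the most common reason the connector cannot find it.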

Revoking Certificates for Unregistered Devices

By default, the certification authority does not revoke a device's certificates when the device is unregistered. For the connector to revoke them, you must grant the host computer of each Delinea Connector the "Issue and Manage Certificates" permission on the certification authority.

To enable certification authority to revoke certificates when devices are unregistered:

  1. Launch certsrv.msc (the Certification Authority console) on the Windows server where the certification authority is installed.

  2. Right-click the certification authority and click Properties.

  3. Click the Security tab.

  4. Click the Add button and select the host computer for the Delinea Connector.

    Click Object Types, select Computers, and click OK so that computer objects are included in the search. Then enter the first few characters of the computer name and click Check Names to resolve it.

    Select the computer and click OK.

  5. Select the computer from the Group or user names list and set the Issue and Manage Certificates permission to Allow.

  6. Click OK.

  7. Repeat this procedure for all of your connector host computers.
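The following PowerShell script is an added example of the revocation that the "Issue and Manage Certificates" permission enables; it is not Delinea's own revocation code and is not part of the original page. It queries the CA database for issued certificates, revokes those issued from the two templates above to the named device, and publishes a fresh CRL. The CA config string and the device name are assumed placeholders, and the script assumes the connector placed the device name in the certificate's subject CN, since the templates supply the subject in the request.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not Delinea code). Revokes the Computer-ClientAuth / User-ClientAuth
  certificates issued to an unregistered device and publishes a new CRL.
  Must run as an identity holding "Issue and Manage Certificates" on the CA
  (and Read on the CA, to query its database).
  $CAConfig and $DeviceName are assumptions: replace them with your values.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]  $CAConfig   = 'ca01.contoso.com\Contoso Issuing CA',   # assumption: "<host>\<CA common name>"
    [string]  $DeviceName = 'ipad-jdoe-0042',                        # assumption: CN the connector supplied in the request
    [string[]]$Template   = @('Computer-ClientAuth', 'User-ClientAuth'),
    [int]     $Reason     = 5   # CRL reason: 5 = cessationOfOperation (device unregistered), 1 = keyCompromise (device lost)
)

# Duplicated templates are V2 or later, so the CA database records their OID rather than
# the name; collect both forms so the filter below matches either.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$templateIds = foreach ($name in $Template) {
    $obj = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
             -LDAPFilter "(cn=$name)" -Properties msPKI-Cert-Template-OID
    $name
    if ($obj) { $obj.'msPKI-Cert-Template-OID' }
}

# Disposition 20 = issued. certutil emits one header line followed by quoted CSV rows.
$raw = & certutil -config $CAConfig -view -restrict 'Disposition=20' `
         -out 'RequestID,SerialNumber,CertificateTemplate,CommonName' csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed (exit $LASTEXITCODE): $($raw -join ' ')" }
$issued = $raw | Select-Object -Skip 1 | Where-Object { $_ } |
          ConvertFrom-Csv -Header RequestID, SerialNumber, Template, CommonName

# Keep only this device's certificates that came from one of our templates
$targets = foreach ($row in $issued) {
    if ($row.CommonName -ne $DeviceName) { continue }
    foreach ($id in $templateIds) {
        if ($row.Template -like "*$id*") { $row; break }
    }
}
if (-not $targets) { Write-Host "No issued certificates found for $DeviceName on $CAConfig."; return }

foreach ($cert in $targets) {
    $what = "serial $($cert.SerialNumber) (request $($cert.RequestID), template $($cert.Template))"
    if ($PSCmdlet.ShouldProcess($what, "revoke with reason $Reason")) {
        $out = & certutil -config $CAConfig -revoke $cert.SerialNumber $Reason
        if ($LASTEXITCODE -ne 0) {
            throw "Revocation of $what failed: $($out -join ' '). Does this identity hold Issue and Manage Certificates on $CAConfig?"
        }
    }
}

# Relying parties (NPS/RADIUS, VPN gateways, Exchange) only see the revocation once a CRL
# containing it is published, so publish one now instead of waiting for the scheduled CRL.
if ($PSCmdlet.ShouldProcess($CAConfig, 'publish new CRL')) {
    & certutil -config $CAConfig -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed (exit $LASTEXITCODE)" }
}
```

Run it first with -WhatIf to see which serial numbers would be revoked. If `certutil -revoke` returns an access-denied error while `certutil -view` succeeds, the running identity has Read on the CA but lacks "Issue and Manage Certificates", which is exactly the gap the procedure above closes for each connector host.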