Confirming that the Windows server (Certificate Authority) is set up properly to support auto-enrollment of certificates on Mac computers

This section describes how the RADIUS server must be configured to support 802.1X wireless configuration for Mac computers.

Internet Information Services (IIS) supports CertEnroll and CertSrv URLs

IIS must support the CertEnroll and CertSrv URLs to enable web-based access to certificate tasks.

To verify that IIS supports the CertEnroll and CertSrv URLs

  1. On the Windows Certificate Authority server, click Start > Administrative Tools > Server Manager to open Server Manager.
  2. Expand Roles > Web Server (IIS) and click Internet Information Services (IIS) Manager.
  3. In the Connections pane on the right, expand Sites > Default Web Site. You should see CertEnroll and CertSrv listed under the site.

Windows public key group policies are set to trust the root certificate authority and enroll certificates automatically

Through group policy settings, the root certificate must be imported into the Trusted Root Certification Authorities group policy and set to enroll certificates automatically.

To verify that Windows public key group policies are set to trust the root certificate authority and enroll certificates automatically

  1. On the Windows Certificate Authority server, click Start > Administrative Tools > Server Manager to open the Group Policy Management Editor.
  2. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and select Trusted Root Certification Authorities.

    You should see your root certificate listed.

  3. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and double-click Certificate Services Client - Auto-Enrollment.

  4. In Configuration Model select Enabled.

  5. Select both boxes, Renew expired certificates and Update certificates that use certificate templates.

  6. Click OK to save the policy.
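The two checks above (CertEnroll and CertSrv under the default site, and the auto-enrollment group policy) can also be read back from the CA host instead of clicking through the consoles. This is an added example, not part of the Centrify guide; it assumes the WebAdministration and GroupPolicy modules are installed, that the setting was enabled in Default Domain Policy as the later note describes, and the AEPolicy bit meanings noted in the comments are an assumption.

```powershell
# Added example, not from the Centrify guide. Run on the CA/IIS host in an
# elevated PowerShell; assumes the WebAdministration and GroupPolicy modules
# and that auto-enrollment was enabled in 'Default Domain Policy'.
param([string]$GpoName = 'Default Domain Policy')
Import-Module WebAdministration
Import-Module GroupPolicy

# CertEnroll (virtual directory) and CertSrv (application) under Default Web Site
$children = Get-ChildItem 'IIS:\Sites\Default Web Site' | Select-Object -ExpandProperty Name

# CertSrv requires Windows authentication, so probe it with the current credentials
try {
    $certSrvStatus = (Invoke-WebRequest -UseBasicParsing -UseDefaultCredentials `
                        -Uri 'http://localhost/certsrv/').StatusCode
} catch { $certSrvStatus = $_.Exception.Message }

# Certificate Services Client - Auto-Enrollment writes AEPolicy under this key.
# Assumed bit meanings: 0x8000 disabled, 0x2 renew expired/update pending,
# 0x4 update certificates that use templates; both boxes ticked yields 7.
$ae = Get-GPRegistryValue -Name $GpoName -ValueName AEPolicy `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
        -ErrorAction SilentlyContinue
$aeValue = if ($ae) { [int]$ae.Value } else { $null }

[pscustomobject]@{
    CertEnrollPresent = $children -contains 'CertEnroll'
    CertSrvPresent    = $children -contains 'CertSrv'
    CertSrvHttp       = $certSrvStatus          # 200 when the page is reachable
    AEPolicy          = $aeValue
    AutoEnrollEnabled = ($null -ne $aeValue) -and (($aeValue -band 0x8000) -eq 0)
    RenewExpired      = ($null -ne $aeValue) -and (($aeValue -band 0x2) -ne 0)
    UpdateTemplates   = ($null -ne $aeValue) -and (($aeValue -band 0x4) -ne 0)
}
```

A missing AEPolicy value means the policy is Not Configured, which the Mac clients will treat the same as disabled.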

A certificate template is configured to automatically enroll domain computers

To automatically enroll domain computers, you must have a certificate template that supports auto-enrollment for domain computers.

To configure a certificate template to automatically enroll domain computers

  1. On the Windows Certificate Authority server, open an mmc console that contains the Certification Authority and Certificates snap-ins (Start > Run > mmc.exe).
  2. If snap-ins for Certificate Templates, Certificates, and Certification Authority are not displayed under Console Root in the navigation pane, add them now. To do so, click File > Add/Remove Snap-in.
    1. Select Certificate Templates and click Add.

    2. Click Certificates and click Add.

    3. Select Computer Account and click Next.

    4. Select Local computer and click Finish.

    5. Select Certification Authority and click Add.

    6. Select Local computer and click Finish.

    7. Click OK.

  3. Select Certificate Templates (domainController) in the navigation pane.

  4. In Certificate Templates, duplicate the Workstation Authentication certificate. Right-click Workstation Authentication and select All Tasks > Duplicate Template.

  5. Perform the following steps in the Properties of New Template dialog:

    1. In the General tab, type a template name of your choice (for example, Mac Auto-Enroll Certificates) in the Template name field (do not use special characters such as brackets and asterisks). Type the same name in the Template display name field so that the template displays by that name in the Certificate Templates list.

    2. In the Extensions tab, select Application Policies > Edit. In the resulting dialog, select Add > Server Authentication and click OK.

    3. In the Extensions tab, verify the Client Authentication is already in the application policy list. If it is not, add it in the same way that you added the Server Authentication policy.

    4. In the Subject Name tab, select Build from this Active Directory information. In the Subject name format field, select Fully distinguished name. In the Include this information in alternate subject name list, select User Principal Name (UPN).

    5. In the Security tab, select Domain Computers (domainController) and ensure that the template is enabled for Enroll and Autoenroll.

    6. Click Apply and OK to save your settings.

  6. Verify that the new template has been added to the certification authority.

    Expand Console Root > Certification Authority > domainController and select Certificate Templates. You should see that the certificate template that you have configured for auto-enrollment is contained in the certification authority for the domain.

    If the new certificate template is not contained in the certification authority, add it now:

    1. In the navigation pane, right-click Certificate Templates under Console Root > Certification Authority > domainController.

    2. Select New > Certificate Template to Issue.

    3. Scroll to the newly created template, select it, and click OK.

  7. Enable the following group policy:

    • On Windows 2008: Computer configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment Settings.

    • On Windows 2012: Computer configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment

      Note: To enable a group policy, open the Group Policy Management console by selecting Start > Administrative Tools > Group Policy Management. In the Group Policy Management console navigation pane, expand Group Policy Management > ForestName > Domains > DomainName > Group Policy Objects. Right-click Default Domain Policy and select Edit. In the resulting Group Policy Management Editor, navigate to the group policy described above and double-click the group policy. In the resulting dialog, select Enabled in the Configuration Model field.

  8. On the Mac computer, download the certificates by executing the following commands in a terminal window:

    sudo adflush
    adgpupdate

  9. Verify that the certificates were downloaded:

    1. On the Mac computer, open Keychain Access and verify that the certificates are there.

    2. On the Mac computer, verify that the certificates are in /var/centrify/net/certs.

    3. On the Windows Certificate Authority server, open the Certification Authority console (Start > Run > certsrv.msc) and verify that the certificates are in the Issued Certificates folder.

A certificate template is configured to automatically enroll domain users

To automatically enroll domain users, you must have a certificate template that supports auto-enrollment for domain users.

To configure a certificate template to automatically enroll domain users

  1. On the Windows Certificate Authority server, open an mmc console that contains the Certification Authority and Certificates snap-ins (Start > Run > mmc.exe).
  2. Verify that the snap-ins described in Step 2 on page 86 are present under Console Root in the navigation pane. If they are not, add them now as described in Step 2 on page 86.
  3. Select Certificate Templates (domainController) in the navigation pane.
  4. In Certificate Templates, duplicate the User certificate. Right-click User and select All Tasks > Duplicate Template.
  5. Perform the following steps in the Properties of New Template dialog:
    1. In the General tab, type a template name in the Template name field. Type the same name in the Template display name field so that the template displays by that name in the Certificate Templates list. For Mac, you can specify a name of your choice (do not use special characters such as brackets and asterisks). For mobile devices, the template name must be User-ClientAuth.

    2. In the Security tab, select Domain Users (domainController) and ensure that the template is enabled for Enroll and Autoenroll.

    3. Optionally, in the Subject Name tab, select Build from this Active Directory information. De-select the Include email in subject name and E-mail name check boxes. If you perform this step, Active Directory users do not need an email address.

  6. Verify that the new template has been added to the certification authority as described in Step 6 on page 87. If the new certificate template is not contained in the certification authority, add it now as described in Step 6 on page 87.

  7. Enable the following group policy:

    • On Windows 2008: Computer configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment Settings.

    • On Windows 2012: Computer configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment.

      Note: See Step 7 on page 88 for details about how to enable the group policy.

  8. On the Mac computer, download the certificates by executing the following commands in a terminal window.

    As the local Administrator:

    sudo adflush

    As an Active Directory user:

    adgpupdate

  9. Verify that the certificates were downloaded:

    1. On the Mac computer, open Keychain Access and verify that the certificates are in the Login keychain.

    2. On the Mac computer, verify that the certificates are in ~/.centrify/:

      ls -l ~/.centrify/
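The template settings chosen in the Properties of New Template dialog (steps 4 and 5 of both the domain computer and the domain user procedure) and the CA publication check (step 6) are stored in Active Directory and can be verified there. This is an added example, not part of the Centrify guide; it assumes the RSAT ActiveDirectory module and a domain-joined session, the template name Mac Auto-Enroll Certificates and the group names are taken from the guide, and the flag bits and rights GUIDs are the documented MS-CRTD and AD values.

```powershell
# Added example, not from the Centrify guide. Checks a template built by the
# steps above (computer or user variant) against the settings they describe.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
param(
    [string]$Template = 'Mac Auto-Enroll Certificates',  # name chosen in step 5.1
    [string]$Group    = 'Domain Computers',              # 'Domain Users' for the user template
    [switch]$UserTemplate                                # user template: no Server Auth / UPN checks
)
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext
$pki = "CN=Public Key Services,CN=Services,$cfg"
$t = Get-ADObject -SearchBase "CN=Certificate Templates,$pki" -LDAPFilter "(cn=$Template)" `
        -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag'
if (-not $t) { throw "Template '$Template' not found under $pki" }

$eku         = @($t.pKIExtendedKeyUsage)
$nameFlags   = [int]$t.'msPKI-Certificate-Name-Flag'    # bit values from MS-CRTD
$enrollFlags = [int]$t.'msPKI-Enrollment-Flag'

# Security tab: Enroll and Autoenroll are extended rights identified by these GUIDs.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoGuid   = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$netbios = (Get-ADDomain).NetBIOSName
$rules = (Get-Acl "AD:\$($t.DistinguishedName)").Access |
         Where-Object { $_.AccessControlType -eq 'Allow' -and "$($_.IdentityReference)" -eq "$netbios\$Group" }
function Test-Right([guid]$Right) {
    [bool]($rules | Where-Object {
        $_.ActiveDirectoryRights -match 'GenericAll' -or
        ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
         ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $Right)) })
}

# Step 6: each CA's pKIEnrollmentService object lists the templates it issues.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pki" `
         -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates

[pscustomobject]@{
    Template           = $t.Name
    ClientAuthEKU      = $eku -contains '1.3.6.1.5.5.7.3.2'
    ServerAuthEKU      = $UserTemplate -or ($eku -contains '1.3.6.1.5.5.7.3.1')
    SubjectIsADDN      = ($nameFlags -band 0x80000000) -ne 0     # Fully distinguished name
    SanHasUPN          = $UserTemplate -or (($nameFlags -band 0x02000000) -ne 0)
    AutoenrollFlag     = ($enrollFlags -band 0x20) -ne 0          # CT_FLAG_AUTO_ENROLLMENT
    GroupCanEnroll     = Test-Right $enrollGuid
    GroupCanAutoenroll = Test-Right $autoGuid
    PublishedByCA      = [bool]($cas | Where-Object { $_.certificateTemplates -contains $t.Name })
}
```

Every field should be True before running adflush and adgpupdate on the Mac; a False PublishedByCA is the case handled by the "Certificate Template to Issue" sub-steps of step 6.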