Autoenrollment Connector : Interaction with Windows

Introduction

This page describes the installation procedure of the active directory and the configuration steps that must be performed so that it interacts with the MTG Autoenrollment Connector (AEC). It walks through a clean installation for the purpose of using the AEC and focuses on the interaction between the Windows components and the AEC.

Several steps may have already been performed in your organization (e.g., some components may already be installed). Deviations from real-world installations are expected.

This page serves descriptive purposes only and is not a replacement for guides on installing, securing or hardening an active directory, configuring DNS, or other administrative tasks. It is meant to assist an administrator in configuring Windows systems to use the AEC.

Security and hardening aspects of the installation and configuration of Windows components are not covered on this page. Security warnings shown in screenshots must be addressed in real-world installations.

Overview

Existent Active Directory Installation lists the requirements for an existing active directory installation and the data that must be configured at the AEC.

Active Directory Installation describes the active directory installation procedure. It also covers promoting the server to a domain controller and installing the Certification Authority Management Tools.

User Management describes the process of creation and configuration of Windows users that are necessary for the AEC to function properly.

Computers briefly covers the configuration of the AEC as a service and computer that can be reached from the Windows domain.

AEC provides the necessary configuration of AEC for the examples in this page.

Configure Templates shows the configuration of certificate templates and discusses the Autoenrollment configuration.

Enrollment Policies demonstrates the configuration of the enrollment process and how to configure Windows components to use the AEC.

Clients briefly describes the update of the policy at the client side, in order to request a certificate over AEC.

Existent Active Directory Installation

In most cases, an active directory is already present. For several security mechanisms to be able to function properly, TLS must be active.

Configure the domain name of the host where the active directory runs at the ldap.server.host property of application.properties.

Active Directory Installation

Installation Steps

Server Manager

Go to Server Manager.

Figure 1. Server Manager.

Add Active Directory

Choose Manage ~ Add Roles and Features.

Figure 2. Roles and Features.

A configuration wizard starts. The first page of the wizard is shown below.

Figure 3. Configuration Wizard — First Page.

Choose the server where the active directory should be installed.

Figure 4. Configuration Wizard — Destination Choice.

Choose the corresponding services for the active directory.

Figure 5. Configuration Wizard — Active Directory Services.

The Add Features window will appear. Click "Add Features".

Figure 6. Configuration Wizard — Add Features.

Click Next.

Figure 7. Configuration Wizard — Proceed with Wizard.

If it is not activated, activate Group Policy Management.

Figure 8. Configuration Wizard — Group Policy Management.

Click Next.

Figure 9. Configuration Wizard — Proceed with Wizard.

Click Install.

Figure 10. Configuration Wizard — Install Active Directory.

Close the dialog after successful installation.

Figure 11. Configuration Wizard — Installed Active Directory.
Configure the domain name of the host where the active directory runs at the ldap.server.host property of application.properties, for example:
ldap.server.host=ad.demo.mtg

Promote to Domain Controller

You can promote the server to a domain controller. To do this, select Notifications ~ Promote this server to a domain controller.

Figure 12. Promote to Domain Controller.

Choose 'Add a new forest' and provide the root domain name (in this example demo.mtg).

Figure 13. Domain Controller Configuration Wizard — Deployment Configuration.

Provide a password and click Next.

Figure 14. Domain Controller Configuration Wizard — Provide password.

Proceed with the wizard.

Figure 15. Domain Controller Configuration Wizard — Proceed with Wizard.

Wait for the NetBIOS name to be resolved.

Figure 16. Domain Controller Configuration Wizard — Resolve NetBIOS Name.

Provide the NetBIOS domain name.

Figure 17. Domain Controller Configuration Wizard — Provide NetBIOS Name.

Proceed with the wizard.

Figure 18. Domain Controller Configuration Wizard — Proceed with Wizard.

Proceed with the wizard.

Figure 19. Domain Controller Configuration Wizard — Proceed with Wizard.

Finish the installation as shown below.

Figure 20. Domain Controller Configuration Wizard — Finish Installation.

Your system will then restart.

Add Certification Authority Management Tools

Under Server Manager ~ Manage ~ Add Roles and Features run the wizard as shown above, and now add Certification Authority Management Tools.

Figure 21. Add Certification Authority Management Tools.

Configure TLS

Check that the AD is reachable as an LDAP directory. To do this, open a cmd window and run ldp. Provide the domain name of the server and 389 as the port (389 is the default LDAP port).

A connection should be established. See also Figure 22 on how to start the LDAP client tool and connect to server.

Figure 22. Start LDAP Client Tool and Check Connection.

Trying the same for port 636 with SSL checked will fail at this point, because the server has no TLS certificate yet.

Figure 23. Connection Settings for SSL/TLS.

Copy the root CA and sub CA certificates to the server, together with a PKCS12 file containing the keys and certificates of the active directory server.

Open cmd and type mmc to get the Microsoft Management Console. Click File and Add/Remove Snap-in…

Figure 24. Microsoft Management Console — Add Snap-in.

Select Certificates, click Add and then click OK.

Figure 25. Add Certificates.

Choose Computer account and click Next.

Figure 26. Certificates Snap-in for Computer Account.

Choose Local computer and then Finish.

Figure 27. Certificates Snap-in for Local Computer.

Add the root CA certificate under Trusted Root Certification Authorities (Figure 28). Then also add the sub CA certificate under Intermediate Certification Authorities.

Figure 28. Add Root CA Certificate as Trusted Root.

Finally, import the private keys and certificates of the active directory server under Personal.

Figure 29. Import Private Keys and Certificates of the Active Directory Server.

You should now be able to connect to LDAP over TLS (Figure 23).

User Management

Add Users

For AEC to operate, two service accounts need to be created in the active directory. The first is the service account aec-service. This is the account of the AEC. The second account is the aec-ldap-user. This is an active directory user, needed by AEC to bind to active directory and perform LDAP operations.

Create Account aec-service

Under Tools ~ Active Directory Users and Computers, add the aec-service user.

Figure 30. Active Directory Users and Computers.

Go to Users.

Figure 31. Users.

Add user.

Figure 32. Add User.

Provide a user logon name for this user. Choose aec-service.

Figure 33. Provide User Logon Name.

Provide the password for this user and choose Password never expires. Finish the dialog to create the user.

Figure 34. Provide Password.

As a final step, activate support for AES128 and AES256 for this account.

Figure 35. Activate AES Support for Kerberos.

Then set the Service Principal Name (SPN) to the active directory for this user account:

setspn -s HTTP/aec-service.demo.mtg aec-service

which has the form HTTP/<FQDN where AEC runs>.

Configure the principal name of this user at the app.auth.service-principal property of application.properties, for example:
app.auth.service-principal=HTTP/aec-service.demo.mtg
The SPN of the user must match the domain name of the server running the AEC. In this example, the domain name of the server running the AEC must be aec-service.demo.mtg (see also Computers).

Then create a keytab file for this user to store its credentials. Note that +rndPass replaces the account password with a random value, so the password entered in Figure 34 is no longer valid after this step.

ktpass -out application.keytab -mapUser aec-service@DEMO.MTG +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/aec-service.demo.mtg@DEMO.MTG

General use:
ktpass -out <keytab-path> -mapUser <service-user-account-name>@<domain-name-in-upper-case-letters> +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ <service-principal-name>@<domain-name-in-upper-case-letters>
Configure the application.keytab file at the app.auth.keytab-location property of application.properties, for example:
app.auth.keytab-location=application.keytab

Create Account aec-ldap-user

Create a user performing the same steps as before, using aec-ldap-user as user logon name (do not set SPN or keytab yet, just create the user).

This user must be able to write certificates into the AD. Therefore, this user must be added to the Cert Publishers group.

Navigate to aec-ldap-user and click Add to a group.

Figure 36. Add user to Group.

Type CERT and click Check Names (Figure 37) to resolve the group name, then choose Cert Publishers (Figure 38).

Figure 37. Add to Group — Check.
Figure 38. Add to Group — Choose Group.

Finish the dialog by clicking OK.

Figure 39. Add to Group — Finish.

Then create a keytab file for this user to store its credentials.

ktpass -out aec-ldap-user.keytab -mapUser aec-ldap-user@DEMO.MTG +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ aec-ldap-user@DEMO.MTG

General use:
ktpass -out <keytab-path> -mapUser <ldap-user-account-name>@<domain-name-in-upper-case-letters> +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ <ldap-user-principal-name>@<domain-name-in-upper-case-letters>
Configure the aec-ldap-user.keytab file at the ldap.auth.keytab-location property of application.properties, for example:
ldap.auth.keytab-location=aec-ldap-user.keytab
Configure the principal name of this user at the ldap.auth.service-principal property of application.properties, for example:
ldap.auth.service-principal=aec-ldap-user@DEMO.MTG
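As an added check that is not part of this page or of the AEC, the following Python script parses a keytab in the MIT format that ktpass writes (such as application.keytab and aec-ldap-user.keytab above) and reports whether it holds the expected principal, i.e. the value configured at app.auth.service-principal or ldap.auth.service-principal, and only AES keys. The sample keytab is constructed inside the script with dummy key bytes.

```python
import struct
# Kerberos enctype numbers (RFC 3961/3962); 23 is RC4-HMAC, the fallback for accounts without AES enabled.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES_ENCTYPES = {17, 18}

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT-format keytab (version 0x0502, as ktpass writes)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = int.from_bytes(data[pos:pos + 4], "big", signed=True)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                              # a negative size marks a deleted slot
            ncomp = int.from_bytes(data[pos:pos + 2], "big")
            strings, pos = [], pos + 2            # realm first, then the name components
            for _ in range(ncomp + 1):
                n = int.from_bytes(data[pos:pos + 2], "big")
                strings.append(data[pos + 2:pos + 2 + n].decode())
                pos += 2 + n
            _, _, vno, enctype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
            pos += 13 + klen                      # name_type, timestamp, vno8, keyblock
            if end - pos >= 4:                    # optional 32-bit kvno overrides the 8-bit one
                vno = int.from_bytes(data[pos:pos + 4], "big")
            entries.append(("/".join(strings[1:]) + "@" + strings[0], vno, enctype))
        pos = end
    return entries

def check_keytab(data, expected_principal):
    """Findings for a keytab: expected principal present and every key an AES key; [] means OK."""
    entries, findings = parse_keytab(data), []
    if expected_principal not in {p for p, _, _ in entries}:
        findings.append(f"principal {expected_principal} not in keytab")
    for principal, vno, enctype in entries:
        if enctype not in AES_ENCTYPES:
            findings.append(f"{principal} kvno {vno} uses {ENCTYPE_NAMES.get(enctype, enctype)}")
    return findings

def build_entry(principal, vno, enctype, key):
    """Constructed keytab entry (name type KRB5_NT_PRINCIPAL = 1) used for the sample below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, vno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab for the AEC service principal from this page; key bytes are dummies.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/aec-service.demo.mtg@DEMO.MTG", 3, 18, b"\x11" * 32)
```

Run check_keytab on the real file with the principal from application.properties; an empty result means the keytab and the property agree and no RC4 key is present.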

Computers

Set Domain Name for the AEC

The computer where the AEC application runs must be made known to the Windows system. Go to DNS management.

Figure 40. DNS Management.

Add a new host.

Figure 41. Add New Host.

Provide a domain name for the IP address where the AEC application runs, in this example 198.51.100.90. The name must be aec-service.

It is important that the FQDN, the SPN, and the names are consistent with each other.

Figure 42. Provide a Domain Name for the IP.

Figure 43 shows that the computer has been properly registered.

Figure 43. AEC Computer Registered.

Finally, increment the serial number of the Start of Authority (SOA) record and click Apply, as shown below.

Figure 44. Choose SOA.
Figure 45. Increment SOA.

AEC

The AEC service must be able to verify and work with Kerberos tokens that arrive from the various clients. In the previous section, the configuration of the name of the service was described. Additionally, a Kerberos configuration file is necessary for the AEC to be able to work with the Kerberos protocol.

Listing 1 shows the configuration file needed by the Kerberos protocol. The values in this file follow the configured domain demo.mtg of this document.

Configure the location of this file at the app.auth.krb5.conf property of application.properties, for example:
app.auth.krb5.conf=krb5.conf
Listing 1. Kerberos krb5.conf — Example file
[libdefaults]
default_realm = DEMO.MTG
default_tkt_enctypes = aes256-cts aes128-cts
default_tgs_enctypes = aes256-cts aes128-cts
permitted_enctypes = aes256-cts aes128-cts
udp_preference_limit = 1

[realms]
DEMO.MTG = {
kdc = ad.demo.mtg
default_domain = demo.mtg
}

[domain_realm]
.demo.mtg = DEMO.MTG
demo.mtg = DEMO.MTG
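The following Python script is added here and is not part of this page or of the AEC. It parses application.properties and a krb5.conf laid out like Listing 1 and reports where the SPN, the realm of the LDAP user's principal, and the permitted enctypes disagree with the configured default realm. Both sample files are constructed inline from this page's demo.mtg values, and the property names are the ones used on this page.

```python
# Constructed sample inputs carrying the demo.mtg values from this page.
APPLICATION_PROPERTIES = """ldap.server.host=ad.demo.mtg
app.auth.service-principal=HTTP/aec-service.demo.mtg
ldap.auth.service-principal=aec-ldap-user@DEMO.MTG"""
KRB5_CONF = """[libdefaults]
default_realm = DEMO.MTG
permitted_enctypes = aes256-cts aes128-cts
[realms]
DEMO.MTG = {
  kdc = ad.demo.mtg
}
[domain_realm]
.demo.mtg = DEMO.MTG
demo.mtg = DEMO.MTG"""
def parse_properties(text):  # Java-style key=value lines
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in text.splitlines() if "=" in l)}

def parse_krb5(text):  # minimal krb5.conf parser: {section: {key: value}}, realm blocks nested by name
    conf, sect, block = {}, None, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line[0] == "[":
            sect, block = line.strip("[]"), None
            conf[sect] = {}
        elif line[-1] == "{":
            block = line[:-1].strip(" =")
            conf[sect][block] = {}
        elif line == "}":
            block = None
        else:
            key, val = (s.strip() for s in line.split("=", 1))
            (conf[sect][block] if block else conf[sect])[key] = val
    return conf

def realm_for_host(host, domain_realm):  # [domain_realm] lookup: exact host first, then longest suffix
    labels = host.lower().split(".")
    cands = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((domain_realm[c] for c in cands if c in domain_realm), None)

def check_consistency(props, conf):
    """Findings where application.properties and krb5.conf disagree; an empty list means consistent."""
    realm, findings = conf["libdefaults"]["default_realm"], []
    dr = {k.lower(): v for k, v in conf["domain_realm"].items()}
    spn = props["app.auth.service-principal"].split("@")[0]
    if not spn.startswith("HTTP/") or realm_for_host(spn[5:], dr) != realm:
        findings.append(f"{spn} is not HTTP/<FQDN of the AEC host> inside realm {realm}")
    if props["ldap.auth.service-principal"].partition("@")[2] != realm:
        findings.append(f"ldap.auth.service-principal must end in @{realm} (realm in upper case)")
    weak = [e for e in conf["libdefaults"].get("permitted_enctypes", "").split() if not e.startswith("aes")]
    return findings + ([f"non-AES enctypes permitted: {' '.join(weak)}"] if weak else [])
```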

Configure Templates

In this section, the setup of the templates for user and computer autoenrollment is described.

User Templates for Autoenrollment

Open cmd and type mmc to get the Microsoft Management Console (see Figure 24) and add Certificate Templates as shown below.

Figure 46. Add Certificate Templates.

In the certificate templates view, duplicate the User template to obtain a new template that you can configure for autoenrollment.

Figure 47. Duplicate User Template.

Set the name of this new template in the General tab.

Figure 48. Set Template Name.
The template name User_Autoenrollment must be configured in the mapping.json file of AEC under certTemplates.

Then, allow Autoenroll for the group or users that should receive certificates (in Figure 49, Domain Users).

Figure 49. Allow Autoenroll for Domain Users.

The new template is now listed.

Figure 50. New Template.

Computer Templates for Autoenrollment

Use the template named Computer for duplication and repeat the steps described in User Templates for Autoenrollment.

Enrollment Policies

Start the AEC. The following steps require the service to be properly configured and running.

Computer Configuration

To request certificates, Windows clients query a policy server to receive information about the templates and the location of the enrollment server.

In this section, the configuration of the location of AEC as a policy server is described.

This configuration is performed under Group Policy Management.

Figure 51. Open Group Policy Management.

Edit the default policy of the domain.

Figure 52. Edit Default Domain Policy.

Choose the configuration of the certificate enrollment policy.

Figure 53. Choose Certificate Enrollment Policy.

The AEC must be enabled and added as a new policy server.

Figure 54. Enable and Add a New Policy Server.

The URL of AEC must be entered. This URL can then be validated.

Figure 55. Enter Policy Server URL and Validate.

A successful validation is shown below.

Figure 56. Successful Validation of the Policy Server URL.

The newly configured policy server will then appear in the list of policy servers. It should be chosen as the default certificate enrollment policy.

Figure 57. Appearance in the List and Set as Default.

Auto Enrollment

Finally, autoenrollment can be configured, as shown in the two figures below.

Figure 58. Choose Auto-Enrollment.
Figure 59. Enable Auto-Enrollment.

User Configuration

The steps are similar to the steps described in Computer Configuration and are not further described here.

Distribute Root and Sub CA Certificate

Import the root CA certificate into the policy, in order for it to be distributed to other clients. Edit default domain policy (see Figure 52) and import the root CA certificate.

Figure 60. Import Root CA Certificate.

To import the sub CA certificate, perform the above under Intermediate Certification Authorities.

Clients

The server-side configuration is ready. You should also update the policy on the client side, as shown below, in order to receive the newest policy containing the newly configured policy servers, templates, etc.

Listing 2. Update Policy
gpupdate /force

You can also check whether the new policies are properly set:

Listing 3. Get the Policy Cache for this Computer
certutil -policyserver * -policycache
Listing 4. Get the Policy Cache for the User who is Logged in
certutil -f -user -policyserver * -policycache

Then request a new certificate for the user or computer you are working on.