Autoenrollment Connector: Windows Integration

This guide describes how to configure the MTG Autoenrollment Connector (AEC) with Microsoft Active Directory. It covers installation, configuration, template setup, and client enrollment in a step-by-step workflow.

This page serves descriptive purposes only and is not a replacement to guides on installing, securing, or hardening an Active Directory, configuring DNS, or other administrative actions. It is meant as assistance to an administrator for the configuration of Windows systems to use the AEC.

Security and hardening aspects of the installation and configuration of Windows components are not covered in this page. Security warnings shown in screenshots must be addressed in real-world installations.

Overview

Several steps may have already been performed in your organization (e.g., some components may already be installed). Deviations from real-world installations are expected.

This documentation covers:

Active Directory installation or verification of existing setup
TLS configuration for secure LDAP communication
Service account creation and Kerberos configuration
Certificate template configuration for autoenrollment
Group Policy setup for enrollment policies
Client-side policy updates and certificate requests

Prerequisites

Existing Active Directory (AD) domain or new installation (instructions below)
Administrator rights on Windows Server
Access to AEC configuration files (application.properties, keytab files)

1. Verify or Install Active Directory

If Active Directory is already present in your environment, verify it is properly configured. If not, follow the installation steps below.

Configure the domain name at the ldap.server.host property of application.properties, where Active Directory runs.

Example: ldap.server.host=ad.demo.mtg

Install Active Directory Domain Services

Server Manager

Choose Manage → Add Roles and Features.

Roles and Features

A configuration wizard starts.

Configuration Wizard – First Page

The first page of the wizard is shown. Click Next.

Configuration Wizard – Destination Choice

Choose the server where Active Directory should be installed.

Configuration Wizard – Active Directory Services

Choose the corresponding services for Active Directory.

Configuration Wizard – Add Features

The Add Features window will appear. Click Add Features.

Configuration Wizard – Proceed with Wizard

Click Next.

Configuration Wizard – Group Policy Management

If it is not activated, activate Group Policy Management.

Configuration Wizard – Proceed with Wizard

Click Next.

Configuration Wizard – Install Active Directory

Click Install.

Configuration Wizard – Installed Active Directory

Close the dialog after successful installation.

Promote to Domain Controller

You can promote the server to a domain controller. To do this, select Notifications → Promote this server to a domain controller.

Domain Controller Configuration Wizard – Deployment Configuration

Choose Add a new forest and provide the root domain name (in this example demo.mtg).

Domain Controller Configuration Wizard – Provide Password

Provide a password and click Next.

Domain Controller Configuration Wizard – Proceed with Wizard

Proceed with the wizard.

Domain Controller Configuration Wizard – Resolve NetBIOS Name

Wait for the NetBIOS name to be resolved.

Domain Controller Configuration Wizard – Provide NetBIOS Name

Provide the NetBIOS domain name.

Domain Controller Configuration Wizard – Proceed with Wizard

Proceed with the wizard.

Domain Controller Configuration Wizard – Proceed with Wizard

Proceed with the wizard.

Domain Controller Configuration Wizard – Finish Installation

Finish the installation. Your system will then restart.

Add Certification Authority Management Tools

Under Server Manager → Manage → Add Roles and Features, run the wizard as shown above, and now add Certification Authority Management Tools.

2. Configure TLS for LDAP

For several security mechanisms to function properly, TLS must be active on LDAP.

Verify LDAP Connectivity

Start LDAP Client Tool and Check Connection

Check that AD as an LDAP directory is running. To do this, open a cmd window and run ldp. Provide the domain of the server and 389 as a port (389 is the default port of LDAP). A connection should be established.

Connection Settings for SSL/TLS

Trying the same for port 636 with SSL checked will fail (before configuration).

Import Certificates for TLS

Copy the root CA and sub CA certificate on the server, and a PKCS12 file containing the keys and certificates of the Active Directory server.

Microsoft Management Console – Add Snap-in

Open cmd and type mmc to get the Microsoft Management Console. Click File and Add/Remove Snap in….

Add Certificates

Select Certificates, click Add, and then click OK.

Certificates Snap-in for Computer Account

Choose Computer account and click Next.

Certificates Snap-in for Local Computer

Choose Local computer and then Finish.

Add Root CA Certificate as Trusted Root

Import the root CA certificate under Trusted Root Certification Authorities. After adding the root, also add the sub CA certificate under Intermediate Certification Authorities.

Import Private Keys and Certificates

Finally import the private keys and certificates of the Active Directory server under Personal.

You should now be able to connect to LDAP over TLS (port 636 with SSL enabled).

3. Create Service and LDAP User Accounts

For AEC to operate, two service accounts need to be created in Active Directory:

aec-service – The service account of the AEC
aec-ldap-user – An Active Directory user needed by AEC to bind to Active Directory and perform LDAP operations

Create Account aec-service

Active Directory Users and Computers

Under Tools → Active Directory Users and Computers, add the aec-service user.

Users

Go to Users.

Add User

Add user.

Provide User Logon Name

Provide a user logon name for this user. Choose aec-service.

Provide Password

Provide the password for this user and choose Password never expires. Finish the dialog to create the user.

Activate AES Support for Kerberos

As a final step, activate support for AES128 and AES256 for this account.

Then set the Service Principal Name (SPN) to the Active Directory for this user account:

setspn -s HTTP/aec-service.demo.mtg aec-service

Which has the form HTTP/<FQDN where AEC runs>.

Configure the principal name of this user to the app.auth.service-principal property of application.properties.

Example: app.auth.service-principal=HTTP/aec-service.demo.mtg

The SPN of the user must match the domain name of the server running the AEC. In this example, the domain name of the server running AEC must be set to aec-service.demo.mtg.

Then create a keytab file for this user to store its credentials:

ktpass -out application.keytab -mapUser aec-service@DEMO.MTG +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/aec-service.demo.mtg@DEMO.MTG

General use:

ktpass -out <keytab-path> -mapUser <service-user-account-name>@<domain-name-in-upper-case-letters> +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ <service-principal-name>@<domain-name-in-upper-case-letters>

Configure application.keytab file to the app.auth.keytab-location property of application.properties.

Example: app.auth.keytab-location=application.keytab

Create Account aec-ldap-user

Create a user performing the same steps as before, using aec-ldap-user as user logon name. This user must be able to write certificates into the AD. Therefore, this user must be added to the Cert Publishers group.

Add User to Group

Navigate to aec-ldap-user and click Add to a group.

Add to Group – Check

Check the group name.

Add to Group – Choose Group

Select the Cert Publishers group.

Add to Group – Finish

Finish the dialog by clicking OK.

Then create a keytab file for this user to store its credentials:

ktpass -out aec-ldap-user.keytab -mapUser aec-ldap-user@DEMO.MTG +rndpass -mapOp set +DumpSalt -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL -princ aec-ldap-user@DEMO.MTG

General use:

ktpass -out <keytab-path> -mapUser <ldap-user-account-name>@<domain-name-in-upper-case-letters> +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ <ldap-user-principal-name>

Configure aec-ldap-user.keytab file to the ldap.auth.keytab-location property of application.properties.

Example: ldap.auth.keytab-location=aec-ldap-user.keytab

Configure the principal name of this user to the ldap.auth.service-principal property of application.properties.

Example: ldap.auth.service-principal=aec-ldap-user@DEMO.MTG

4. Register AEC Computer in DNS

The computer where the AEC application runs must be made known to the Windows system.

DNS Management

Go to DNS management.

Add New Host

Add a new host.

Provide a Domain Name for the IP

Provide a domain name for the IP where the AEC application runs (in this example at 198.51.100.90). The name must be aec-service. It is important that FQDN, SPN, and names are consistent with each other.

AEC Computer Registered

The computer has been properly registered.

Choose SOA

Navigate to Start of Authority.

Increment SOA

Finally, increment the Start of Authority and click Apply.

5. Configure AEC and Kerberos

The AEC service must be able to verify and work with Kerberos tokens that arrive from various clients. A Kerberos configuration file is necessary for AEC to work with the Kerberos protocol.

Kerberos krb5.conf Example

The values in this file follow the configured domain demo.mtg of this document.

[libdefaults]
default_realm = DEMO.MTG
default_tkt_enctypes = aes256-cts aes128-cts
default_tgs_enctypes = aes256-cts aes128-cts
permitted_enctypes = aes256-cts aes128-cts
udp_preference_limit = 1

[realms]
DEMO.MTG = {
  kdc = ad.demo.mtg
  default_domain = demo.mtg
}

[domain_realm]
.demo.mtg = DEMO.MTG
demo.mtg = DEMO.MTG

Configure the location of this file at the app.auth.krb5.conf property of application.properties.

Example: app.auth.krb5.conf=krb5.conf

6. Configure Certificate Templates

In this section, the setup of templates for user and computer autoenrollment is described.

User Templates for Autoenrollment

Add Certificate Templates

Open cmd and type mmc to get the Microsoft Management Console. Add Certificate Templates.

Duplicate User Template

In the certificate templates view, duplicate the User template to retrieve a new template that you can configure for autoenrollment.

Set Template Name

You must set the name of this new template in the General tab.

The template name User_Autoenrollment must be configured in the mapping.json file of AEC under certTemplates.

Allow Autoenroll for Domain Users

Then allow autoenroll for a certain group or users.

New Template

The new template is now listed.

Computer Templates for Autoenrollment

Use the template named Computer for duplication and repeat the steps described in User Templates for Autoenrollment.

7. Configure Enrollment Policies

You need to start AEC. For this step, it is required that the service is properly configured and in operation.

Computer Configuration

To request certificates, Windows clients query a policy server to receive information about the templates and location of the enrollment server. In this section, the configuration of the location of AEC as a policy server is described. This configuration is performed under Group Policy Management.

Open Group Policy Management

Open Group Policy Management.

Edit Default Domain Policy

Edit the default policy of the domain.

Choose Certificate Enrollment Policy

Choose the configuration of the certificate enrollment policy.

Enable and Add a New Policy Server

The AEC must be enabled and added as a new policy server.

Enter Policy Server URL and Validate

The URL of AEC must be entered. This URL can then be validated.

Successful Validation of the Policy Server URL

A successful validation is shown.

Appearance in the List and Set as Default

The newly configured policy server will then appear in the list of policy servers. It should be chosen as default certificate enrollment policy.

Choose Auto-Enrollment

Navigate to Auto-Enrollment settings.

Enable Auto-Enrollment

Enable Auto-Enrollment for the computer configuration.

User Configuration

The steps are similar to the steps described above.

Distribute Root and Sub CA Certificates

Import Root CA Certificate

Import the root CA certificate into the policy, in order for it to be distributed to other clients. Edit default domain policy and import the root CA certificate.

To import the sub CA certificate, perform the above under Intermediate Certification Authorities.

8. Update Clients and Request Certificates

The server-side configuration is ready. You should also update the policy at the client-side, in order to receive the newest policy containing the newly configured policy servers, templates, etc.

Update Policy

gpupdate /force

Get the Policy Cache for this Computer

You can also check whether the new policies are properly set:

certutil -policyserver * -policycache

Get the Policy Cache for the User who is Logged in

certutil -f -user -policyserver * -policycache

Then request a new certificate for the user or computer you are working on.