How to Create User and Computer Certificates with Auto-enrollment Using Server 2012 R2

-

In this article, I will walk through how to create user and machine certificates using Microsoft Windows Server 2012 R2. We will also take a look at how to enable auto-enrollment of certificates to users and machines. This post is particularly useful if you would like to create User and Computer certificates for authentication against Cisco Identity Services Engine (ISE).

The methods I have used in this particular article may differ depending on your active directory groups and group policies but in theory, you should be able to apply the same principles and achieve the same results.
This article assumes you already have a CA running within your server environment along with a user to test enrolment of certificates.

Create Certificate Templates

The first thing we need to do is to create certificate templates. Default templates do exist but it’s easier to duplicate them and change the settings to what you need for your environment.
On Server 2012, open your server manager dashboard and select Tools > Certification Authority. This should open the Certification Authority as shown in the screenshot below.
Expand your CA until you see ‘Certificate Templates‘. Right-click ‘Certificate Templates’ and click ‘Manage’ to manage the templates.
You should be presented with the ‘Certificate Templates Console’ as shown in the screenshot below.
We will start off by duplicating the user template. The following settings are based on the video demonstration I have given, feel free to specify the required settings for your organization.
Find ‘User’ and right-click and select ‘Duplicate Template’. Enter the following settings:
  1. General Tab > Template display name: User-Template
  2. Subject Name: Choose the settings shown in the screenshot below
Note: The fields you have selected for the subject name must be populated for your users. If the fields are not populated the certificates may not be issued. (Check out my video at the bottom of the screen as I demonstrate this).
  1. Security: Select the relevant user groups for your domain and select the permissions shown in the screenshot below
Extensions: Click Edit > Add and select ‘Server Authentication’ followed by ‘OK’. You’ll see the following screenshot. Then click ‘OK’ and ‘Apply’ to complete the user template.
Now we will create the machine template by duplicating the ‘Workstation Authentication’ template. Now configure the following settings:
  1. General Tab > Template display name: Machine-Template
  2. Subject Name: Choose the settings shown in the screenshot below
  1. Security: Select the relevant user groups for your domain and select the permissions shown in the screenshot below
Extensions: Click Edit > Add and select ‘Server Authentication’ followed by ‘OK’. You’ll see the following screenshot. Then click ‘OK’ and ‘Apply’ to complete the user template.
That should complete the creation of both user and computer templates. Now we need to add the certificate templates to the local CA. To do this head back to your CA screen and right-click ‘Certificate Templates’ > New > Certificate Template to Issue as shown in the screenshot below.
Locate the two templates you just created and with them both selected press ‘OK’ to enable the two new certificate templates. Once enabled you should see them within the certificate templates in your CA as shown in the screenshot below.

Configure Auto-enrollment of Certificates

With our User and Machine certificate templates created we need a way to push them to our machines and users. To do this we can use auto-enrolment, this is disabled by default but is fairly straight-forward to enable.
To enable auto-enrollment on your Server Manager click Tools > Group Policy Management. Once Group Policy Management opens expand your forest until you reach the ‘Default Domain Policy’. If you already have other policies configured feel free to use those, the same theory should apply.
Right-click on the ‘Default Domain Policy’ and ‘Edit’, we will start by enabling auto-enrollment for the machines. Click Computer Configuration > Windows Settings > Security Settings > Public Key Policies and you should be able to see ‘Certificate Services Client – Auto-Enrollment’ at the bottom of the screen, as shown in the screenshot below.
Double-click on ‘Certificate Services Client – Auto-Enrollment’ and enter the following settings
That completes auto-enrollment for machines, now follow the same principles for enabling auto-enrolment for users.

Testing & Troubleshooting

We’re all set! We should be able to test and confirm that our machines and users are indeed automatically getting certificates.
With a device that is joined to your domain, log into the device with a domain user. Once logged in, press the Windows button and type ‘MMC’. Once opened click File > Add/Remove Snap-in and select ‘Certificates’. A snap-in window should appear like the one in the screenshot below.
Start by selecting ‘My user account‘ and then click ‘Add’ again to select ‘Computer account’. When selecting the computer account, select ‘Local Computer’ and click ‘Ok’ to finish adding the snap-ins. You should now have a screen like the screenshot below.
Double click on Certificates – Current User > Personal > Certificates and if all has gone to plan you should see the certificate that has been assigned to the user. You can also do the same to check the machine certificate.
If you encounter issues you should check the server CA failed requests, pending requests and issued certificates. All this information is provided towards the end of my video below.



#MicrosoftPKI #Micros #MicrosoftCertificates #PKI #LabEveryday #CertificateAutoenrollment #WindowsUserandMachineCertificates #HowtoCreateUserandComputerCertificateswithAutoenrollmentUsingServer2012R2 #labeveryday #CreateUserandComputerCertificateswithServer2012
Kelvin Charles - Network and Cyber Security Professional.

Popular Posts

Capturing EAPOL and RADIUS Using Wireshark

-
Image
In this article we are going to take a look at how to capture Extensible Authentication Protocol Over LAN (EAPOL) and Remote Authentication Dial-In User Service (RADIUS) packets using Wireshark. This article can be useful for troubleshooting 802.1x within your environment and can also be used for learning purposes. The following topology has been used to gather the required output for this article. Note: This article will only cover the switch configurations that are required to gather EAPOL and RADIUS configuration. Overview of the Topology The supplicant is configured to perform 802.1x using EAP-TLS as the authentication method The user certificate on the supplicant will be used for authentication The supplicant has Wireshark installed Cisco ISE is used for authentication and authorisation The supplicant is assigned to VLAN 10 upon authentication and all other endpoint ports are assigned to VLAN 99 Sniffer device is running Wireshark in order to capture RADIUS flows via SPAN 802.1x
Read more

Configuring Cisco Smart License Software

-
In this article, I would like to demonstrate how to configure Cisco Smart Licensing on the virtual Cisco Adaptive Security Appliance (ASAv). This post assumes that readers already have access to there own Smart Account and would like to know the process of applying licenses. Step 1: Generate ID Token Sign into your Cisco Software Portal: software.cisco.com and navigate to “Smart Software Licensing” You will now need to create an ID token for your device, this is required for communication between the device and the licensing authority. Follow the steps below to create a new token. Click Inventory >>> General >>> New Token and select your preferred options and enter a description for your token. Once you are happy with your token settings click Create Token . You should now have a token created which can be copied over to the device you wish to license. All commands and output from this point will be related to the ASA so please seek out further advice if you wish
Read more

Cisco :: FXOS Authentication Using TACACS

-
In this article, I will describe how to enable authentication and authorization for Firepower eXtensible Operating System (FXOS) devices. The use case presented in this document illustrates how Cisco Identity Services Engine (ISE) can be utilised with attribute-value pairs (AV-Pairs) to authenticate and authorize users accessing the Firepower Chassis Manager (FCM) or FXOS platforms via TACACS+. At the time of writing this post, I found that limited documentation existed and of that documentation that did exist, the examples given weren’t as straightforward. In an effort to make this process easier for my colleagues and customers to understand I have put together the following instructions based on a previous use case given to me. Extracts of this document have been taken from a wider document I am currently creating. I will update this article with the complete document when it has been finalized. Requirements A ‘Device Administration’ license is required in order to use TACACS+ with
Read more

Configuring Remote Access VPN on Firepower

-
Image
In this article we are going to take a look at how to configure remote access VPN's on Firepower devices. This demonstration is based on the following lab environment: Cisco Virtual Firepower Management Center Cisco Virtual Firepower Threat Defense Cisco ISE 2.6 Windows host with AnyConnect VPN Windows Server 2019 (CA Server) All Firepower devices are running version 6.5 Note: ISE is used for authentication and authorization in the following lab however the configuration elements of ISE are out of scope for this demonstration. Generate a CSR for Remote Access VPN's Those accessing your network remotely need to trust the service you're running. Without the correct trust users could face issues connecting via VPN. With access to the FMC navigate to Objects > Object Management > PKI > Cert Enrollment Assuming you are opting for manual enrollment, select 'Manual' in Enrollment Type and copy the CA Certificate BASE-64 into the field. Now select the 'Certifi
Read more

Kali Linux :: CAM Table Overflow Attack Demonstration

-
Image
As part of my on-going studying for the CCNA Security 210 – 260 certification I have been exploring different types of network attacks, one of which is CAM table overflow attacks. In this article I would like to share what I have learnt and provide a demonstration of the attack carried out in a lab environment. To understand my demonstration, you first need to understand how a CAM table overflow attack works and what happens as a result of the attack.   Switches build Content Addressable Memory (CAM) tables based on mac-addresses and port numbers. When a switch receives a frame it checks the table to see if the source mac-address is already known, if the source mac-address is unknown the switch will add the mac-address to the table along with the port number. The switch then checks the destination layer two frame and if no entry exists the switch broadcasts the frame out of all ports except the port in which the frame was received. Presuming the destination mac-address wants to respond
Read more