Scribd Logo
Upload

Welcome to Scribd!

  • 4 views

    Always ON

    Uploaded by

    Nikola Tasevski
    This document outlines the steps to configure certificate autoenrollment for servers and users in an Active Directory environment. It involves configuring certificate templates on a Certificate Authority server, enabling autoenrollment via Group Policy on the domain controller, and creating security groups for VPN and NPS servers and users. Client certificates will then be automatically issued to domain-joined Windows 10 machines.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Always ON

    Uploaded by

    Nikola Tasevski
    4 views3 pages
    This document outlines the steps to configure certificate autoenrollment for servers and users in an Active Directory environment. It involves configuring certificate templates on a Certificate Authority server, enabling autoenrollment via Group Policy on the domain controller, and creating security groups for VPN and NPS servers and users. Client certificates will then be automatically issued to domain-joined Windows 10 machines.

    Original Description:

    Original Title

    AlwaysON

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document outlines the steps to configure certificate autoenrollment for servers and users in an Active Directory environment. It involves configuring certificate templates on a Certificate Authority server, enabling autoenrollment via Group Policy on the domain controller, and creating security groups for VPN and NPS servers and users. Client certificates will then be automatically issued to domain-joined Windows 10 machines.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    4 views3 pages

    Always ON

    Uploaded by

    Nikola Tasevski
    This document outlines the steps to configure certificate autoenrollment for servers and users in an Active Directory environment. It involves configuring certificate templates on a Certificate Authority server, enabling autoenrollment via Group Policy on the domain controller, and creating security groups for VPN and NPS servers and users. Client certificates will then be automatically issued to domain-joined Windows 10 machines.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    of 3

    Required :

     DC/DNS servers
     NPS (RADIUS) server
     Certification Authority (CA) server
     Remote Access (Routing/VPN) server

    Infrastructure :

     On a server configured with Active Directory Domain Services:

    - Enable certificate autoenrollment in Group Policy for both computers and


    users,

    Before you enable certificate autoenrollment in Group Policy, you must configure a
    server certificate template by using the Certificate Templates Microsoft Management
    Console snap-in on a CA that is running AD CS:

     On CA1, in Server Manager, click Tools, and then click Certification Authority.
    The Certification Authority Microsoft Management Console (MMC) opens.

     In the MMC, double-click the CA name, right-click Certificate Templates, and


    then click Manage.

     The Certificate Templates console opens. All of the certificate templates are
    displayed in the details pane.

     In the details pane, click the RAS and IAS Server template.

     Click the Action menu, and then click Duplicate Template. The
    template Properties dialog box opens.

     Click the Security tab.

     On the Security tab, in Group or user names, click RAS and IAS servers.

     In Permissions for RAS and IAS servers, under Allow, ensure that Enroll is
    selected, and then select the Autoenroll check box. Click OK, and close the
    Certificate Templates MMC.

     In the Certification Authority MMC, click Certificate Templates. On


    the Action menu, point to New, and then click Certificate Template to Issue.
    The Enable Certificate Templates dialog box opens.

    In Enable Certificate Templates, click the name of the certificate template that you just
    configured, and then click OK. For example, if you did not change the default certificate
    template name, click Copy of RAS and IAS Server, and then click OK.

    Configure server certificate auto-enrollment


    On the computer where AD DS is installed, open Windows PowerShell®, type mmc, and
    then press ENTER. The Microsoft Management Console opens.
    On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box
    opens.
    In Available snap-ins, scroll down to and double-click Group Policy Management Editor.
    The Select Group Policy Object dialog box opens.
    Important
    Ensure that you select Group Policy Management Editor and not Group Policy
    Management. If you select Group Policy Management, your configuration using these
    instructions will fail and a server certificate will not be autoenrolled to your NPSs.
    In Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box
    opens.
    In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then
    click OK.
    Click Finish, and then click OK.
    Double-click Default Domain Policy. In the console, expand the following path:
    Computer Configuration, Policies, Windows Settings, Security Settings, and then Public
    Key Policies.
    Click Public Key Policies. In the details pane, double-click Certificate Services Client -
    Auto-Enrollment. The Properties dialog box opens. Configure the following items, and
    then click OK:
    In Configuration Model, select Enabled.
    Select the Renew expired certificates, update pending certificates, and remove revoked
    certificates check box.
    Select the Update certificates that use certificate templates check box.
    Click OK.
    -----------------------------------------------------------------------------------------------
    Configure user certificate auto-enrollment
    On the computer where AD DS is installed, open Windows PowerShell®, type mmc, and
    then press ENTER. The Microsoft Management Console opens.
    On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box
    opens.
    In Available snap-ins, scroll down to and double-click Group Policy Management Editor.
    The Select Group Policy Object dialog box opens.
    Important
    Ensure that you select Group Policy Management Editor and not Group Policy
    Management. If you select Group Policy Management, your configuration using these
    instructions will fail and a server certificate will not be autoenrolled to your NPSs.
    In Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box
    opens.
    In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then
    click OK.
    Click Finish, and then click OK.
    Double-click Default Domain Policy. In the console, expand the following path: User
    Configuration, Policies, Windows Settings, Security Settings.
    Click Public Key Policies. In the details pane, double-click Certificate Services Client -
    Auto-Enrollment. The Properties dialog box opens. Configure the following items, and
    then click OK:
    In Configuration Model, select Enabled.
    Select the Renew expired certificates, update pending certificates, and remove revoked
    certificates check box.
    Select the Update certificates that use certificate templates check box.
    Click OK.

    - create the VPN Users Group, the VPN Servers Group, and the NPS Servers
    Group, and add members to each group.

     On an Active Directory Certificate Server CA: Create the User Authentication,


    VPN Server Authentication, and NPS Server Authentication certificate templates.
     On domain-joined Windows 10 clients: Enroll and validate user certificates.

    You might also like