Certificate Autoenrollment for Windows 2003

Posted on 2014-11-06
Medium Priority
Last Modified: 2014-11-26
I would like to know if setting up Certificate Autoenrollment on a Windows 2003 domain is worth it and how to do it. The KBs I have read talk about getting a certificate for the domain controller, but the certificate I have is for our Exchange 2003 server. I have the certificate installed on the Exchange server but want to use the Autoenrollment feature so I can push out the certificates to mobile devices when they connect to the network through ActiveSync. How do I do this?
Question by:Tim
LVL 23

Accepted Solution

Radhakrishnan R earned 668 total points
ID: 40428106

The autoenrollment process grants certificates based on certificate templates that are supplied with Read, Enroll, and Autoenroll permissions for the users, groups, or computers who require autoenrollment. A modification is made to Group Policy to initiate the process during a Group Policy refresh or interactive logon event.

To configure Windows Server 2003 PKI Certificate Autoenrollment, please have a look at the step-by-step procedure.

Hope this helps
LVL 65

Assisted Solution

btan earned 668 total points
ID: 40428139
To deploy cert-based authentication to mobile devices such as iOS and Android, the link below is good, where Part 1 shows configuring Exchange to allow certificate-based authentication for ActiveSync devices and Part 2 shows configuring mobile devices for certificate-based authentication, whereby we need to enrol and issue certificates to end users via the admin workstation to deploy to the device. That is the minimum for a start to ensure the whole cert link-up is alright. Note the use of other third-party ActiveSync clients for Android instead of the native mobile OS ActiveSync client (which iOS is using).

For cert autoenrollment, I am rather skeptical about that being totally transparent, as the delivery of the cert will not be transparent, though a new cert can be issued. The transfer via machine, storage card etc. may still be manual, and I am not sure if EAS (see the link sharing the "means") can do that transparently as expected. Maybe other MDM solutions ... did not explore that though.. The normal domain-based autoenrollment setup (to state explicitly in the default enrollment policy) can still be followed, whereby AD will be doing it for the user account (used by and deployed into the user's mobile device) residing as part of the domain in AD ...
LVL 35

Assisted Solution

Bembi earned 664 total points
ID: 40429716
OK, a comment as I have used it for many years.....
Autoenrollment is useful for standard certificates, i.e. for user certificates and computer certificates. Using GPOs and an AD structure gives good control over the enrollment, so that only devices which are in the correct AD OU get these certificates.
I created Win2003 templates for all standard certificates (as they give more control over the features than the default templates) and created additional templates for webserver and other services.

Autoenrollment usually doesn't really work for webserver certs, as - i.e. for Exchange or Lync - you mostly need a SAN cert (a cert with several alternative subject names) to cover all needs for Exchange. For such purposes, I create a new 2003 WebServer template where I can add all properties by hand. Analogously for other types of certs which need some special additional information.

While the standard user / computer certs can be distributed easily with the default AD information and autoenrollment, I create all other certs by hand, but using templates. The advantage of the templates is that a cert which was created from a template can be renewed automatically. This way you avoid downtime of services due to cert expiration.

That means in fact that my clients get standard certificates as soon as they are moved into the according AD OU, and all services (webservers, Exchange, Lync etc.) get a (mostly SAN) cert based on a template, which renews itself automatically as long as the CA exists. Even renewing the CA cert automatically updates the issued certs.

For the enrollment of mobile devices, you mostly need additional software or a manual installation, depending on the type of the device (iOS, Android or Windows).
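As an added example, not from this thread or any of its answerers: a PowerShell check that walks the certificate templates published in AD and reports, for each, which principals hold the Enroll and Autoenroll rights that the accepted solution mentions, and whether the template lets the enrollee supply the subject (the hand-filled WebServer-style template described above). It assumes a domain-joined admin workstation with PowerShell and read access to the Configuration partition; the two extended-right GUIDs are the standard Certificate-Enrollment and Certificate-AutoEnrollment values, and the function name is my own.

```powershell
# Added example (not from the thread). Lists AD certificate templates with the
# principals granted Enroll / Autoenroll and the enrollee-supplies-subject flag.
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment right
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-11d2-b2e5-00c04f79dc55'  # Certificate-AutoEnrollment right
$EnrolleeSuppliesSubject = 0x1   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Resolve-SidName($sid) {
    # Fall back to the raw SID when the account no longer resolves (orphaned ACE)
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

function Get-TemplateEnrollmentRights {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.Properties['configurationNamingContext'].Value
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    foreach ($tpl in $container.Children) {
        $nameFlag = [int]$tpl.Properties['msPKI-Certificate-Name-Flag'].Value
        $rules = $tpl.ObjectSecurity.GetAccessRules($true, $true,
                    [System.Security.Principal.SecurityIdentifier])
        $enroll = @(); $auto = @()
        foreach ($r in $rules) {
            if ($r.AccessControlType -ne 'Allow') { continue }
            $who   = Resolve-SidName $r.IdentityReference
            # GenericAll implies every extended right; otherwise match the specific
            # right GUID, or an ExtendedRight ACE with an empty GUID (= all rights)
            $full  = ($r.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll
            $isExt = ($r.ActiveDirectoryRights -band $ExtendedRight) -ne 0
            $anyExt = $isExt -and ($r.ObjectType -eq [Guid]::Empty)
            if ($full -or $anyExt -or ($isExt -and $r.ObjectType -eq $EnrollGuid))     { $enroll += $who }
            if ($full -or $anyExt -or ($isExt -and $r.ObjectType -eq $AutoEnrollGuid)) { $auto   += $who }
        }
        [PSCustomObject]@{
            Template                = $tpl.Properties['cn'].Value
            EnrolleeSuppliesSubject = (($nameFlag -band $EnrolleeSuppliesSubject) -ne 0)
            Enroll                  = ($enroll | Sort-Object -Unique) -join '; '
            AutoEnroll              = ($auto   | Sort-Object -Unique) -join '; '
        }
    }
}

Get-TemplateEnrollmentRights | Format-Table -AutoSize
```

Review any row where a broad group (Domain Users, Domain Computers, Authenticated Users) holds Enroll or Autoenroll on a template that also has EnrolleeSuppliesSubject set; hand-filled templates like the WebServer one above should be enrollable only by the admins who issue those service certs.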
LVL 65

Expert Comment

ID: 40429722
Better not to use autoenrollment, esp. for mobile users, since such devices are really mobile and the tendency of loss is pretty high, and connectivity to the backend MDM is not guaranteed. If the devices are enterprise-managed ones, it is better to check the balance and not overdrive the mobility, even when just leveraging EAS... very much dependent on the MDM client running..