Solved

Certificate Autoenrollment for Windows 2003

Posted on 2014-11-06
4
184 Views
Last Modified: 2014-11-26
I would like to know if setting up Certificate Auto enrollment on a Windows 2003 domain is worth it and how to do it. The KBs I have read talk about getting a certificate for the Domain controller, but the certificate I have is for our Exchange 2003 server. I have the certificate installed on the Exchange server but want to use the Auto enrollment feature so I can push out the certificates to Mobile devices when they connect to the network through ActiveSync. How do I do this?
0
Question by:tparus
4 Comments
 
LVL 21

Accepted Solution

by:
Radhakrishnan R earned 167 total points
ID: 40428106
Hi,

The autoenrollment process grants certificates based on certificate templates that are supplied with Read, Enroll, and Autoenroll permissions for the users, groups, or computers who require autoenrollment. A modification is made to Group Policy to initiate the process during a Group Policy refresh or interactive logon event.

To configure Windows Server 2003 PKI Certificate Autoenrollment, please have a look at the step-by-step procedure:
http://windowsitpro.com/security/windows-server-2003-pki-certificate-autoenrollment

Hope this helps
0
 
LVL 64

Assisted Solution

by:btan
btan earned 167 total points
ID: 40428139
To deploy cert-based authentication to mobile devices such as iOS and Android, the link below is good: Part 1 shows configuring Exchange to allow certificate-based authentication for ActiveSync devices, and Part 2 shows configuring mobile devices for certificate-based authentication, whereby we need to enrol and issue certificates to end users via the admin workstation to deploy to the device. That is the minimum for a start to ensure all the cert link-up is alright. Note the use of another third-party ActiveSync client for Android instead of the native mobile OS ActiveSync client (which iOS is using).

For cert autoenrollment, I am rather skeptical about that being totally transparent, as the delivery of the cert will not be transparent, though a new cert can be issued. The transfer via machine, storage card, etc. may still be manual, and I am not sure if EAS (see link sharing the "means") can do that transparently as expected. Maybe other MDM solutions ... did not explore that though.. The normal domain-based auto-enrollment setup (stated explicitly in the default enrollment policy) can still be followed, whereby the AD will be doing it for the user account (used by and deployed into the user's mobile device) residing as part of the domain in AD ...
0
 
LVL 35

Assisted Solution

by:Bembi
Bembi earned 166 total points
ID: 40429716
OK, a comment, as I have used it for many years.....
Autoenrollment is useful for standard certificates, i.e. for user certificates and computer certificates. Using GPOs and an AD structure gives good control over the enrollment, so that only devices which are in the correct AD OU get these certificates.
I created Win2003 templates for all standard certificates (as they give more control over the features than the default templates) and created additional templates for webserver and other services.

Autoenrollment usually doesn't really work for webserver certs, as, e.g. for Exchange or Lync, you mostly need a SAN cert (a cert with several subject alternative names) to cover all needs for Exchange. For such purposes, I create a new 2003 WebServer template where I can add all properties by hand. The same goes for other types of certs which need some special additional information.

While the standard user / computer certs can be distributed easily with the default AD information and autoenrollment, I create all other certs by hand, but using templates. The advantage of the templates is that a cert which was created by a template can automatically be renewed. This way you avoid downtime of services due to cert expiration.

That means, in fact, that my clients get standard certificates as soon as they are moved into the corresponding AD OU, and all services (webservers, Exchange, Lync etc.) get a (mostly SAN) cert based on a template, which renews itself automatically as long as the CA exists. Even renewing the CA cert automatically updates the issued certs.

For the enrollment of mobile devices, you mostly need additional software or a manual installation, depending on the type of the device (iOS, Android or Windows).
0
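As an added audit example (not code from this thread or from any of the answerers), the PowerShell script below lists which identities hold Enroll or Autoenroll on each certificate template published in AD, which is the Read/Enroll/Autoenroll permission set Radhakrishnan's answer describes and the template control Bembi's OU-scoped enrollment relies on. It assumes a domain-joined workstation with PowerShell and read access to the Configuration partition; the group list in $broad is a constructed example.

```powershell
# Added example, not from this thread: audit Enroll / Autoenroll grants on AD certificate templates.
# Read-only: it only queries CN=Certificate Templates in the Configuration partition.
# The two GUIDs are the Certificate-Enrollment and Certificate-AutoEnrollment extended rights
# defined in the AD schema.
$enrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoEnrollRight = [Guid]'a1285d58-bf3f-4ab5-80ae-fb0d45a5d5a3'
$extendedRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$configNc  = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$report = foreach ($template in $container.Children) {
    $name = [string]$template.Properties['cn'].Value
    # nTSecurityDescriptor is exposed as ActiveDirectorySecurity; resolve SIDs to names when possible.
    try   { $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) }
    catch { $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) }
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $right = $null
        if (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll) {
            $right = 'GenericAll (implies Enroll/Autoenroll)'
        } elseif (($ace.ActiveDirectoryRights -band $extendedRight) -eq $extendedRight) {
            if     ($ace.ObjectType -eq $autoEnrollRight) { $right = 'Autoenroll' }
            elseif ($ace.ObjectType -eq $enrollRight)     { $right = 'Enroll' }
            elseif ($ace.ObjectType -eq [Guid]::Empty)    { $right = 'All extended rights' }  # blanket ACE
        }
        if ($right) {
            New-Object PSObject -Property @{
                Template = $name
                Identity = $ace.IdentityReference.Value
                Right    = $right
            }
        }
    }
}

$report | Sort-Object Template, Identity | Format-Table Template, Identity, Right -AutoSize

# Constructed list of broad principals: an Autoenroll grant to one of these means every matching
# user or computer receives the certificate once the autoenrollment GPO setting is turned on.
$broad = 'Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone'
foreach ($entry in $report) {
    if ($entry.Right -ne 'Autoenroll') { continue }
    foreach ($group in $broad) {
        if ($entry.Identity -like "*\$group") {
            Write-Warning ("Template '{0}' grants Autoenroll to broad group {1}" -f $entry.Template, $entry.Identity)
        }
    }
}
```

Review the warnings against the OU-based GPO scoping you intend: a broad Autoenroll grant is only acceptable when the template is meant for every account in that scope (the standard user and computer templates), not for service or webserver templates.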
 
LVL 64

Expert Comment

by:btan
ID: 40429722
Better not to use autoenrollment, especially for mobile users, since such devices are really mobile and the tendency for loss is pretty high, and connectivity to the backend MDM is not guaranteed. If the devices are enterprise-managed ones, it is better to strike a balance and not overdrive the mobility, even when just leveraging EAS... very much dependent on the MDM client running..
0
