Solved

Enterprise CA - Certificate AutoEnrollment Policy on a non-domain computer HowTo

Posted on 2016-10-03
6
285 Views
Last Modified: 2016-10-09
I have completed the following steps thus far:
*Setup Active Directory Certificate Services
*Setup Certificate Enrollment Web Service
*Setup Certificate Enrollment Policy Web Service
*Created duplicate template of computer template
*Created a user account with permissions to the new template (and change the template to require the Subject Name to be supplied in the request)
*Issued the new template
*Reset IIS to update template cache in the Certificate Policy Web Service
*Used Add-CertificateEnrollmentPolicyServer on the non-domain computer to add the Enterprise CA's policy service (used the new user account as the credentials)

When I open the certificates mmc and attempt to get a new certificate using the policy, the list is blank. I'm am not sure what I am missing.

Side note: if there is a way to request the certificate from the policy service with powershell I'd be interested to know that too.
0
Comment
Question by:byt3
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 20

Expert Comment

by:Peter Hutchison
ID: 41828083
I do not think Auto-Enrollment works for non-domain computers.
You should use the CA web service via https://servername/certserv to request for certificates on non-domain computers or use the certreq.exe utility. The only powershell commands I know of, come with Exchange Servers e.g.
New-ExchangeCertificate
Get-ExchangeCertificate
Import-ExchangeCertificate

https://social.technet.microsoft.com/Forums/windowsserver/en-US/098f858a-3e89-48d2-828e-274487033f6b/how-to-request-certificate-from-a-nondomain-computer?forum=winserversecurity
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 500 total points
ID: 41828092
Auto enrolment doesn't work for non-domain computers but you can get non-domain computers to request a certificate from a CA by initiating the request manually.

This technet article shows you how...

https://blogs.technet.microsoft.com/askds/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates/
1
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41828385
Like Craig Beck specified, it is not possible the use neither of AD Templates or auto enrolments.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 2

Author Comment

by:byt3
ID: 41828394
I am using the wrong term, I think what I am trying to do is setup auto renewal. I do understand that I need to initiate the request myself. I guess I can't do it using the mmc console. When I look into using the cerutil.exe later today, I'll come back on this thread if I have any questions.

Thanks for the link. I'll need it for cerutil.exe guidance.
0
 
LVL 2

Accepted Solution

by:
byt3 earned 0 total points
ID: 41828998
It seems I needed to wait longer to be able to use the MMC to request a certificate. The replication must not have finished to all DCs yet for the template. Oops!

I did find that during the cert request it would fail with permission denied, but if I clicked 'Continue' it would then prompt me for credentials. I had entered in credentials when adding the policy server and set it to remember them, but they weren't used when requesting the certificate.

Something to note is that I'm pretty sure this method of requesting certificates on non-domain computers only works on 2008R2/Windows 7 and up (that's when Web CES and CEP roles were introduced). If using an earlier versions of windows, you will be required to use certreq.exe .

First create an .inf file with details like extensions, request attributes...
https://blogs.technet.microsoft.com/rmilne/2014/06/17/how-to-request-certificate-without-using-iis-or-exchange/https://blogs.technet.microsoft.com/rmilne/2014/06/17/how-to-request-certificate-without-using-iis-or-exchange
https://technet.microsoft.com/en-us/library/dn296456(v=ws.11).aspx#BKMK_Newhttps://technet.microsoft.com/en-us/library/dn296456(v=ws.11).aspx#BKMK_New

*on computer needing cert: certreq.exe -New -machine Policy.inf cert.req
*copy cert.req to CA
*on CA: certreq.exe -Submit cert.req cert.cer chain.pfx response.rsp
*copy cert.req, chain.pfx and response.rsp to computer needing cert
*on computer needing cert: certreq.exe -Accept -machine chain.pfx
*on computer needing cert: certreq.exe -Accept -machine response.rsp
*on computer needing cert: certreq.exe -Accept -machine cert.cer
*done
0
 
LVL 2

Author Closing Comment

by:byt3
ID: 41835723
Craig sent me down the right track to eventually finding that I needed to use certreq.exe for a windows 2008 machine I have. I just need to wait for AD replication before I was able to see the template I had created through the policy server I added to the non-domain PC
0

Featured Post

Get HTML5 Certified

Want to be a web developer? You'll need to know HTML. Prepare for HTML5 certification by enrolling in July's Course of the Month! It's free for Premium Members, Team Accounts, and Qualified Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question