
Autoenroll User Certificate with username?

Participant II

Is there a way to autoenroll User certificates, where the subject/common name is the username? I have seen docs, blogs, and posts about enrollment, but only for Computer certificates, and the subject is always the computer name.

Edit: I meant email, not username. Our Windows machines use a user certificate template that issues based on the email address as the subject. When I tried this, Centrify does not create the cert.

Centrify Guru I

@bajcsi,

Welcome to the Centrify forums. Several comments:

"I have seen docs, blogs, and posts about enrollment, but only for Computer certificates, and the subject is always the computer name."

The reason why most of the posts you see describe computer common names is that in system use cases for IPsec or 802.1x networking, the use case is typically tied to the system name.

"Our Windows machines use a user certificate template that issues based on the email address as the subject. When I tried this, Centrify does not create the cert."

The default use case (UNIX/Linux) for GPOs like auto-enrollment uses the "Computer Configuration" hive of GPOs (instead of the user) and, with the exception of OS X, the user GPOs are disabled by default (plus we don't provide a mapper).

You can verify this by running adgpupdate:

$ adgpupdate
Refreshing Computer Policy...
Success
Refreshing User Policy...
User Policy disabled on this machine.

Ultimately, the system needs to have not only a valid ticket, but the attributes available to create this request.

If you let us know what OS populations (and versions) are being targeted and your ultimate requirement (the problem you want to solve), we may be able to give you an alternative.

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II

@Robertson, thank you for the reply. The target OSes are MacOS 10.11 and 10.12. The ultimate requirement involves 802.1x for network access, VPN, and a few other apps that are already using email-based common names. I could change them to accept machine name, but would rather keep it uniform if possible.
Centrify Advisor III

Hello @bajcsi,

This doc indicates what is needed, specifically for 802.1x:

https://docs.centrify.com/en/centrify/macadmin/macadmin/adm_configuring_8021x.html#

Take note of the User auto enroll cert portion. Note that the subject name and SAN are determined by the template that you use. You will also need the AD GPO for user auto-enroll of certificates.

Once these are in place, the certificates will auto enroll. If you are also using a GP to configure 802.1x, you will create the 802.1x GPO as well.

Here is additional info, which also includes troubleshooting:

https://centrify.force.com/support/Article/KB-6642-Getting-started-with-802-1X-for-Mac-Configuration...

Regarding other services, such as VPN, you will probably want to set the GP to "Allow specific applications to access the auto-enrollment private key(s)" as well. More info can be found here:

https://docs.centrify.com/en/centrify/macadmin/macadmin/adm_userGP_SecurityPrivacy.html#ww1226694

I hope this helps!

Have a great day!!

RyanV
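
Since the subject and SAN of the enrolled user certificate come from the template, the practical check after a user has logged in and enrolled is to confirm that the issued certificate really carries the e-mail address where 802.1x and VPN peers will look for it. The script below is an added example, not code from this thread or from Centrify: it checks a PEM certificate for the address in the Subject emailAddress attribute and in the rfc822Name (email:) subjectAltName, and it builds a constructed self-signed certificate for user@example.com (an assumed address) to run against. The function names and the sample certificate are mine; it needs openssl 1.1.1 or later for the -ext and -addext options.

```shell
#!/bin/sh
# Added example (not from the thread or from Centrify): verify that a user
# certificate carries the expected e-mail address in the Subject emailAddress
# attribute and/or in an email: (rfc822Name) subjectAltName entry.
# Requires openssl 1.1.1+ (for "x509 -ext" and "req -addext").
set -eu

# cert_email_matches PEM EMAIL
# Exit 0 if EMAIL appears as the Subject emailAddress or as an email: SAN,
# exit 1 otherwise.
cert_email_matches() {
    pem=$1
    want=$2
    # Escape regex metacharacters in the address before using it as a pattern.
    pat=$(printf '%s' "$want" | sed 's/[.[\*^$]/\\&/g')
    # "compat" name format prints "/CN=.../emailAddress=..." on one line.
    subj=$(openssl x509 -in "$pem" -noout -subject -nameopt compat)
    # Missing SAN extension is not an error for this check, hence "|| true".
    san=$(openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null || true)
    if printf '%s\n' "$subj" | grep -Eq "emailAddress=$pat(/|\$)"; then
        return 0
    fi
    if printf '%s\n' "$san" | grep -Eq "email:$pat(,|\$)"; then
        return 0
    fi
    return 1
}

# make_sample_cert DIR
# Writes a constructed, self-signed certificate shaped like one issued by an
# e-mail-based user template (Subject emailAddress plus email: SAN) to
# DIR/user.pem and prints the path. It stands in for the certificate a
# Connected login would enroll from AD CS; the address is an assumption.
make_sample_cert() {
    dir=$1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/user.key" -out "$dir/user.pem" -days 1 \
        -subj "/CN=Test User/emailAddress=user@example.com" \
        -addext "subjectAltName=email:user@example.com" >/dev/null 2>&1
    printf '%s\n' "$dir/user.pem"
}

# demo: build the sample certificate and check a matching and a non-matching
# address against it.
demo() {
    tmp=$(mktemp -d)
    pem=$(make_sample_cert "$tmp")
    for addr in user@example.com other@example.com; do
        if cert_email_matches "$pem" "$addr"; then
            echo "$pem: carries $addr"
        else
            echo "$pem: does NOT carry $addr"
        fi
    done
    rm -rf "$tmp"
}

demo
```

On the Mac itself, export the enrolled certificate from the login keychain with `security find-certificate -e user@example.com -p > user.pem` (or `-c` with the certificate's name) and run `cert_email_matches user.pem user@example.com` against it. If the Subject check passes but the SAN check does not, the template is issuing the address only in the Subject, which some 802.1x and VPN servers will not accept.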

Participant II

@RyanV Thank you. One of your links pointed me to this article: https://centrify.force.com/support/Article/KB-4275-How-to-setup-a-user-authentication-certificate-fo...

This procedure helped solve my issue. The part I was missing was "user-certificates are now only enrolled when a user does a Connected login from the GUI login screen". This is why I wasn't seeing the certs show up when issuing an adgpupdate.

Thanks again!