Autoenroll User Certificate with username?
08-07-2017 08:42 AM
Is there a way to autoenroll User certificates, where the subject/common name is the username? I have seen docs, blogs, and posts about enrollment, but only for Computer certificates, and the subject is always the computer name.
Edit: I meant email, not username. Our Windows machines use a user certificate template that issues based on the email address as the subject. When I tried this, Centrify does not create the cert.
08-07-2017 09:18 AM
Welcome to the Centrify forums. Several comments:
"I have seen docs, blogs, and posts about enrollment, but only for Computer certificates, and the subject is always the computer name."
The reason why most of the posts you see describe computer common names is because in system use cases for IPsec or 802.1x networking, the use case is typically tied to the system name.
"Our Windows machines use a user certificate template that issues based on the email address as the subject. When I tried this, Centrify does not create the cert."
The default use case (UNIX/Linux) for GPOs like auto-enrollment use "Computer Configuration" hive of GPOs (instead of the user) and with the exception of OS X, the user GPOs are disabled by default (plus we don't provide a mapper).
You can verify this by running adgpupdate:
$ adgpupdate
Refreshing Computer Policy... Success
Refreshing User Policy... User Policy disabled on this machine.
Ultimately, the system needs to have not only a valid ticket, but the attributes available to create this request.
If you let us know what OS populations (and versions) are being targeted and your ultimate requirement (the problem you want to solve) we may be able to give you an alternative.
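Since the adgpupdate output quoted above is the quickest way to see whether user policy (and therefore user auto-enrollment) can apply on a UNIX/Linux host, here is a small added example, not part of this thread or of Centrify's tooling, that parses that output into a per-policy status and only reports the machine as ready for user auto-enrollment when both the computer and user policy refreshes succeeded. The sample output is constructed to match the shape quoted in the post; in practice you would feed it `adgpupdate`'s real output.

```shell
#!/bin/sh
# Constructed sample of adgpupdate output, shaped like the lines quoted in the post above.
SAMPLE_OUTPUT='Refreshing Computer Policy... Success
Refreshing User Policy... User Policy disabled on this machine.'

# policy_status OUTPUT KIND
#   KIND is "Computer" or "User". Prints one of:
#   enabled  - the refresh line reports Success
#   disabled - the refresh line reports the policy as disabled on this machine
#   unknown  - no refresh line for that policy was found in OUTPUT
#   failed   - a refresh line exists but reports neither Success nor disabled
policy_status() {
  _line=$(printf '%s\n' "$1" | grep -i "Refreshing $2 Policy")
  case "$_line" in
    "")          echo unknown ;;
    *Success*)   echo enabled ;;
    *disabled*)  echo disabled ;;
    *)           echo failed ;;
  esac
}

# user_autoenroll_ready OUTPUT
#   Returns 0 only when both computer and user policy refreshed successfully;
#   user certificate GPOs cannot apply while user policy is disabled.
user_autoenroll_ready() {
  [ "$(policy_status "$1" Computer)" = enabled ] &&
  [ "$(policy_status "$1" User)" = enabled ]
}

# Stand-alone usage: summarise the constructed sample.
printf 'computer policy: %s\n' "$(policy_status "$SAMPLE_OUTPUT" Computer)"
printf 'user policy:     %s\n' "$(policy_status "$SAMPLE_OUTPUT" User)"
if user_autoenroll_ready "$SAMPLE_OUTPUT"; then
  echo 'user auto-enrollment: policy refresh looks ready'
else
  echo 'user auto-enrollment: blocked (user policy not enabled)'
fi
```

Replacing `SAMPLE_OUTPUT` with `$(adgpupdate)` turns this into a quick precondition check to run before spending time on template or SAN settings.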
08-07-2017 11:55 AM
08-07-2017 04:19 PM
This doc indicates what is needed, specifically for 802.1x
Take note of the User auto enroll cert portion. Note that the subject name and SAN are determined by the template that you use. You will also need the AD GPO for user auto-enroll of certificates.
Once these are in place, the certificates will auto enroll. If you are also using a GP to configure 802.1x, you will also create the 802.1x GPO as well.
Here is additional info, which also includes troubleshooting.
Regarding other services, such as VPN, you will probably want to set the GP to "Allow specific applications to access the auto-enrollment private key(s)" as well. More info can be found here;
I hope this helps!
Have a great day!!
08-08-2017 08:00 AM
@RyanV Thank you. One of your links pointed me to this article: https://centrify.force.com/support/Article/KB-4275-How-to-setup-a-user-authentication-certificate-fo...
This procedure helped solve my issue. The part I was missing was "user-certificates are now only enrolled when a user does a Connected login from the GUI login screen". This is why I wasn't seeing the certs show up when issuing an adgpupdate.