How to Configure Automatic User Certificate Enrolment in Windows Server 2016/2019

Captions
Hey, what's up guys, welcome to MB Tech Talker. My name is Matt. In this video I'm going to show you how I set up automatic user certificate enrollment in Active Directory using Group Policy within Windows Server 2016. Once configured, you'll be able to use the issued user certificate to grant access to resources on the network or applications. So if you haven't seen my "How to install Microsoft Certificate Services" video, make sure you watch that first, as it shows you how to configure a root certificate authority and is a prerequisite to this video.

In this video I'm going to be using my lab Windows 2016 Active Directory server with Certificate Services installed, acting as the root certificate authority for the domain. This configuration is identical in Windows Server 2019. I will also be using a Windows 10 client machine to test the certificate auto-enrollment. On both machines I will be logged in with a domain administrator account.

Okay, so let's get going with the lab. I'm already logged into the Windows 2016 server. If we go up to Tools and then go to Active Directory Users and Computers, we expand the local domain, which is the MB Tech local domain, and as you can see I've already created a Security Team OU which contains two additional OUs: a Computer Accounts OU and a User Accounts OU. In this lab I'll be concentrating on the sec admin user accounts. The plan here is to apply a Group Policy to these specific users in the OU instead of the whole domain. If I click on the user OU you can see we have sec admin 1 and sec admin 2. Both these users are a member of the sec admin group, so these users will be issued with a user certificate via the automatic user certificate enrollment.

So if we open up sec admin 1, just something to point out: under the General tab I have defined an email address. This isn't being used, I don't have email running in the lab, but this is important: make sure this field is populated, otherwise you could get a failed certificate request, so I just advise adding an email in there.

Essentially there are four parts to this video. Part one I just walked you through, where I created the OU and the security group, defined the users, added the users to the security group and talked about the email address. Part two will be the creation of a new user certificate by duplicating an existing user certificate template. Part three will be all about creating and linking the GPO to the OU. And then part four will be to verify that the users receive the issued certificate via the auto-enrollment.

Let's move on to the next step. So what we need to do is go to Tools and then we want to go to Certification Authority. This is where we're going to create a new user certificate by duplicating the existing User template certificate. So let's maximize this, expand the root CA, and then highlight Certificate Templates, right click, Manage. These are all the predefined templates within the CA. We're interested in the User template, so we're going to highlight it, right click and Duplicate Template. I'm going to go to the General tab and I'm going to give this a name, so "sec admin users", and then what I'm going to do is go to the Cryptography tab and I'm going to increase the minimum key size to 4096. I know this is a lab, but this is just a habit for me.

So next we're going to go to the Security tab, and then for Domain Users we're going to remove the Enroll permission; we'll allow them to Read it. And then we're going to add the sec admin object, so if we search for that, sec admin, so this is the sec admin group, and then click OK. And we're going to allow them, let's make sure it's Read, Enroll and Autoenroll, make sure those are all ticked, and then click Apply and then OK.

Now let's issue the certificate to the certificate authority so the CA can distribute it to the users in the sec admin group. To do this we will just minimize that screen, and then we're going to highlight Certificate Templates and then click New, Certificate Template to Issue, and then we need to find the certificate, which is called "sec admin users", and then click OK.

Okay, so let's move on to step three: let's create and link the GPO to the sec admin OU. Let's minimize that screen, and then in the Server Manager dashboard we go to Tools and then we're looking for Group Policy Management. Let's expand the forest and the domain and the Group Policy Objects, and let's highlight Group Policy Objects, right click and New. Let's give it a name, so I'm going to call it "sec admin users certificate auto enrollment GPO", and then click OK. So now we select that policy and we're going to right click and Edit, and then what we're going to do here is just make the screen a bit bigger and expand this out so we can see what's going on. This configuration is under User Configuration, so expand Policies, and then Windows Settings, Security Settings, and then we're looking for Public Key Policies. If we click on that, what we're interested in here is Certificate Services Client - Auto-Enrollment. So if we open that up, as you can see the configuration model is Not Configured, so we need to make sure it's Enabled, and then we're going to tick renew expired certificates and update certificates, and then Apply and then OK, and then we can close that console.

Next we need to add the new GPO to the sec admin user accounts OU. So let's select the OU and expand it, and then let's go to the sec admin user accounts, right click and then Link an Existing GPO, and now what we're looking for is the sec admin user certificate auto enrollment GPO, and then click OK. So that has now been successfully linked to the OU.

Okay, so now it's time to log into the Windows 10 client, and now we can see if the auto-enrollment has been successful and a certificate has been issued to the user. So what we're going to do is open up an MMC console and add a new snap-in: we're going to select Certificates, click Add, I'm just going to do it for the user account, click Finish and OK. If we expand the certificate folders, and then we're looking at Personal, Certificates, we can see we've got a Certificates folder, which is a good sign. So if we click on that, we can see a certificate has been issued to sec admin successfully, and it was issued by the CA, and it's got an expiration date of 2022, and its intended purposes are for client authentication.

What else I wanted to show you was, if we go back to the Windows 2016 server and then we go to Issued Certificates, we can see that we've got these two new certificates issued by the CA, 34 and 35, one to the sec admin 1 user and the other one to sec admin 2, and it was issued to the Security Team OU and to the sec admin user accounts. And then finally, if we go to Certificate Templates and Manage, and then we look at the template that we created, so if we look for the sec admin and we highlight it and then go to Properties, if we take a look at the Subject Name tab you can see here it says subject name format: Fully distinguished, include email name in subject name, and include this information in the alternate subject name. And this is what I was talking about earlier: because this is ticked, this is why you need to make sure that in your user account you've got an email address defined. If you didn't want to do that then obviously this is exactly where you untick this, and that will not show up and you will not get any failed requests. So this is the whole purpose of duplicating the predefined templates: this gives us all these extra parameters and settings and configuration so that we can fine tune the certificate to the way we want it.

So yeah, that's it then, that's everything I wanted to demonstrate. I hope this has been useful and I'll see you in the next video. Okay guys, that's it for today's video, thanks for watching. Over the next coming weeks I will be uploading more videos where I will be sharing more content about Palo Alto firewall features and technologies and how to configure them. If you like this video I'm sure you know what to do by now, but just in case you don't, please hit that like button below and share with your friends, and be sure to hit that subscribe button and the bell to get notified every single time I post a new video. If you have any ideas or video content you want me to create, please put them in the comments below, as I would love to hear your feedback on any aspect of my channel. Please keep watching and I will see you in the next video. Thanks.
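An added PowerShell check for the procedure in the video above (this script is not from the video or its author); it verifies the failure mode the video calls out (members of the enrolling group with no e-mail address), confirms the duplicated template is published, triggers auto-enrollment on the client and looks for the issued certificate. The group name, the template's short name and the CA config string are assumptions to adjust for your lab.

```powershell
# Added verification script, not part of the video. Assumes the RSAT ActiveDirectory
# module is installed, the group is called "sec admin", the duplicated template's
# short Template Name is "SecAdminUsers" and the CA is "CASERVER\RootCA" (placeholders).
param(
    [string]$GroupName    = 'sec admin',
    [string]$TemplateName = 'SecAdminUsers',
    [string]$CAConfig     = 'CASERVER\RootCA'
)
Import-Module ActiveDirectory

# 1. Every intended enrollee needs the mail attribute set: the duplicated template
#    keeps "Include e-mail name in subject name" ticked, so an empty field fails the request.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
           Where-Object objectClass -eq 'user' |
           ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties mail }
$missingMail = $members | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) }
if ($missingMail) {
    Write-Warning ("Users without an e-mail address (requests will fail): " +
                   ($missingMail.SamAccountName -join ', '))
}

# 2. The template must be published on the CA ("New > Certificate Template to Issue").
$published = certutil -config $CAConfig -CATemplates 2>$null
if (-not ($published | Select-String -SimpleMatch $TemplateName)) {
    Write-Warning "Template '$TemplateName' is not published on CA '$CAConfig'."
}

# 3. Refresh user policy and pulse auto-enrollment for the logged-on user.
gpupdate /target:user /force | Out-Null
certutil -user -pulse | Out-Null

# 4. Look in the user's Personal store for a certificate from that template; the
#    template name is carried in the Certificate Template Information extension.
$issued = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $ext -and ($ext.Format($false) -match [regex]::Escape($TemplateName))
}
if ($issued) {
    $issued | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    Write-Warning "No certificate from '$TemplateName' found; recent auto-enrollment events:"
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List
}
```

Run it on the Windows 10 client while logged on as one of the sec admin users; step 1 and step 2 query the domain and the CA remotely, steps 3 and 4 act on the current user's store.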
Info
Channel: MB Tech Talker
Views: 79
Id: veEVjYTpub4
Length: 11min 14sec (674 seconds)
Published: Wed Sep 29 2021