Understanding Active Directory - Active Directory Certificate Services CS

Captions
Welcome back. We are off on our next module: Active Directory Certificate Services. After spending some time on Active Directory Domain Services, we're going to dive right in and get an overview of Certificate Services: what it is, what it does, and how it works.

A little bit about AD CS: what is it, what does it do for us or provide for us? Overview of Active Directory Certificate Services. As I mentioned before when I started off this course, AD CS is, relatively, in theory, simple. All it does is manage certificates. That's it. However, to get to the point where you're managing certificates, with all the things certificates do and how they can do it, how important they are, and the infrastructure possibilities for managing them, it is a complicated piece of technology in any environment.

Overview of Active Directory Certificate Services: what is a certification authority, how hierarchies work, options for implementing, options for integrating CS and Domain Services (that we just learned about), and a demonstration of some of the tools.

What is a certification authority? It's an entity entrusted to issue certificates. That's it. It is, in this instance, essentially a computer that we have said: this computer is going to be allowed to issue certificates to individuals or users, computers, servers, the organization, network devices in some cases, if necessary or required or requested. These certificates verify the identity and other attributes of the certificate subject to other entities.

Now, a lot of this module is actually going to be spent on PKI as an idea and not so much on the technicalities behind Active Directory Certificate Services, only because that background is very necessary for how the pieces of Certificate Services work. Once you have that background, Certificate Services is much, much simpler. Not that it is simple overall, but it is simpler once you have an idea of PKI.

How CA hierarchies work: they include a root CA, or certification authority, and one or more levels of subordinate CAs. Optionally; you don't have to have subordinate CAs. There are plenty of reasons for deploying more than one, all of them listed here.

Usage: certificates may be issued for a number of purposes: secure email, secure web servers, pure user verification, identity verification. You may want to segregate your certification authorities to issue certificates just for those particular uses.

Organizational divisions: as we talked about earlier, you might have a number of different organizations or teams or groups within your overall organization that have different functions, different requirements, different IT teams even, possibly, and you need those teams to independently manage certification services.

Geographic divisions: that one is very similar to organizational divisions, but physical geographic locations.

Load balancing: I might want to make sure that I don't overwhelm any one certification authority with requests, with revocation, with management, so I may have a number of different certification authorities, a number of different servers in the hierarchy, to provide for that load balancing.

High availability: there are key, crucial servers in Active Directory Certificate Services that have to be available. You have to have them for it to function correctly. Without that, you lose the validity of the certificates that are attempting to be verified, and your certification is essentially for naught.

And to restrict administrative access: just like everything in Microsoft software and tools, we have the ability to very, very granularly control delegation of administration. I can allow different users of different types, or different administrators of different types, to manage different aspects of the infrastructure, and that may be a reason to have different hierarchies within my certification authority.

When implementing a certification authority solution, you can use an internal private CA or an external public CA. These are very different options. An external public CA I don't manage. I send a request for a certificate; that's pretty much it. I go to any major commercial service, I say I want a certificate for purpose X, here's the information that pertains to that certificate. Depending on what that certificate is or how important it is, there may be independent verification provided by that third party that I am who I say I am, and then they're going to issue me a certificate. A very good example of this would be any public website secured with SSL: HTTPS at the beginning of a URL. Those certificates are issued by third parties. The reason for that is that every computer is deployed with a preset list of trusted certification authorities in the world; certificates issued by them will be valid. If I create my own internal private certification authority, I don't have that trust built into the system. I can't create a website, attach a certificate to it that I've issued myself, have someone from outside of my organization go to that website, and have them not get a certificate error. Their computers don't have a store of my internal certification authority and its trust to the world. That's our biggest difference between these two. Internal CAs are less expensive and provide more administrative options, but the issued certificates are not trusted by external clients; the world at large doesn't know about them. I personally use a mix of both of these in my day-to-day operations. Even at home, I host some websites for myself and for associates of mine; I've used external certificates for some, I've self-issued certificates for some.

Options for integrating Active Directory Certificate Services and Active Directory Domain Services: enterprise and standalone. These are the two types of certification authorities you can stand up in Active Directory Certificate Services. A standalone certification authority is a server you install the role on, and you can issue certificates. It is that simple. What you lose out on is what's in the enterprise column.

You don't have Group Policy for trusted root propagation, and I'll have to explain that for a moment. As I mentioned, every computer, when built, when deployed (in this case we'll stick with Microsoft Windows operating systems), there is a list of trusted certification authorities worldwide built into that operating system. My internal certification authority isn't on that list by default, so for me to be able to use certificates that I've issued internally without having trust issues, I can use Group Policy. I can populate that trusted list on all of those workstations with my certification authority. It tells those clients: any certificates issued by me are to be trusted. That's our first advantage of an enterprise CA.

Publishes certificates and CRLs to AD DS: this is one we're going to learn more about as we go through this module. The simple explanation is certification authorities maintain lists of certificates that have been revoked, and clients check those lists to make sure that, when they're getting a certificate as validation of identity, they're still valid, that they are still legitimate certificates. I can use Active Directory to store and distribute that list as opposed to other mechanisms built within certification.

Can enforce credential checks during enrollment: if I want to get a certificate, I can make sure that I, Christopher Chapman, am the one getting that certificate and not someone else pretending to be me, getting a certificate with my name on it.

Can have subject name generated automatically from logon credentials: this has to do with certificates matching. When issued a certificate, the name being verified has to match the subject name of the certificate for it to be valid.

Certificate templates: those are preset templates for preset purposes that I can either decide to issue or not issue and control different options of, and we'll talk about that more in further slides.

Can be used to generate smart card Windows domain authentication certificates: I can't do this without Active Directory Domain Services. I have to have an AD DS-integrated CS implementation to do smart card Windows authenticated logon.

And can use certificate autoenrollment: what this means is, as a user or as a computer, I can designate that when that computer comes online it automatically gets a certificate for whatever purpose I might want one for.

We are going to install this role. I'm going to jump into a demo real quick and install the role, and then we're going to take a look at the tools for managing right off the bat.

And here we are in the demo environment. This is a server I've prepared ahead of time. It has the Domain Services role pre-installed but not Certificate Services. We're going to go ahead and run through that installation just so you can get a look at what it takes. We're going to click on Add Roles and Features in the Server Manager window. Brings up our prerequisite information box. It is again a role-based installation, and it is on the local server. We're going to install Active Directory Certificate Services. As per other installations of Active Directory roles, there are prerequisite features that have to be installed; Server Manager warns us about these features and lets us know what it's going to be installing. Next brings up the features window, again with those features asked for in the prior step already pre-selected. Another information screen just letting us know a couple of things. There is a note right here that's relatively important: "The name and domain settings of this computer cannot be changed after a certification authority has been installed. If you want to change the name, join a domain, or promote this server to domain controller, complete these changes before installing the certification authority role." We're going to go ahead and continue forward; we're not planning on making any changes during this course to the name. These are the role services. I am going to install most of these. All of them come with additional features, so we're going to have to click this a couple of times, and if I remember correctly, I can't actually install, or can't configure, all of these right away after this installation is done. We'll look at that once they're installed. Another information screen. This has been put here as a requirement of the features that we just got selected. As I selected the roles, it gave me prerequisites; IIS was on that list of prerequisites, so a step has been added to the Add Roles and Features wizard. In that process I can once again make changes, but the options that I absolutely need for Certificate Services have already been selected. I can restart automatically if required; I'm not going to select that. I'm just going to install. This wizard again, as mentioned in prior modules, we can close without interrupting any tasks once it's gotten started. I can close this; the installation is going to continue in the background independently of anything I'm doing.

I am going to switch over to another computer that already has the role installed, because we don't need to wait for this portion. So here I have a server up and running, Server Manager open, that has AD CS already installed on it. Same dashboard window. It's going to give us servers with this role installed (in this case there's just one) and any events that have happened in regards to this particular role or service. Unlike Active Directory, where we have the Active Directory Administrative Center (it's a new tool that Microsoft has provided to centralize management of the Active Directory tools), for Certificate Services we still have a number of different tools to use. The complication with these tools, or talking about these tools, is that they're actually very dependent upon each other.

The first one I've opened is the Certification Authority tool. It's connected to the local machine right here, and this is all it gives us: certificates that have been revoked, certificates that have been issued, requests for certificates, failed requests, and the templates that this certification authority is currently authorized to provide. It's relatively basic. This is our main source of information about our certification authority. So from here, we've seen what these options are. The next step of management actually stems from this console: on Certificate Templates, right-click, there's a Manage option. What that's going to do is open up another console in a new window for managing our certificate templates. It's in this console that I can modify the certificate templates that can be issued by my certification authority. This is another slightly complicated step, in that I don't select which templates to issue from here. This, for instance, is where I would modify a Web Server certificate template's properties, and I could make changes to some options in here. For instance, there are no computers in here, so I can't issue a web server certificate to a web server directly. I could modify that: I could add computers, and I could select a computer to issue a certificate to. So server DC is in that list; Enroll. Or I'd add a server "web", or whatever the name of my web server is, select the Enroll option, click OK. All I've done is change the template; I still can't issue that certificate to a web server. I then have to return to my certification authority, right-click on Certificate Templates again, New, Certificate Template to Issue. This lets me select from those templates which one I want to issue. Now in this case I already have a Web Server certificate here, so I would actually have to remove the one that exists and then re-select it with the changes to issue that certificate template again. Not going too deep into this; this is another topic that we could spend days and days on if we wanted to.

So our tools so far: we've looked at the Certification Authority tool, we've looked at the Certificate Templates tool. Now we want to look really quickly at certificates themselves. If I'm a user, or I want to look at the certificates issued to a server, a domain controller, whatever the case may be, how do I find that information? The quickest way is to open up the Microsoft Management Console: a Run window, a command prompt, or just the Start button, and type mmc. It's going to give you your MMC option, your Microsoft Management Console option, and you can launch it. Now it's empty. There is no out-of-the-box button, icon, or option for opening just a Certificates snap-in. You have to open the MMC and add the snap-in, and the reason for that is that when you add the Certificates snap-in to a management console, you get to select your scope: what do you want to manage certificates for, yourself, a select service, or a computer? I'm going to say my user account in this instance, just for the sake of the demo, and now I get a view of the certificates that have been issued to me as a user. In this case, File Recovery; that's all I have. The list I mentioned earlier, of third-party certification authorities out in the world that issue certificates that my computer or my account trusts automatically, exists right here: Trusted Root Certification Authorities. Certificates issued by any of these organizations that are used to verify identity, or encryption, or whatever the case may be, I'm going to trust those certificates if they're issued by these issuing certification authorities in the world. Now in this case I have additions. This is my certification authority. It's been added here automatically because it's an enterprise certification authority; my domain, as soon as I installed it, issued out a policy to add this authority to this list for my internal users and computers. If I were to add the snap-in for the computer that I'm using, you see the same list. In Personal, you're going to see something a little bit different, because this server is a certification authority: it's been issued a certificate, by itself, to issue certificates, if that makes sense. To issue a certificate you have to be issued a certificate by a certification authority; in this case, because it's an internal certification authority, we've issued that ourselves. We also have client authentication as a domain controller, and a web server certificate that I created and installed as part of the deployment of the Web Enrollment role, which we'll talk about in future slides. I'm going to not save this console, and we'll come back to that later.

The only other tool we have for managing Active Directory Certificate Services is the Online Responder snap-in. An online responder is an alternative to a certificate revocation list. I'm just going to show you the tool; you can take a look at it. We haven't covered what this topic is or what certificate revocation lists are yet, so we'll come back to this in a later demo and take another look. And there's one more I did forget to mention. I'm going to open a console one more time, and we're going to add one more snap-in. This is a tool left over, or not left over, but that's been in use by Microsoft for some time, since the server Resource Kit was issued back for Server 2000, I do believe. It used to be called PKI View and is now called Enterprise PKI. This is basically a monitor for your certification authority. All this tells you is information about your certification authority. It tells me that the certificate's good, it hasn't expired; it tells me locations for certificate revocation lists. These are all topics we're going to cover in subsequent lessons, but this is just a quick view at a tool that gives me a health check of my certification authority and my certificate, my entire PKI at this point, my whole public key infrastructure in my organization.

We're going to jump back into our presentation and continue on. So we covered: Certification Authority, Certificate Templates, the Online Responder (which we'll come back to), Enterprise PKI, and certificates themselves.

Understanding Active Directory Certificate Services: certificates. This is where we go more into the theory behind this technology: what these are, what they do, why we use them, and then at the end we'll tie these tools back together into how they manage these certificates and what they're used for.

Digital certificates: it's a file. It's a file that has two parts to it: basic information about the certificate and the holder (name, location, organizational information) and a key. This slide says public key; it's not always a public key, it may be a private key, but these are the two parts to any digital certificate, digital file. Public keys are distributed to all clients who request it; private keys are stored only on the computer from which the certificate was requested. If I happen to have a web server and I want that web server to provide SSL-encrypted services to the world, I'm going to get a certificate for that server that contains basic certificate information, as outlined on the slide, and a private key. There's also going to be, with that, a file containing the same information and a public key. That is what goes out to the public when they access that web server, for the sake of making sure that data is encrypted before it's transmitted to my web server. We're going to cover that in more detail, actually right now.

I set up a web server. I request a certificate. I'm issued a certificate. I install that certificate onto the web server, and it's available to the world. When a user requests (and this works both directions, requesting or submitting information), that information is in plain text. The private key is used, well, either the private or public depending on the direction you're flowing, to encrypt that information. It then, as you see here, is SSL encrypted. A good example of this is any website collecting personal information, which hopefully should be using SSL (and if it's not, you probably shouldn't be submitting personal information): it should have SSL enabled, HTTPS at the top, the lock in the status bar. What it's doing is encrypting this information with a key. I can decrypt that information on my end to read it, or I can use the public key to encrypt it if I'm submitting, and then the private key is used to decrypt it before it's actually sent on to the web server on the back end. But as it transits the public internet between these two sources, it's encrypted and cannot be read by third parties. It's a very broad overview of the process, in this case of just a web server certificate.

I am going to do a quick demo, similar to the web server explanation I just gave but a little bit different, in that it's going to allow me as a user to witness more readily encryption using digital certificates. So as the administrator on this computer, I'm going to open up the MMC that I had opened before so that we can take a look at the certificates that have been issued to me as a user, my user account, and OK. And again, prior, all we saw was this File Recovery. I'm going to minimize this and we'll come back to it in just a minute. I'm going to create a text document, and in that document I'm going to put some extraordinarily confidential information that no one else should ever be able to read except me and those that I designate. Save and close. One of the sort of basic functions of Windows, and has been for a long time, is the ability to encrypt individual files: in Advanced on my General tab in the Properties of my data, "Encrypt contents to secure data", and I click OK, and OK again. "You're encrypting a file that's in an unencrypted folder. If this file is modified, the editing software might store a temporary, unencrypted copy of the file." I'm not going to get into the technical details of that, but it is possible, if you're editing a document in an unencrypted folder, that a temporary copy of that document is actually what's modified by the software and is accessible in the meantime. It gives me an option right here: encrypt the file and its parent folder. I've got this on the desktop, so I'm not going to do that. This is a smaller demo; we don't have to worry about that in this case. And it's done. Nothing really appears any different. If I come into Advanced, it is encrypted. What's different is I now have a new certificate: as soon as I encrypted that document, I was issued an Encrypting File System certificate. The process by which EFS works in terms of encrypting the document, all of the algorithms used, and the process, is a well-documented process. We're not going to cover it in this course, because again, that is at a much technically deeper level, knowing those steps and what they should be or what they are in this case. So we won't get into that, but this is a great demonstration that pretty much anybody can do of having a certificate issued and having it used to encrypt the contents of a file.

And on to our next topic: certificate templates. This is one that we talked about a few minutes ago. We saw the tool used to manage templates and very briefly looked at one of those templates and how to modify some of its settings. Certificate templates and what they are: they define what certificates can be issued by a certification authority. They define what those certificates are used for and how they're used; in some cases, within those roles, there are other options you can set. They define which security principals have permission to read, enroll, and configure the templates themselves. There are a number of different templates. We saw one just now issued to the administrator, a Basic Encrypting File System certificate. Earlier we saw me modify a Web Server certificate. Those are just two examples of a number of examples that exist in that Certificate Templates snap-in of the types of certificates we can issue, modify, and decide to use or not use in our enterprise.

Implementing certificate enrollment and revocation. So once we've got our certification authority up and running, we've created our templates, we've modified our templates, we've published our templates to that certification authority, we now have to set up: how do we want users and computers to get those certificates, and how do we want to make sure those computers and users know when other certificates have been revoked, or have been cancelled, essentially? Certificate enrollment is the process of getting a certificate from a certification authority attached to your user account, a computer account, or a service. There are multiple options for enrolling a certificate. We're going to go through a couple of them here; some of them we won't actually demonstrate, but we are going to take a look. So our next demo is just that.

So here we are back in our demo environment, and we're going to use web enrollment to enroll for a certificate. One of your certification authorities you'll designate as a web enrollment certificate, or a web enrollment provider. In this case I'm using the same server; I have a single-server instance in this case, and that's going to bring up this interface. This is web enrollment. Request a certificate: a user certificate. I as a user can only select a user certificate, and this website knows that I'm a user requesting one. I can submit an advanced request, which I could do on behalf of something else, but for now we'll hold off on that; we'll come back to that in a minute. I want to use a certificate. A little warning comes up that says that this website must be used in HTTPS in order to complete certificate enrollment; the website for the CA must be configured to use HTTPS. And that is actually for the whole purpose of what we're doing. They want to make sure, they being Microsoft in this case, that when I as a user am requesting a certificate, which is built for identity verification and encryption and non-repudiation and other security factors, they want to make sure that I'm getting that certificate and requesting that certificate in a secure manner. So I click OK, and right now there's no Submit option; I'm not using SSL. Let's go back and we will add SSL. Same screen, click the request. "This website is attempting to perform a digital certificate operation on your behalf" (me, the user). "You should only allow known websites to perform these operations." In this case this is my website, so yes. This time the Submit option exists. There are more options for this certificate; we're not going to get anywhere near those details today. I click Submit. Again, attempting to perform this operation on my behalf, and they've issued me a certificate. Now this certificate does not exist in the certificate store that we looked at earlier, and I'll bring that back up real quick for my user account, and we'll open up Personal, Certificates. We have the Encrypting File System certificate from earlier; we have the original File Recovery certificate. The one I was just issued has not been attached to me as a user on this computer yet. I have to install it. I click the link; it takes care of that for me. I now have, in this case it's a User certificate, the pre-built template that's called User. Certificate, here at the bottom where it says Certificate Template Name, if it will let me expand that out: User. Now User and Basic EFS, even though they're different templates, in this case if you look at intended purposes, they're similar but not the same. The Basic EFS certificate is for Encrypting File System; the User certificate is for Encrypting File System and additional functions, and that's the one I now have. And that is the demo on enrolling for a certificate via the web for a user. We're going to jump back into the PowerPoint presentation and pick up where we left off.

So, administering certificate enrollment. To obtain a certificate using manual enrollment (this is a little bit different than the web enrollment we just saw, which was relatively automated): you create a request, submit a request, obtain approval, and retrieve it from the CA. What this would entail, and this is a process you may see with third-party certification authorities, is filling out a number of forms, a series of forms, creating a file. That file either gets pasted (the contents of that file get pasted) into a box via a website, or the file gets sent off, and that is your request, and that request gets put on a server waiting for an administrator to approve it. This can also be done in the methods we were just using: you submit it, an administrator has to approve it, and once they've approved it you then go to that certification authority and pull that certificate down off of it and install it into your certificate store. There is a demo here for that as well; we'll jump right into that.

So we're going to close this out. Nope, go back Home in our web enrollment form. Request a certificate, very similar to what we did before, or submit an advanced one. So here, this is where you'll see the option: "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file." These are generated through other certificate request mechanisms. I'm going to once again open up our MMC for personal certificates issued to my user account. All Tasks, Request New. I also have Advanced, Create Custom Request. Here I can select the policy that I want to apply to get the certificate. I only have one policy; we're not going to go too deep into certificate enrollment policy. What template do I want to use? And again, this is a user, so I'm just going to use the User certificate template we used before, but in this instance, instead of submitting this directly to the certification authority, I'm going to put it into one of those formats just mentioned in the message. Click Next. All my details are here. Click Next again. Where do I want to put my request file? And we'll call this "certificate". Finish. No real feedback, but here's my request. This is now a file that can be used to request a certificate from a certification authority based on the criteria I entered. This is what a certificate request looks like. The reason I bring this up is because, from time to time, depending on the configuration of the certification authority you're trying to get a certificate from (and this may pertain to third parties), you may have to actually copy and paste this text from the file into another window instead of submitting the file.

Now, since we've done this, since we have the file here, we're going to go back to web enrollment one more time. Log in again, Request a Certificate, Submit Advanced, and here we're going to use that second link: submit a certificate request using a file. It's going to ask me exactly what I just mentioned, which is not to attach the file, but to put the request directly into this box. I'm going to cheat a little bit: open up my desktop via the Run line, open that file back up, copy its contents, paste them into here. Again, it's a User template, and Submit. And it's done. The CA has now issued me a new certificate based on a request generated externally and then copied and pasted into a request window in the web enrollment tool. At this step we have a couple of options. I can download the certificate from this page. If I don't, for some reason ("oh, I got my certificate, I don't need it", I just close this), I can still get that certificate from the Certification Authority snap-in, because all issued certificates are tracked here. As an end user I won't have access to this, but as an end user, if I requested a certificate and then closed this window and I'm unable to download that certificate, I can have an administrator give me that information. You can actually see the request I just submitted right here at the end: user, there's an ID, a serial number, time submitted, and I can export this if I need to. I'm going to download this for potential later use, and that is our demo on requesting a certificate via a file.

And we are on to the next slide, post demo. We did talk about administering certificate enrollment. This is what we just did: creating, submitting, obtaining approval, and retrieving. In this case, the step we skipped was approval. We don't have the certificate template set up so that when our request is submitted an administrator has to manually approve it. That is one difference. There is a demo here on how to administer requests. I'm going to skip this demo in the interest of time; we've seen all the steps for requesting and enrolling for certificates. I can say that once a request has been made, in that Certification Authority window, you open up that snap-in, there's a Pending Requests folder. It's in that folder, as an administrator, that you would go to look at requests that have been submitted and not approved automatically or by another administrator, and approve them and issue those certificates to those users or devices.

Options for automating. So this relates to what we've just been talking about. I have a number of different options as an administrator. I can tell a certificate template to allow users to enroll and approve that enrollment, which we've seen. I can tell it that an administrator's approval is required, which we haven't seen but we've talked about. Or I can go a step beyond the first option and tell my network, my domain, to automatically issue certificates of given types to given objects (computers or users or network devices) automatically, without them specifically enrolling for those certificates. Right here on this slide we talk about it: Group Policy in my domain triggers an automatic request for a new computer or a new user; autoenroll is enabled on the template from which the requested certificate is created, and it's issued automatically.

Certificate revocation is what happens when I as an administrator decide that a certificate should no longer be valid. That could be for any number of reasons: a user no longer with the organization, a computer taken offline. There are various reasons for a certificate being revoked. Clients can ensure the certificate has not been revoked by using the following methods: the Online Certificate Status Protocol responder service (the online responder), or the certificate revocation list. We saw... I'll actually jump to the next slide, because it's a demo, and we'll go right into that demo real quick. So we're back here in the demo environment, and we're going to
take a look at certificate revocation as it applies to the tools we've already used we have a certification authority we've seen this tool a couple of times at this point we have our issued certificates this will be a good starting point for me we have a number of certificates issued to administrator in this case a number of certificates that are essentially the same and for whatever reason we'll say that user has left the organization amicably not amicably under whatever circumstances we want to make sure that this certificate is no longer honored for its purpose all tasks revoke are you sure you want to revoke it give us a reason and a date and a time in this case we can say change of affiliation the user is no longer with this organization and yes the certificate vanishes from here and has now been placed into revoked certificates what this means is that if that user were to attempt to log on to these systems and access encrypted information decrypt an encrypted file because this was an efs certificate it would not work because as soon as that operation is attempted it's going to check with the certification authority on the validity of the certificate being used to do that operation the certification authority is going to look at this revocation and say that certificate's no longer valid you don't get to do that a good example of this where options are given to end users if you have a website that is encrypted with ssl or is using the ssl protocol and does not have a valid certificate you'll get a warning window saying this certificate is invalid and there may be for any number of reasons there are a number of possible reasons that that happens on a relatively regular basis but in that instance you have an option to continue anyways using an invalid certificate or stop the operation you're attempting to to do and that is the end of the revocation demo that's how you revoke a certificate and how the server stores information about those revoked certificates 
we're going to get into further details in just a little while so now you've seen how to revoke certificates and monitor our manage revoke certificates that actually wraps up the module on active directory certificate services we've covered the various different tools used to manage we've covered the installation again very high level what it is what it does how it works so that concludes active directory certificate services we've seen the tools we've gleaned some ideas on what they're for how they're used how they're managed again as an overview that many many many further details on active directory certificate services like domain services it is a very deep topic full of days of its own content and hopefully you keep monitoring microsoft virtual academy right here and we will be providing more content on this topic in the future you
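The enrollment-by-file and revocation flow shown in the demo, replayed with OpenSSL as an added example. This is not the course's material and does not use AD CS: OpenSSL's `ca` command stands in for the certification authority and its issued/revoked lists, the `jdoe` user, file names and the minimal configuration are constructed for the demo, and the revocation reason is the one the demo picks (change of affiliation).

```shell
# Added example (not from the course): the "request via a file" enrollment and the
# revocation + CRL check from the demo, replayed offline with OpenSSL standing in for the CA.
set -e
make_ca() {  # root CA, empty issuance database and a minimal 'openssl ca' configuration
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
  touch index.txt; echo 01 > serial
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo Root CA" -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" -days 365 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null  # a (still empty) CRL must exist before checks
}
# Client builds key + request file offline; the CA issues from that file and logs it in index.txt.
issue_from_csr() {  # $1 = common name
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.pem" 2>/dev/null
}
# Administrator revokes with the demo's reason (change of affiliation) and republishes the CRL.
revoke_cert() {
  openssl ca -config ca.cnf -revoke "$1" -crl_reason affiliationChanged 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}
# Relying-party check: chain validation against the CA's CRL; prints "valid" or "revoked".
check_cert() {
  cat ca.pem ca.crl > trust.pem
  if openssl verify -crl_check -CAfile trust.pem "$1" >/dev/null 2>&1; then echo valid; else echo revoked; fi
}
cd "$(mktemp -d)"
make_ca; issue_from_csr jdoe
echo "jdoe after issue:  $(check_cert jdoe.pem)"   # valid
revoke_cert jdoe.pem
echo "jdoe after revoke: $(check_cert jdoe.pem)"  # revoked
```

After `revoke_cert`, `index.txt` carries an `R` entry for the serial, the equivalent of the snap-in's Revoked Certificates folder, and the republished `ca.crl` is what a client consults in place of the CA itself.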
Info
Channel: IT Refresher Courses
Views: 2,370
Id: D8cffeiovvc
Length: 47min 40sec (2860 seconds)
Published: Wed Nov 25 2020