
Workspace ONE AD CS Integration for SSO

Installation & Integration

The first step in integrating your AD CS server with Workspace ONE UEM is, of course, to have the AD CS role set up. I’ve created videos for those who are more visual to guide them along the steps required.

Adding the AD CS Role

  1. Navigate to Server Manager
  2. Select “Add roles and features”
  3. For “Installation Type”, select “Role-based or feature-based installation”
  4. Select the server you want to install AD CS on
  5. Select the “Active Directory Certificate Services” Server Role to add
  6. Confirm to add the features required for AD CS
  7. On the AD CS Role Services, click the checkbox for “Certificate Authority”
  8. Confirm and allow AD CS to be installed

Post-deployment AD CS Configuration

  9. Navigate to Server Manager
  10. Click on the “Notifications” flag, and click to configure the Post-deployment Configuration
  11. Select the account with sufficient privileges to install the CA role service
  12. Click on the “Certificate Authority” checkbox to install
  13. Confirm that you are installing an Enterprise CA
  14. You will need a Root CA, so check that you have clicked on the “Root CA” radio button
  15. Select “Create a new private key” if you do not have an existing one
  16. Choose your preferred cryptographic provider, the key length, and the hash algorithm. You will need to provide this information later.
  17. Enter a common name for your CA. You will need to provide this information later.
  18. Select the validity period for the Root CA certificate
  19. Specify the Certificate Database location path
  20. Confirm the details, and click on “Configure” to install

Creating a Service Account for AD CS

  21. Navigate to Active Directory Users & Computers
  22. Under your domain, right-click on the “Users” container, and under the “New” sub-menu, click User
  23. Create the service account by filling in the appropriate fields

Provide Permissions for Service Account

  24. Navigate to the “Certificate Authority” console
  25. Right-click the CA you configured, and click “Properties”
  26. In the “Properties” window that opens, under the “Security” tab, add the service account you created in Step 23 to explicitly provide the required permissions
  27. For the service account, you will need to give it the “Read”, “Issue and Manage Certificates”, and “Request Certificates” permissions
  28. Click Apply and Ok to confirm
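As an added example (not from the original post), the same role installation, Enterprise Root CA configuration and service account creation from the sections above as PowerShell; the CA name, key length, account name and database path are assumed values to replace with your own, and the CA “Security” tab permissions remain a console step:

```powershell
# Added example: scripted equivalent of steps 1-23. Every name and value below is an
# assumption for illustration; substitute your own. Run on the future CA as a domain
# user who is a member of Enterprise Admins (required for an Enterprise CA).
$CACommonName = 'CORP-ISSUING-CA'   # entered again later as the UEM "Authority Name"
$KeyLength    = 2048                # entered again later as the UEM "Private Key Length"
$ServiceUser  = 'svc-ws1adcs'       # the account UEM authenticates to the CA with
$DbPath       = 'C:\Windows\System32\CertLog'

# Steps 1-8: add the AD CS role and its management tools (Server Manager equivalent)
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Steps 9-20: post-deployment configuration as an Enterprise Root CA with a new key.
# Provider, key length and hash algorithm are the values step 16 tells you to note down.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName $CACommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength $KeyLength -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory $DbPath -LogDirectory $DbPath -Force

# Steps 21-23: dedicated service account; the password is prompted for, not hardcoded
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot
New-ADUser -Name $ServiceUser -SamAccountName $ServiceUser `
    -UserPrincipalName "$ServiceUser@$domain" `
    -AccountPassword (Read-Host -AsSecureString "Password for $ServiceUser") `
    -Enabled $true `
    -Description 'Workspace ONE UEM certificate enrollment service account'

# Steps 24-28 (Read / Issue and Manage Certificates / Request Certificates on the CA)
# are still granted in the Certificate Authority console as described above.
"CA: $CACommonName  key length: $KeyLength  service account: $domain\$ServiceUser"
```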

Creating a Certificate Template

  29. Open a Command Prompt or PowerShell window on the CA and enter the following commands. They allow the CA to accept Subject Alternative Names (SAN) supplied in the request. Note that this flag applies to every template the CA issues, not just the one created below.
      certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
      net stop certsvc
      net start certsvc
  30. Navigate to the “Certificate Authority” console.
  31. Click the ‘+’ sign next to the configured CA to expand the sub-folders
  32. Right-click on “Certificate Templates” and click “Manage”
  33. Locate the pre-defined certificate template named “User”, right-click it, and click on “Duplicate Template”
  34. In the Properties window that appears, there are a number of items that need to be changed.
  35. Under the “Compatibility” tab, select the oldest version of Windows Server you are using (to maintain backward compatibility)
  36. Under the “General” tab, enter your desired display name, as well as the template name. Take note of the template name here as you will need it later.
  37. Under the “Request Handling” tab, select the purpose of the certificate. Ensure that the “Allow private key to be exported” checkbox is selected
  38. Under the “Subject Name” tab, click on the “Supply in the request” radio button. Click Ok to accept
  39. Under the “Extensions” tab, highlight “Application Policies”, click “Edit”, and click “Add”. Look for “Client Authentication” and click “Ok”.
  40. Under the “Security” tab, add the service account user created in Step 23 to explicitly provide it with permission to Enroll the certificate.
  41. Click “Apply” and “Ok” to confirm the configuration. You should see the duplicated Certificate Template with the display name you configured in Step 36.
  42. Going back to the “Certificate Authority” console, right-click on the “Certificate Templates” sub-folder, and under “New”, select “Certificate Template to Issue”.
  43. In the “Enable Certificate Templates” window that appears, locate the Certificate Template you’ve just created in Step 41. Highlight it, and click “Ok”.
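Before moving to the UEM console, it is worth confirming from the CA side that the flag, the published template and a request with the SAN supplied in the request all work, since that is exactly what UEM will do. This is an added check, not part of the original post; the template name, CA config string and test UPN are assumed values:

```powershell
# Added example: verifies the CA-side prerequisites from steps 29-43. Assumed names:
# template 'WS1User' (the template name, not the display name), CA config string
# 'ca01.corp.example\CORP-ISSUING-CA', test UPN 'ws1test@corp.example'.
# Run the request part as the service account so the Enroll permission is exercised.
$TemplateName = 'WS1User'
$CAConfig     = 'ca01.corp.example\CORP-ISSUING-CA'
$TestUpn      = 'ws1test@corp.example'

# Step 29: EDITF_ATTRIBUTESUBJECTALTNAME2 is CA-wide, so any principal that can enroll
# in any published template can also supply a SAN; keep Enroll on templates restricted.
$flags = certutil -getreg policy\EditFlags | Out-String
if ($flags -notmatch 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    throw 'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set; UEM requests with a SAN will fail.'
}

# Step 43: the duplicated template must be in the CA's issue list
Import-Module ADCSAdministration
if (-not (Get-CATemplate | Where-Object Name -eq $TemplateName)) {
    throw "Template $TemplateName is not published on this CA."
}

# Steps 36-39 end to end: subject and SAN supplied in the request, exportable key
$inf = @"
[NewRequest]
Subject = "CN=$TestUpn"
KeyLength = 2048
Exportable = TRUE
KeySpec = 1
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $TemplateName
"@
Set-Content -Path "$env:TEMP\ws1test.inf" -Value $inf
certreq -new "$env:TEMP\ws1test.inf" "$env:TEMP\ws1test.req"
certreq -submit -config $CAConfig -attrib "san:upn=$TestUpn" `
    "$env:TEMP\ws1test.req" "$env:TEMP\ws1test.cer"

# The issued certificate must carry the requested UPN and the Client Authentication EKU
$dump = certutil -dump "$env:TEMP\ws1test.cer" | Out-String
if ($dump -notmatch [regex]::Escape($TestUpn) -or $dump -notmatch 'Client Authentication') {
    throw 'Issued certificate lacks the UPN SAN or the Client Authentication EKU.'
}
"CA prerequisites verified for template $TemplateName"
# Revoke the test certificate afterwards:  certutil -config $CAConfig -revoke <serial>
```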

Integrating AD CS

  44. Going back to the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Certificate Authorities
  45. Click on “Add” to integrate a Microsoft AD CS server with Workspace ONE UEM
  46. Fill in the fields with the appropriate values in the “Certificate Authority – Add/Edit” window that comes up. Click on “Test Connection” after filling in the values. It should come up as successful.

Certificate Authority fields:
  Name: The display name of the AD CS server in Workspace ONE UEM
  Description: A description you can enter
  Authority Type: Which CA you are using. AD CS in our case
  Protocol: AD CS
  Server Hostname: The hostname of the server on which your AD CS role runs
  Authority Name: The common name you provided in your Windows Server, the same name as in Step 17
  Authentication: Service Account
  Username/Password: The credentials for the service account created in Step 23
  Additional Options: Optional; not needed for this setup

Specifying Certificate Request Template

  47. After integrating the CA, you will need to specify the Request Template. On the same settings page, under the “Request Templates” tab, click on “Add”.
  48. Fill in the fields with the appropriate values in the “Certificate Template – Add/Edit” window that comes up. Click on “Save” after filling in the values.

Certificate Template fields:
  Name: The display name for the Certificate Template
  Description: A description you can enter for the Certificate Template
  Certificate Authority: Choose the Certificate Authority you integrated with Workspace ONE UEM in Step 46
  Issuing Template: Enter the template name you noted in Step 36
  Subject Name: Used to specify and identify the certificates created for each device
  Private Key Length: Must be the same value as the key length you configured in Step 16
  Private Key Type: The checkboxes you tick here should match the purpose you chose in Step 37
  Include Security Identifier (SID) in certificate: Enabling this automatically includes the SID attribute from LDAP in the certificate subject for added security
  SAN Type: Used for additional unique identification of the certificate
  Automatic Certificate Renewal: Choose appropriately if automatic certificate renewal is required
  Auto Renewal Period: If enabling automatic certificate renewal, choose the auto renewal period
  Enable Certificate Revocation: Enable to automatically revoke the certificate when a device is unenrolled
  Publish Private Key: Choose appropriately if the private key needs to be published
  EKU Attributes: Specify Extended Key Usages (EKU) if required

With these 48 steps, you have integrated your on-premises Certificate Authority with Workspace ONE UEM! The next steps, configuring SSO for each device platform, will be documented in the following pages!
