KB-2798: How to set up a workstation-authentication certificate for auto-enrollment for Mac OS X.

Information

Knowledge Article Type: How To's
Product: Mac Management
Version: All
Tags: authentication certificate, auto enrollment, mac, OSX
Article Edits: 8/19 - KB was in draft so getting it re-published.
Bug #: 39640
Solution ID: 2798

Knowledge Base Article Details
Questions:
What is the configuration necessary for Mac systems to successfully receive auto-enrolled workstation-authentication certificates?

Answer:
On the CA server: 
  1. Go to the Start menu > Run > mmc.exe > File > Add/Remove Snap-in...
     
  2. Add > Certificate Templates
     
  3. Add > Certification Authority > Local computer (or the target CA to be configured) > OK
     
  4. In the console, go to Certificate Templates and duplicate the Workstation Authentication template (right-click > All Tasks > Duplicate Template).
     
  5. Give it a meaningful name, e.g. "Mac Auto-Enroll Certs", and then configure the following properties:
    • Extensions tab > Application Policies > Edit... > Add... > Server Authentication
      (Client Authentication should already be in the Application Policies list. Only add Server Authentication if the certificate will actually be presented as a TLS server certificate; for 802.1X client authentication alone, Client Authentication is sufficient and keeps the certificate's permitted uses narrow.)
       
    • Subject Name tab > "Build from this Active Directory information":
      • Subject name format: Common name
      • Include this information in alternate subject name: DNS name / User Principal Name
        (Note: Some environments may require one or both of these alternate names enabled. Do not select "Supply in the request" for an auto-enrolled computer template: it would let the enrolling machine choose its own subject and alternate names, so any computer permitted to enroll could obtain a Client Authentication certificate for another identity.)
    • Security tab > Allow Enroll and Autoenroll permissions for the appropriate AD group(s)
      (e.g. Domain Computers; a group containing only the Macs that need certificates keeps enrollment scoped to those machines)
       
    • Note: Additional properties may also need to be configured, depending on the target environment and the desired usage of the certificate.
       
  6. Go into the Certification Authority section > [CA name] > right-click Certificate Templates > New > "Certificate Template to Issue" > scroll to the newly created template and add it to the list.
     
  7. Enable auto-enrollment in a Group Policy Object linked to the OU that contains the Mac computer accounts:
    • Windows 2003
      • Computer Configuration / Windows Settings / Security Settings / Public Key Policies / "Autoenrollment Settings"
    • Windows 2008
      • Computer Configuration / Windows Settings / Security Settings / Public Key Policies / "Certificate Services Client - Auto-Enrollment Settings"
    • Set the configuration model to Enabled and select the renew/update options as needed ("Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates").
       
  8. Go to the Mac and pull down the certificates immediately by opening Terminal and running:
     
    sudo adflush
    adgpupdate
     
  9. When the operation completes, check that the certificates have been downloaded into Keychain Access. They should also appear under /var/centrify/net/certs/.
     
  10. Check also on the CA server by opening the Certification Authority console (certsrv.msc) and looking in the Issued Certificates folder.
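The check a Mac administrator would want after step 9, as an added example that is not part of this KB or of the Centrify agent: a POSIX shell script that inspects a certificate with openssl and confirms it carries the Client Authentication usage and a DNS subject alternative name that matches the machine's AD name, i.e. the settings chosen on the template above. It assumes an openssl (or macOS LibreSSL) binary on PATH. The hostname mac01.example.com, the self-signed sample certificates and the file names are constructed for the demonstration; on a real Mac, point check_workstation_cert at the certificate file under /var/centrify/net/certs/.

```shell
#!/bin/sh
# Added example (not from the Centrify KB): verify that an auto-enrolled
# workstation certificate carries what the template was configured for.
# Assumes openssl (or macOS LibreSSL) is on PATH.
set -eu

# Print the line that follows a given X509v3 extension header in the output
# of "openssl x509 -text"; prints nothing if the extension is absent.
ext_value() {   # $1 = certificate file, $2 = header text to look for
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk -v hdr="$2" 'index($0, hdr) { getline; print; exit }'
}

# check_workstation_cert CERT [EXPECTED_FQDN]
# Returns 0 when CERT has the Client Authentication EKU and a DNS subject
# alternative name, and (if EXPECTED_FQDN is given) that DNS SAN names the
# expected host, i.e. the certificate is bound to this machine's AD name.
# Prints one line per finding so the result can be read in Terminal.
check_workstation_cert() {
    cert="$1"
    expected="${2:-}"
    status=0

    eku=$(ext_value "$cert" "X509v3 Extended Key Usage:")
    case "$eku" in
        *"TLS Web Client Authentication"*)
            echo "ok:   Client Authentication EKU present ($eku)" ;;
        *)
            echo "FAIL: Client Authentication EKU missing (EKU: '${eku:-none}')"
            status=1 ;;
    esac

    san=$(ext_value "$cert" "X509v3 Subject Alternative Name:")
    case "$san" in
        *"DNS:"*)
            echo "ok:   DNS SAN present ($san)" ;;
        *)
            echo "FAIL: no DNS subject alternative name (SAN: '${san:-none}')"
            status=1 ;;
    esac

    # Match the whole SAN entry (followed by a comma or end of line) so that
    # "DNS:mac01.example.com.evil" does not pass for mac01.example.com.
    if [ -n "$expected" ]; then
        case " $san " in
            *"DNS:$expected,"*|*"DNS:$expected "*)
                echo "ok:   DNS SAN matches expected host $expected" ;;
            *)
                echo "FAIL: DNS SAN does not name $expected"
                status=1 ;;
        esac
    fi
    return "$status"
}

# make_sample_cert DIR EKU SAN
# Constructed test input: a self-signed certificate standing in for one
# issued by the enterprise CA (the real one lives under /var/centrify/net/certs/).
# The hostname mac01.example.com is made up for this example.
make_sample_cert() {
    mkdir -p "$1"
    cat > "$1/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = mac01.example.com
[ v3 ]
extendedKeyUsage = $2
subjectAltName = $3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$1/req.cnf" -extensions v3 \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demonstration on constructed certificates: one shaped like the template
# above (Client + Server Authentication, DNS SAN) and one that lacks
# Client Authentication and would be useless for 802.1X.
workdir=$(mktemp -d)
make_sample_cert "$workdir/good" "clientAuth, serverAuth" "DNS:mac01.example.com"
make_sample_cert "$workdir/bad"  "serverAuth"             "DNS:mac01.example.com"
check_workstation_cert "$workdir/good/cert.pem" mac01.example.com
check_workstation_cert "$workdir/bad/cert.pem"  mac01.example.com \
    || echo "(bad sample correctly rejected)"
rm -rf "$workdir"
```

On an enrolled Mac, run check_workstation_cert against the certificate file under /var/centrify/net/certs/ with the machine's fully qualified AD name as the second argument; a FAIL on the EKU or SAN lines points back to the Extensions or Subject Name tab of the template rather than to the agent.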
 
 
Note 1:
 
Support for using this type of certificate to authenticate to 802.1X networks was introduced in Centrify Suite 2013.2 (Mac agent 5.1.1). For further configuration steps on how to set up the 802.1X authentication profile via group policy, please see the Centrify Admin Guide for Mac OS X:

Note 2:

For auto-enrollment of user certificates, see:

Note 3:
 
See also the following KB for troubleshooting tips:
 
Created By: Article Admin
Solution Creator: Brian Lau