Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2798: How to setup a workstation-authentication certificate for auto-enrollment for Mac OS X.

Centrify Identity Service, Mac Edition ,  

25 October,17 at 06:07 PM

Applies to: All versions of Centrify DirectControl on Mac OS X 10.7 and higher
 
Questions:
 
What is the configuration necessary for Mac systems to successfully receive auto-enrolled workstation-authentication certificates?
 

Answer:
 
On the CA server: 
  1. Go to the Start menu > Run > mmc.exe > File > Add/Remove Snap In...
     
  2. Add > Certificate Templates
     
  3. Add > Certificate Authority > Select Local (or the target CA to be configured) > OK
     
  4. In the console, go to Certificate Templates and duplicate the Workstation Authentication certificate (right-click > All Tasks > Duplicate Template):
     
    User-added image
     
  5. Give it a meaningful name, e.g. "Mac Auto-Enroll Certs" and then configure the following properties:
    • Extensions tab > Application Policies > Edit... > Add... > Server Authentication
      (Client Authentication should already be in the Application policy list)
       
    • Subject Name > "Build this from AD information" >
      • Subject name format: Common name
      • Include this information in alternate subject name: DNS name / User Principal Name
        (Note: Some environments may require one of, or both of these alternate names enabled)
    • Security tab > Allow Enroll & Autoenroll permissions for the appropriate AD groups
      (i.e. Domain Computers)
       
    • Note: Additional properties may also be need to be configured; depending on the target environment and desired usage of the certificate.
       
       
      User-added image
       
      User-added image
       
      User-added image
       
  6. Go into the Certification Authority section > [domain] > Right-click on Certificate Template > New > "Certificate Template to Issue" > Scroll to the newly created template and add it to the list.
     
    User-added image
     

     
  7. Enable the Group Policy at:
    • Windows 2003
      • Computer Configuration / Windows Settings / Security Settings / Public Key Policies / "Autoenrollment Settings" 
    • Windows 2008
      • Computer Configuration / Windows Settings / Security Settings / Public Key Policies / "Certificate Services Client - Auto-Enrollment Settings" 
    • Select the renew and update options as needed.
       
  8. Go to the Mac and pull down the certs immediately by opening the Terminal and running:
     
    sudo adflush
    adgpupdate
     
  9. When the operation completes, check that the certificates have been downloaded into Keychain Access. They should also appear in the location: /var/centrify/net/certs/
     
  10. Check also on the CA server by looking in the Certification Authority (certsrv.msc) and looking the Issued Certificates folder.
 
 
Note 1: 
 
Support for using this type of certificate for authenticating into 802.1x networks was introduced in Centrify Suite 2013.2 (Mac agent 5.1.1). For further configuration steps on how to setup the 802.1x authentication profile via group policy, please the Centrify Admin Guide for Mac OS X:

Note 2:

For auto-enrollment of user certificates, see:

Note 3:
 
See also the following KB for troubleshooting tips:
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.