Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4275: How to setup a user-authentication certificate for auto-enrollment for Mac OS X.

Centrify Identity Service, App Edition ,   Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:46 AM

Applies to: Centrify DirectControl 5.1.3 on Mac OS X 10.7 and higher
 
Question:
 
What is the configuration necessary for Mac systems to successfully receive auto-enrolled user-authentication certificates?
 

Answer:

The following versions must be installed before User Certificates can be issued using Group Policy:
  • Centrify Suite 2014 or higher
  • Centrify DirectControl 5.1.3-482 or higher

On the Windows side:
  1. Load mmc.exe with Certificate Template & Certificate Authority snap-ins.
     
  2. Certificate Template > Right click on the "User" template > Select All Tasks > Click on Duplicate Template

    User-added image


     
  3. Give it a suitable Template Name:
  4. Configure the following properties
    • Security tab
      • Domain Users > Allow Enroll & Autoenroll permissions
    • Subject Name tab
      • Build from Active Directory information
      • (Optional) Uncheck "Include email in subject name" and "Email name" checkboxes.
        (Doing this removes the requirement for the AD user to need an email address).

        User-added image 
        User-added image
  5. Certification Authority > [ domain ] > Right-click Certificate Templates > New > Certificate Template to Issue > Find the new template and add it in. 

    User-added image

     
  6. Enable the Group Policy at:

    Windows 2003
    User Configuration / Windows Settings / Security Settings / Public Key Policies / "Autoenrollment Settings" 
     
    Windows 2008
    User Configuration / Windows Settings / Security Settings / Public Key Policies / "Certificate Services Client - Auto-Enrollment Settings" 
     
    Select the renew and update options as needed. 

    User-added image

     


On the Mac side:
  1. Log into Mac as Local Admin and open Terminal: 

    sudo adflush 

    User-added image

     
  2. Log into Mac as AD user and open Terminal:

    adgpupdate 

    User-added image

     
  3. On agent versions 5.2.1 and below - the certs should now show up in the ~/.centrify/ directory.
    On agent versions 5.2.2 and above - as part of a security enhancement, the user certs will now only download when the AD user logs in via the GUI login window. This means after running the GP update, have the AD user logout and log back in to immediately retrieve their user certs. Additionally - only the .cert file will appear in the ~/.centrify/ directory, The .key and .chain files are no longer used in the latest versions.

    ls -l ~/.centrify/ 

    User-added image
  4. You can also check the Keychain Access login keychain for the certificate:

    User-added image

Note:
  • As mentioned in Step 3 of the Mac-side steps above - as of version 5.2.2 - user-certificates are now only enrolled when a user does a Connected login from the GUI login screen.
  • This means remote users who initially do an offline cached login, and then go into Connected mode AFTER they are already logged in (i.e. VPN users) will not see their user certs at login.
  • For remote users, use the following sequence:
    1. Do a cached login into the Mac
    2. Bring the Centrify agent into Connected mode
    3. Open Terminal and run the commands exactly as shown:
      • ​For users on agent versions 5.2.2 - 5.2.3, use:
        • security unlock-keychain -u
        • /usr/share/centrifydc/sbin/adcert -u $USER -k
      • For users on agent version 5.2.4 and above, use:
        • security unlock-keychain -u
        • /usr/local/share/centrifydc/sbin/adcert -u $USER -k
    4. The user certificates should now appear in the user's Keychain Access
  • Be aware that it may be necessary to re-lock and unlock it again to "fully" unlock the Login Keychain, this appears to be a bug in Keychain Access itself.


See the following KB for auto-enrollment of machine certificates:  
See also the following KB for troubleshooting tips:

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.