Applies To: Centrify Identity Service
Administrators can configure mobile device profiles so that the identity platform installs a certificate generated either by the Centrify cloud CA or by the Active Directory Certificate Services certification authority designated in the Cloud Manager (see the online help section Selecting the policy management tool).
The certificate, regardless of the policy source, is automatically generated and installed on the device when the user enrolls the device. When using a certificate for authentication, be sure to set the “Provide client certificate” option in the profile.
If using the Centrify cloud policy service for device management policy, the Centrify cloud CA is used to generate certificates. If you’re using Active Directory group policy for device management policy, the Windows Certificate Authority server is used to generate certificates. You cannot have a hybrid in which, for example, you select the Centrify cloud policy service for device management policy but use the Windows Certificate Authority server to generate certificates.
Some configuration of the Windows servers is necessary whichever certificate source you use:
Note: This article outlines the process for creating certificate templates only for Mac and mobile devices enrolled into the Centrify Cloud Service. For Mac computers joined to Active Directory using the Centrify for Mac agent, please reference the Centrify Administrator's Guide for Mac OS X or the following Knowledge articles specific to Mac configuration and deployment:
The Centrify cloud connector and cloud service have the certificates created, deliver them to the device, and incorporate them into the authentication protocol. In many cases, especially for Exchange servers, additional server configuration is required before you can use certificates for authentication. See your server’s documentation for the details.
Note: Per Centrify Technical Support KB-4216 regarding Exchange PKI configuration, Admins may set the user’s Certificate Template on the Certification Authority and make sure that the Domain Users group in AD has the permission to auto-enroll the certificate. For general instructions for configuring Exchange 2010 authentication using PKI, see this Exchange 2010 PKI Authentication Configuration document.
Admins select certificate-based authentication in a Wi-Fi, VPN, or Exchange profile created in a group policy object using the Group Policy Management Editor. See Managing mobile device policies for the details. Before using certificates for authentication, however, Admins must first create the certificate templates expected by the cloud proxy server.
There are two certificate templates to create:
• Computer-ClientAuth (workstation template)
• User-ClientAuth (user template)
Note: The template name must be entered exactly as shown above, including the capital letters.
In some cases, you specify in the profile which certificate to use for authentication (for example, the iOS Wi-Fi profile) while others require you to use either the computer or the user certificate.
To simplify profile configuration, we recommend creating both templates. You use the Microsoft Management Console (MMC) on the certification authority server to create the templates.
Create the computer and user certificate templates:
1. Open the MMC on the Windows server with the certification authority installed. You need the Certification Authority snap-in installed to run this procedure.
2. Expand the certification authority, right-click Certificate Templates, and click Manage.
3. Right-click Computer and choose Duplicate Template.
Note: If you are creating the user template, right-click User instead.
4. Select Windows Server 2008 and click OK.
5. In the Template display name: text box, enter Computer-ClientAuth. (This automatically fills in the Template name: field too.) Set the Validity period: and Renewal period: values.
Note: If you are creating the user template, enter User-ClientAuth instead.
6. Click the Subject Name tab and select Supply in the request.
7. Click the Security tab, select Authenticated Users and select the Read and Enroll permission.
8. On the same tab, select Domain Computers and select the Read and Enroll permission. (The computer(s) hosting the proxy server should also be given the Enroll permission).
Note: If you are creating the user template, select Domain Users instead.
9. Click OK and close the Certificate Templates Console.
10. In the MMC, right-click Certificate Templates, click New, and click Certificate Template to Issue.
11. Click Computer-ClientAuth and click OK.
Note: If you are creating the user template, select User-ClientAuth instead.
12. Verify that the new Certificate Template is displayed.
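The following PowerShell script is an added verification check for the procedure above; it is not part of this article's original content or Centrify's tooling. It assumes a domain-joined Windows host with the ActiveDirectory module (RSAT) and read access to the Configuration partition, and it uses the two template names the article requires. It confirms that each template exists with the exact casing the cloud proxy expects, that "Supply in the request" is set, which principals hold the Enroll permission (so you can confirm Domain Computers / Domain Users and the proxy host are listed), and which CA has published the template for issuance.

```powershell
# Added verification script (not Centrify's own code). Assumes the
# ActiveDirectory module is available and the caller can read the
# Configuration naming context of the forest.
Import-Module ActiveDirectory

# The two template names the article requires, exact casing included.
$TemplateNames = @('Computer-ClientAuth', 'User-ClientAuth')

# Bit 0x1 of msPKI-Certificate-Name-Flag is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
# the attribute that "Subject Name > Supply in the request" sets in the template.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1

# Extended-right GUID for Certificate-Enrollment, i.e. "Enroll" on the Security tab.
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$tplBase  = "CN=Certificate Templates,$pkiBase"
$caBase   = "CN=Enrollment Services,$pkiBase"

# Map template name -> CAs that list it under "Certificate Templates to Issue".
$publishedOn = @{}
Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
             -Properties certificateTemplates |
  ForEach-Object {
    $ca = $_.Name
    foreach ($t in $_.certificateTemplates) {
      if (-not $publishedOn.ContainsKey($t)) { $publishedOn[$t] = @() }
      $publishedOn[$t] += $ca
    }
  }

foreach ($name in $TemplateNames) {
  $tpl = Get-ADObject -SearchBase $tplBase `
           -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$name))" `
           -Properties 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor

  if (-not $tpl) {
    # Template object not found at all: step 5 was skipped or the name is wrong.
    [PSCustomObject]@{ Template = $name; Exists = $false }
    continue
  }

  # LDAP matching is case-insensitive, but the cloud proxy needs the exact casing.
  $exactCasing = $tpl.Name -ceq $name

  $nameFlag        = [int]$tpl.'msPKI-Certificate-Name-Flag'
  $supplyInRequest = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0

  # Principals explicitly granted the Enroll right (GenericAll grants are not listed).
  $enrollers = $tpl.nTSecurityDescriptor.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $EnrollRightGuid } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique

  $cas = if ($publishedOn.ContainsKey($tpl.Name)) { $publishedOn[$tpl.Name] } else { @() }

  [PSCustomObject]@{
    Template        = $tpl.Name
    Exists          = $true
    ExactCasing     = $exactCasing
    SupplyInRequest = $supplyInRequest
    EnrollGrantedTo = ($enrollers -join ', ')
    PublishedOnCA   = ($cas -join ', ')
  }
}
```

Run it after step 12 on the CA server or any host with RSAT; a template that shows ExactCasing = False, SupplyInRequest = False, an empty EnrollGrantedTo, or an empty PublishedOnCA corresponds to a missed step 5, 6, 7/8, or 10/11 respectively.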
For additional information not covered in this guide or for troubleshooting assistance, please review the Centrify Online Help or Customer Support Portal.