This is a third part of the Certificate Autoenrollment in Windows Server 2016 whitepaper. Other parts:

• Certificate Autoenrollment in Windows Server 2016 (part 1)
• Certificate Autoenrollment in Windows Server 2016 (part 2)

Configuring Autoenrollment

Autoenrollment configuration in general consist of three steps: configure autoenrollment policy, prepare certificate templates and prepare certificate issuers. Each configuration step is described in next sections.

Configuring autoenrollment policy

The recommended way to configure autoenrollment policy is to use Group Policy feature. Group policy feature is available in both, domain and workgroups environments. This section provides information about autoenrollment configuration using Group Policy editor. It is recommended to turn on autoenrollment policy in both, user and computer configuration.

1. Start Group Policy editor. In Active Directory environment, use Group Policy Management Console (gpmc.msc). In workgroup environment, use Local Group Policy Editor (gpedit.msc);
2. Expand Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Infrastructure;
3. Double-click on Certificate Services Client – Auto-enrollment;
4. Set Configuration Model to Enabled;
5. Configure the policy as shown below and save settings:

   

6. Repeat steps 2-5 for User Configuration node.

Configuration options on the dialog shown above have the following meaning:

• Configuration model

Configuration model selects the state of autoenrollment policy. When the value is set to Disabled, autoenrollment will be effectively disabled. This means that autoenrollment will not be triggered automatically and will have no effect when triggered manually. If the value is set to Enabled, autoenrollment will be triggered automatically based on internal timers. If the value is set to Not Defined, the autoenrollment status is determined by local registry information located at the following path:

Key: SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment
Value: AEPolicy
Type: DWORD

• Renew expired certificates, update pending certificates, and remove revoked certificates

When checked, autoenrollment will renew certificates when the certificate's templates are not set up for autoenrollment. Such templates are which require multiple signatures (require Enrollment Agent, for example) or which accept certificate subject information from request. In addition, this setting will retrieve pending requests which were placed in pending state for CA manager approval.

When unchecked, neither of these tasks will be performed during autoenrollment activation.

• Update certificates that use certificate templates

When checked, autoenrollment will enroll and renew certificates based on certificate templates that have been set up for autoenrollment. When unchecked, neither of these tasks will be performed during autoenrollment activation.

Configuring certificate templates

This section covers how to configure certificate templates and provides a step-by-step example of how to create a new template for the autoenrollment of a smart card. Certificate template permissions are also explained.

Default settings

The following are default settings:

• Both domain administrators from the root domain, and enterprise administrators for fresh installations of Windows Server 2003 (and newer) domains may configure templates.
• Certificate template ACLs are viewed in the Certificate Templates MMC snap-in.
• Certificate templates can be cloned or edited using the Certificate Templates MMC snap-in.

Creating a new template for the autoenrollment of a smart card

In this exercise we will create certificate template that will be intended for client authentication and secure email (SMIME). As the additional requirement, the certificate will be stored on a smart card. To create a new template for autoenrollment of a smart card:

1. Log on to a computer where ADCS Remote Server Administration Tools (RSAT) are installed with Enterprise Admins permissions;
2. Press Win+R key combination on the keyboard.
3. In the Run dialog box, type certtmpl.msc, and then click Ok.
   The Certificate Templates MMC snap-in may also be invoked using the Certification Authority MMC snap-in by selecting the Certificate Templates folder, right-clicking, and then selecting Manage.
4. In the console tree, click Certificate Templates.
5. In the details pane, right-click the Smartcard User template, and then click Duplicate Template (Figure 14).

   

6. The Compatibility tab of the new template properties dialog box appears. Configure compatibility settings to minimum OS version that will consume this template and minimum OS version of CA server that will issue certificates based on this template.
7. Switch to General tab.
   In the Template display name field, type a unique name for the template, for example Smartcard User V2 (Figure 15). Specify desired certificate validity and enable checkboxes: “Publish certificate in Active Directory” and “Do not automatically reenroll if a duplicate certificate exists in Active Directory”.

   

   The “Publish certificate in Active Directory” checkbox should be enabled only when certificate is consumed by users and intended for Secure Email and Encrypting File System. In all other cases, this checkbox must be cleared.

   If the “Do not automatically reenroll if a duplicate certificate exists in Active Directory” checkbox is enabled, autoenrollment will not enroll a user for the certificate template, even if a certificate does not exist in the user’s Personal store. Active Directory is queried and determines if the user should be enrolled. This is an extremely valuable feature for users who do not have roaming profiles or when Credential Roaming feature is not enabled and log on to multiple machines. Without this setting and without roaming profiles, the user will automatically be enrolled on every machine that is logged on to (including servers).

8. Click the Request Handling tab (Figure 16). This tab is used to define how the certificate request should be processed. Use default settings in this tab and enable “For automatic renewal of smart card certificates, use the existing key if a new key cannot be created” checkbox.
   Since the certificate is supposed to be stored on a smart card, the “Require user input” radiobutton must be selected. If the certificate template is not going to be used for smart cards or if it is not desired for the user to be prompted to enroll for certificates, this option is not required. Machine certificates should not have this enabled or machine autoenrollment will fail.
   Note that “Delete revoked or expired certificate” checkbox is grayed out. This is because the purpose of the certificate contains encryption (Secure Email). In order to retain access to older mails which were encrypted with expired certificate, the certificate must not be removed.

   

9. Switch to Cryptography tab (Figure 17).

   

10. In this tab, you configure provider category (Legacy CSP or Key Storage Provider). Default is Legacy CSP. If your smart card provider supports key storage provider (KSP), you should use KSP instead. Specify the algorithm name, key length supported by smart card provider and provider name. It is recommended to explicitly specify provider.

    It is a common misconception when it is assumed that Request hash setting specifies the signature used to sign the certificate. Request hash specifies the hash used to sign the request only. Actual certificate’s signature algorithm is selected by CA server.

    Important: If more than one smart card CSP is made available on this tab, the user may be prompted for every CSP that is selected when enrolling for this template. The behavior may vary depending on the CSPs available on the client machine. If the user has only one smart card, the prompts for the unavailable CSPs will have to be cancelled. This behavior is by design. It is also important to select a minimum key size that is supported by the selected CSP; otherwise, enrollment will fail.

11. Switch to Subject Name tab. This tab is used to define how the subject name and certificate properties will be built. It is recommended to use the default selections when enrolling for a smart card template.

    Starting with Windows 8 and Windows Server 2012, it is possible to supply subject along with request and use subject information in existing certificate for automatic renewal.

12. Switch to Security tab. This tab is used to define which users or groups may enroll or autoenroll for a certificate template. A user or group must have the Read, Enroll, and Autoenroll permissions to automatically be enrolled for a certificate template. For more details about certificate template permissions, refer to next section.
13. Click OK when finished.

The XP Autoenrollment tab is hidden by default in Certificate Templates MMC snap-in and is obsolete as it may not reflect the correct template’s autoenrollment status for templates created with Windows 8 and Windows Server 2012 setting. However, if necessary, this tab can be added by enabling in View menu.

Certificate template permissions

For a user or computer to enroll for a certificate template, it must have appropriate permissions (ACEs) set on the template in Active Directory. The following list describes certificate template permissions:

• Read permission allows the template to be discovered by the user;
• Write permission allows a user to modify the contents of a certificate template. Note that only version 2 certificates with a Windows Server 2003 (or newer) schema may be modified. Version 1 certificate templates only allow ACLs to be modified;
• Enroll permission is enforced by the Enterprise CA when a user requests a certificate for a selected template. The Enterprise CA must also have Read permissions on a template to enumerate the template in the directory and issue certificates based on that template. Normally, the Enterprise CA is included in the Authenticated Users group, which has Read permissions by default on a template;
• Autoenroll permission is set on a template when it is desired for a user or computer to automatically enroll for a selected certificate template. The Autoenroll permission is needed in addition to the Enroll permission for a user to enroll for a given certificate template. Only version 2 templates or newly created templates may have the Autoenroll ACE set;
• Full Control permission is given to enterprise administrators and the primary domain administrators group by default. The Full Control permission allows a user to set or modify the permissions on a selected template.

Note that computer certificate enrollment using certreq.exe tool requires -adminforcemachine switch to authenticate requester as computer. Otherwise, a current user account is used to authenticate on CA server during enrollment.

A user or computer must have both Read and Enroll permissions to enroll for a selected certificate template. Use security groups when granting permissions whenever possible. Avoid permission assignment to individual accounts. Use global or universal security groups when configuring permissions on certificate templates.

Configuring an Enterprise CA

When certificate template is prepared for autoenrollment, it must be added to Enterprise CA server for issuance. This section will describe how to add certificate template to CA for issuance by using Certification Authority MMC snap-in, certutil.exe command-line tool and Windows PowerShell.

Standalone CA does not support certificate templates

Configuring CA using MMC

The most convenient way to add certificate template to CA is to use Certification Authority MMC snap in:

1. Log on to CA server or computer with Remote Server Administration Tools installed with CA Administrator permissions;
2. Press Win+R key combination on the keyboard;
3. In the Run… dialog, type “certsrv.msc”;
4. If necessary, click on root node, then press Action menu and select Retarget Certification Authority to connect to desired CA server;
5. When connected, expand CA node and select Certificate Templates folder. You will see certificate templates supported for issuance by this CA:

   

6. In Action menu, select New and Certificate Template to Issue menu. In the opened dialog, select target template and press Ok to finish. Ensure that certificate template is listed in Certification Authority MMC console.

Configuring CA using certutil.exe

Built-in certutil.exe tool can be used to manage certificate templates on CA server locally or remotely:

1. Log on to CA server or computer with Remote Server Administration Tools installed with CA Administrator permissions;
2. Open elevated Command Prompt;
3. If you are logged on CA server, type:

   certutil -SetCaTemplates +<TemplateCommonName>

   Replace <TemplateCommonName> with actual template’s common name. In a given example, it is SmartcardUserV2.

   

4. In order to add template to remote CA, specify remote CA location:

   certutil -config <CaServerHostName>\<CaName> -SetCaTemplates +<TemplateCommonName>

   where <CaServerHostName> is DNS name of CA server and <caname> is name of CA certificate. For example, “ca01.company.com\Contoso Issuing CA”.

Configuring CA using Windows PowerShell

Starting with Windows 8 and Windows Server 2012, it is possible to use Windows PowerShell to manage certificate templates on CA server:

1. Log on to CA server with CA Administrator permissions;
2. Open elevated Windows PowerShell console;
3. Run the following commands:

   Import-Module ADCSAdministration
   Add-CATemplate -Name <TemplateCommonName>

   Replace <TemplateCommonName> with actual template’s common name. In a given example, it is SmartcardUserV2.
4. Confirm operation if prompted.

Unlike certutil.exe tool, PowerShell cmdlet does not support remote CA management and must be executed on CA server in interactive session (i.e. locally or by using PowerShell Remoting capabilities).

User Autoenrollment

This section illustrates manually pulsing autoenrollment and smart card enrollment. User autoenrollment for a smart card requires mandatory manual steps and user interaction, unlike other certificate types. Once autoenrollment has been enabled, the user will receive an informational balloon on the taskbar at the next autoenrollment trigger interval (default of eight hours) or at the next logon.

Manually pulsing autoenrollment

Autoenrollment may be pulsed manually through the Certificates MMC snap-in. Before you start, ensure that smart card is inserted in the reader and connected to computer. To manually trigger autoenrollment:

1. Log on to the computer with the appropriate user account.
2. If Balloon User Interface appears in a system tray, double-click on a certificate image and proceed with next section. Otherwise, follow next steps to trigger autoenrollment feature;
3. Press Win+R key combination on the keyboard;
4. Type “certmgr.msc”, and press ENTER;
5. Right-click the top of the tree on Certificate\Current User, select All Tasks on the context menu, and then select Automatically Enroll and Retrieve Certificates (Figure 20).

   

It will take approximately one minute for the Certificate Enrollment balloon to be displayed, unless the registry key mentioned previously has been set. (see Balloon User Interface section.)

Smart card enrollment

1. On the Before You Begin page, click Next;
2. On the Request Certificates page, you will see the newly created template (Figure 21) and press Enroll button

   

3. When prompted (Figure 22), enter PIN to access the smart card and generate the key pair.

   

4. Follow smartcard specific dialogs (if any) provided by a smart card middleware to complete certificate enrollment.
5. Ensure that certification installation succeeded and press Finish button to finish the process.

   

The success or failure of the autoenrollment process will be logged in the Application event log on the local computer. Also, a summary dialog box will appear for failed certificate requests that involved user interaction. If a failure occurs during enrollment, the user will be notified of the failure. For example, Figure 24 shows autoenrollment failure for Secure Email certificate when E-mail Active Directory attribute of the user account is empty: