Advice on whether or not this cross-forest, one-way-trust, auto enroll/renew PKI setup is possible

  • Question

  • Hi,

    I run the AD, Group Policy, and a Server 2016 CA at a university department. Another department in a second forest (dept2) wants us to take over their workstations and install SCCM on them. I need each workstation to have a PKI certificate for Native Mode.

    Dept2's forest is run by central campus and they don't have an enterprise CA set up. They have allowed their AD to have a one way trust to us, where my department is trusting their users (i.e. we are the resource trusting resource forest). However, they do not trust us in return (central campus does not do long term trusts where they are the trusting party).

    We have a great system in place for our own domain, where new computers on the domain automatically auto-enroll via GPOs and auto renew. No user/admin interaction is required for machines to get certificates. I'd like to have the same thing work for dept2.

    Based on what I'm describing, is this even possible? I found this document on server 2012, and we do already have kerberos CEP/CES, but I can't find any more resource documentation from Microsoft for 2016. That document also describes a test environment in which I have access to the other forest's domain controllers, which I am not authorized to do for dept2. I do, however, have access to dept2's managed OU, and can make as many GPOs for enrollment/renewal as I want.

    If it's not possible, what is the least-interactive way these dept2 machines can get a certificate from my CA? Web enrollment?

    Friday, September 20, 2019 3:40 PM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    From the article AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2, we can see:

    We can only enroll certificates manually, but they can auto-renew via GPO.

    Tip: Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services is the article we mentioned in the post (it applies to 2016).

    If we want to achieve auto enroll/renew PKI, we need to create:

    Two-way forest trusts between a resource forest and account forests.

    Similar case:
    Cross Forest Certificate - External trust

    Tip: It is recommended to test our requirements in a test environment first and, if there are no problems, then operate in a production environment.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 23, 2019 10:08 AM
    Moderator
  • Thanks Daisy. That's what I figured; without a two way forest trust, automating via the built in group policy objects won't be possible. I assume the auto-renew you describe is the key-based one that is described here?

    Can you link to any documents or videos describing that initial, manual certificate enrollment for the 2nd forest's workstations? I'd like to get an idea of how manual and involved the process is; so far, in my testing, I made one test certificate on my CA for a single machine in forest2, using these steps. It took about 5 minutes to do, and then my techs needed to manually copy it over to the test machine, and install it. We'd ideally like something less hands-on than this.

    Can certificate services web enrollment work for machine certificates? Right now the self-service portal that my predecessor created only offers user certificates.

    Monday, September 23, 2019 4:12 PM
  • Hi,
    About automatic certificate key-based renewal, we can refer to the article (the same document as you mentioned in the original post).

    Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services
    https://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx

    I think it also applies to 2016.
    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 24, 2019 8:08 AM
    Moderator
  • Can certificate services web enrollment work for machine certificates? Right now the self-service portal that my predecessor created only offers user certificates.

    Kind of... The requesting user must be a member of the local Administrators group on the target system and must manually provide the subject/SAN names for the certificate. A custom certificate template based on "Workstation Authentication" would be required and must use a CSP to be available through the /certsrv portal.

    Brian

    Tuesday, September 24, 2019 4:12 PM
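What the "manual, but scriptable" machine enrollment that Daisy and Brian describe can look like in practice, as an added example that is not from this thread, from Microsoft, or from either poster. It generates the key pair in the workstation's machine key store, writes the subject and SAN that Brian says must be supplied by hand, submits the request to the department CA, and installs the issued certificate. It assumes a custom template named DEPT2-Workstation (placeholder) that has "Supply in request" for the subject name and is published on a CA whose config string is ca.dept1.example\Dept1-CA (placeholder), and that it runs elevated, because a machine-store request needs local Administrators rights:

```powershell
# Added example (not from the thread). Placeholders to replace with your own values:
#   DEPT2-Workstation            -> name of the custom template based on "Workstation Authentication"
#   ca.dept1.example\Dept1-CA     -> config string of the issuing CA in the trusting forest
# Must run in an elevated session on the dept2 workstation (MachineKeySet needs admin rights).

$Template = 'DEPT2-Workstation'
$CaConfig = 'ca.dept1.example\Dept1-CA'

# Subject and SAN are the machine's own FQDN; this is the part web enrollment makes you type by hand.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()

$Work = Join-Path $env:ProgramData 'Dept2Enroll'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$InfPath = Join-Path $Work "$Fqdn.inf"
$ReqPath = Join-Path $Work "$Fqdn.req"
$CerPath = Join-Path $Work "$Fqdn.cer"

# certreq request definition. Single-quoted here-string so "$Windows NT$" is not expanded.
$Inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__FQDN__"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE            ; key lives in the LocalMachine store, not the user's
Exportable = FALSE              ; private key cannot be copied off the box
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10
KeyUsage = 0xa0                 ; digitalSignature + keyEncipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2         ; Client Authentication

[Extensions]
2.5.29.17 = "{text}dns=__FQDN__"   ; Subject Alternative Name

[RequestAttributes]
CertificateTemplate = __TEMPLATE__
'@ -replace '__FQDN__', $Fqdn -replace '__TEMPLATE__', $Template

Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request on the workstation.
& certreq.exe -new -q $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 2. Submit to the CA. The submitting account must be one the CA's forest trusts
#    (a dept2 user works here because dept1 trusts dept2; the dept2 machine account does not).
& certreq.exe -submit -q -config $CaConfig $ReqPath $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE); is the template set to issue automatically?" }

# 3. Bind the issued certificate to the private key in the machine store.
& certreq.exe -accept -q -machine $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Verify: the certificate is in LocalMachine\My with a usable private key.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No machine certificate for $Fqdn with a private key was installed" }
"Installed {0} thumbprint {1}, valid until {2}" -f $Cert.Subject, $Cert.Thumbprint, $Cert.NotAfter
```

Because the subject and SAN are derived from the machine's own name rather than typed into /certsrv, the remaining hands-on step is only running the script once per workstation (for example from a startup script or a deployment task). The same remote-admin requirement Brian mentions still applies, and the template's "Supply in request" setting means the CA trusts whatever name is submitted, so issuance should be restricted to the accounts that run this and audited on the CA.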
  • Hi,
    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?
    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, September 26, 2019 2:45 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.

    Thanks for your time and have a nice day!
    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 30, 2019 10:04 AM
    Moderator