Forcing certificates to users that haven't logged directly into AD?

  • Question

  • So we've got our CA setup, an offline root CA and online Sub CA, and everything is set up to autoenroll user certificates to users in the domain.

    In testing, it appears as though to actually get a user cert issued, I had to RDP into one of the servers in AD, and only then was the certificate issued (although it did in fact get issued automatically as desired).

    My question is this, most folks don't log into the domain directly "yet", other than folks that use DFS for file sharing - most of the users have Linux and/or Macs, and they are non-domain joined for the moment.  But all users will be logging into OWA or Exchange (2016 hosted on premises) via mail client.  

    Is there some way to autoenroll user certs without having them RDP into a domain joined machine? Or is this how it's supposed to work by design?  

    I can't seem to find an official document telling me exactly when and what action needs to happen before a user is autoenrolled a certificate. Obviously it would be great if I could force-autoenroll a certificate for every user without them having to do anything, or if just logging into their Exchange account would be sufficient to issue the cert (using AD credentials obviously), but I'm not sure this is possible.


    • Edited by zfrawg Wednesday, June 28, 2017 3:18 AM
    Wednesday, June 28, 2017 3:16 AM

All replies

  • As far as I know you need to login to a system. I assume that you used Certificate Enrolment using Group Policy? (e.g. https://technet.microsoft.com/en-us/library/cc731522(v=ws.11).aspx)

    It will require a login that processes GPO (e.g. logging on to a system) in order to issue the certificate. 

    There may be a way to script it? Perhaps using certreq? (https://technet.microsoft.com/en-gb/library/dn296456.aspx)



    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"

    Georg Thomas | CISSP, CISM, CEH, GIAC, MCSE (Security), MVP Twitter @georgathomas This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, June 28, 2017 3:43 AM
  • Thanks for the info, yes it's being pushed via GPO.

    I'll look into scripting.

    Thursday, June 29, 2017 3:49 PM
  • You generally need the user to log in for this to work. The user/computer has to create the cryptographic key that is used in the certificate. If they aren't logging into the network, that generation isn't going to occur. Why do you need certificates generated if your users aren't logging in? They won't be able to use the key/certificate until they do. So why do you need it generated before they can even use it? Once they begin logging in, the key will be generated and the certificate enrolled.


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    Thursday, June 29, 2017 4:29 PM
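The two replies above make one combined point: Georg suggests scripting the request with certreq, and Mark explains why the user still has to be present, because the private key is generated in that user's own context. The script below is an added example written for this thread, not code from any of the posters or from Microsoft documentation. It assumes a user template named `User` is published on the enterprise CA, that the account running it has Enroll permission on that template, and that the CA config string `CA-HOST.example.com\Example Sub CA` is a placeholder to be replaced. It must run in the interactive session of the user who should receive the certificate, on a domain-joined Windows host.

```powershell
# Added example (not from the thread): enroll a user certificate from an
# enterprise CA in the requesting user's own session. The private key is
# created in that user's profile, which is why this cannot be done "for"
# a user who has never logged on to a domain-joined Windows machine.

$Template = 'User'                                    # assumption: published template name
$CaConfig = 'CA-HOST.example.com\Example Sub CA'      # placeholder CA config string (Host\CA name)

# Option 1: the PKI module cmdlet (Windows 8 / Server 2012 and later).
# Runs as the current user and places the issued cert in the user's personal store.
$result = Get-Certificate -Template $Template -CertStoreLocation 'Cert:\CurrentUser\My'
if ($result.Status -ne 'Issued') {
    Write-Warning "Enrollment status: $($result.Status)"   # e.g. Pending when the template requires manager approval
}
$result.Certificate | Format-List Subject, Issuer, NotAfter, Thumbprint

# Option 2: certreq, for hosts without the PKI module. Write an INF describing the
# key, create the request, submit it to the CA, then install the issued certificate.
# The CA normally builds the subject from AD for the User template, so the Subject
# line here is only a fallback.
$inf = @"
[NewRequest]
Subject = "CN=$env:USERNAME"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = FALSE
Exportable = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@
$base = Join-Path $env:TEMP 'userenroll'
Set-Content -Path "$base.inf" -Value $inf -Encoding ASCII
certreq -new    "$base.inf" "$base.req"                 # generates the key pair in the user's key store
certreq -submit -config $CaConfig "$base.req" "$base.cer"
certreq -accept "$base.cer"                             # binds the issued cert to that private key

# Check: the certificate is in the user's store and is paired with a private key.
Get-ChildItem 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -like "CN=$env:USERNAME*" } |
    Select-Object Subject, HasPrivateKey, NotAfter
```

Either path only removes the dependency on Group Policy autoenrollment timing; it does not remove the dependency on the user's logon session. For the non-domain-joined Mac and Linux users in the question, a key generated this way on a Windows host would sit in a profile they never use, so the practical check before scripting anything is whether the device the user actually works from will hold the key.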
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, please feel free to ask.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, July 7, 2017 5:19 AM
    Moderator