Active Directory Certificate Setup (10.7/10.8 Managed Clients)

mclinde
New Contributor

We've been migrating to a Radius-based network authentication, with device certificates as the authenticating method. iOS and Android we managed through our MDM solution with SCEP/NDES, Windows devices (bound to the domain) get certificates via Group Policy, and we were looking at Casper and OSX Configuration Profiles for our Mac systems. After a long session of trial, error and debugging, I wanted to share the lessons learned, in case any of you run up against this setup.

Prerequisite steps to issue an AD Certificate
On the JSS, navigate to the Configuration Profiles for OS X 10.7 or later
The AD certificate profile can be added to an existing profile, or configured independently, but I like to keep this stuff separate during deployment, to ensure I don't break other policies while extending our management service.
These steps assume you have configured an Active Directory Certificate Server, and your Mac clients are bound to the Active Directory domain that the Cert Server exists in. Use the AD Certificate profile option to configure this. The instructions in the manual are good, but some details that aren't included, and that can leave you stumped, are outlined below.

  • The Certificate Server address is just the FQDN of the certificate server (server.corp.root)
  • The Certificate authority is the CA name (CN=<your CA name>,CN=Certification Authorities, CN=Public Key Services, CN=Services,CN=Configuration, <your base DN>)
  • The Certificate Template must be the actual template name (not the display name), which cannot contain spaces in the name. Dashes are OK, but there is an issue either with Casper or Apple having spaces in the template name. This is really important if you are creating custom templates, or want to re-use the templates made for 10.6.x certificate deployment.
  • I am unsure whether the username and password to authenticate to the CA server are required; I did not remove them to test, but used an account that has access to view the CertSrv pages (server.corp.root/certsrv/)

All of that setup is pretty straightforward, with only a couple of details that seemed less than crystal clear to me. The back end was where our challenges existed.

On the CA, the template must be configured to allow the group containing all domain computers (domain\domain.computers) to enroll for certificates (this is a 2008 AD Certificate Server). This was the gotcha on our end - the account that authenticates to the server is not the account that requests the certificate - when using the AD Certificate Request Profile, the machine itself directly requests the certificate. It took reviewing the exact failed certificate requests closely to realize that the requesting account (to enroll the device in the CA) was the computer itself. If you don't set up domain.computers to request certificates from this template, the request will fail, because the computer does not have rights to request a certificate by default.

The Apple CA request article is a good reference as well: http://support.apple.com/kb/HT5357
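Added example (not from the original post or from Jamf/Apple): a PowerShell check, run on a domain-joined admin host with the ActiveDirectory RSAT module, for the two back-end gotchas described above. It reads the template object from the Configuration partition, prints its cn (the value the profile needs) next to its display name, flags whitespace in the cn, and checks whether Domain Computers holds the Enroll extended right on the template. The template name is a placeholder.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory module and
# that the session runs as an account that can read the Configuration partition.
Import-Module ActiveDirectory

$TemplateName = 'Mac-Device-Auth'    # placeholder: the template's cn, not its display name
$Group        = 'Domain Computers'   # group that must be able to enroll (machine requests)

# Certificate templates live under the Public Key Services container of the Configuration NC
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -Identity $dn -Properties name, displayName
Write-Host "Template cn (use this in the profile):  $($tpl.Name)"
Write-Host "Template display name (do not use):     $($tpl.DisplayName)"
if ($tpl.Name -match '\s') {
    Write-Warning "Template cn contains whitespace; the post reports such names fail from 10.7/10.8 profiles"
}

# Certificate-Enrollment is an extended right identified by this well-known GUID;
# an ACE with an empty ObjectType grants all extended rights, so it counts too.
$enrollGuid    = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'
$domainNetbios = (Get-ADDomain).NetBIOSName
$acl = Get-Acl -Path "AD:\$dn"

$hasEnroll = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq "$domainNetbios\$Group" -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)
}

if ($hasEnroll) {
    Write-Host "OK: $Group holds Enroll on $TemplateName"
} else {
    Write-Warning "$Group lacks Enroll on $TemplateName; requests made by the Mac's computer account will be denied"
}
```

Inherited or GenericAll ACEs also satisfy the check because GenericAll includes the ExtendedRight bit; a deny ACE elsewhere in the ACL would still block enrollment and is not evaluated here.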


Kumarasinghe
Valued Contributor

If you are going to use this AD Certificate with OS X 802.1x system configuration:
You might need to create a separate AD Certificate template for your Mac machines as you need to use "User principal name (UPN)" in the "Subject Name" field and untick all others for alternate subject name fields.
(Windows AD Machine Certificate Template normally uses the "DNS name" in the "Subject Name" field)