AD CS Connector Experience, Tips, and Lessons Learned

KMerendaTFMC
New Contributor III

The AD CS connector was released a few weeks ago, and I found setting it up to by quite tricky - at least it was for my environment. I want to share my experience in hope it will help others.

AD CS Connector requires Windows Server 2016.
The PowerShell script that performs the installation uses functions that don't exist in earlier editions of the server OS, so don't try to hack the script to make it work on older OS's.

AD CS When you're behind an F5 or similar
My company uses an F5 BIG-IP load balancer to publish internal servers like the AD CS connector to the internet. As standard practice, the public DNS name for the AD CS connector points to the F5, and the F5 NAT's the traffic on to the AD CS connector. The F5 is configured with a wildcard certificate (*.yourdomain.com) from a trusted certificate authority, allowing all sites behind the F5 to be encrypted by this one certificate (and allowing the F5 to inspect all traffic). The AD CS connector uses client certificate to authenticate the Jamf Pro cloud server (meaning, the Jamf Pro cloud server has to present its own identity certificate before it is allowed to access the AD CS connector). If you allow the F5 to play man-in-the-middle, it will block the AD CS Connector from successfully negotiating the connection with the Jamf Pro cloud server. (IIS logs on AD CS connector will display 403 error, unauthorized). To resolve, you need to have the F5 allow traffic from Jamf Pro cloud server to directly hit the AD CS connector, and allow the AD CS connector to present its own HTTPS certificate (self-signed one generated during install) rather than presenting the F5 wildcard certificate.

Permissions
The AD CS connector makes requests to your certificate issuing server using the system account of the AD CS connector host server, rather than using a service account. I'm sure there is a way to make this work, but I could not get it. I had to create a domain service account and change the identity of the ADCSProxy application pool on the AD Cs Connector so that it used that service account. I also added the service account to the IIS users group on the AD CS Connector host server. After making those changes, restarted the site and app pool.

Template Permissions
After setting up the service account, I gave it "Read" and "Enroll" permissions on the AD CS Template. I had tried giving these same permissions to the system account for the AD CS Connector host server, but it didn't work. Using a service account worked.

Certificate Format
If you're using EAP-TLS authentication, you must have the user's UserPrincipalName (UPN) in the subject or SAN property of the certificate. The Jamf certificate payload does not give you the option to specify UPN in the SAN property, so you need to set it in the certificate subject. Subject example: CN=user@domain.com

Bug?
Here is where I hit what I believe to be a bug. I added a device extension attribute to be the LDAP property userPrincipalName. The device inventory would properly display the extension attribute as user@domain.com, but when I used $EXTENSIONATTRIBUTE_# variable in the certificate subject (CN=$EXTENSIONATTRIBUTE_#) I found that Jamf would convert "@" to be "@" so that a UPN of "me@domain.com" becomes "me@domain.com" in the certificate subject. Since "me@domain.com" is not a valid UPN, the RADIUS server could not locate the user and thus did not allow the wi-fi connection. I had to work around this bug (which has been reported to Jamf) by hard-coding the certificate payload to use a service account UPN as the subject (CN=serviceaccount@domain.com). This will cause every certificate to have the same subject, which is not ideal, but at least it works.

Hope this helps someone.

39 REPLIES 39

KyleEricson
Valued Contributor II

I made a guide on how to set this up located Here

Read My Blog: https://www.ericsontech.com

KMerendaTFMC
New Contributor III

Update on the bug:
It turns out, the "@" is only transposed to text when it is used as the value of an extension attribute. I was able to map UserPrincipalName to the $ROOM variable using LDAP user mapping, and then it passed the @ correctly.

KMerendaTFMC
New Contributor III

Update #2 on the bug:
Jamf team confirmed it is a bug and has documented for the product team as PI-006195.

jimderlatka
Contributor

you posted omain service account and change the identity of the ADCSProxy application pool on the AD Cs Connector so that it used that service account.

where did you change to user the service account... I cant seem to find where to change it

KMerendaTFMC
New Contributor III

@jimderlatka 1. Open IIS Manager
2. Expand the Connections column to review Applicaton Pools
3. Right-click AdcsProxyPool and select Advanced Settings
4. In the Process Model group, change Identity to be your service account
5. Save and close IIS manager
6. Open Computer Management
7. Navigate to Local Users and Groups Groups
8. Open "IIS_USRS" group
9. Add your service account as a member
10. Save and close
11. Restart site and app pool.

prbsparx
Contributor II

@KMerendaTFMC do you know how much storage space the AD CS Connector takes total?

KMerendaTFMC
New Contributor III

@prbsparx My entire host server C: drive is consuming 24 GB. including OS, IIS, and ADCS. The website for ADCS is 24 MB

prbsparx
Contributor II

awesome, thanks!

prbsparx
Contributor II

The jamfProDn isn't very clear on what hostname this should be... Does this need to be:
1. the client-facing hostname?
2. the master server's actual hostname (the one the IP resolves to)?
3. The child's actual hostname (the one the IP resolves to)?

maiksanftenberg
Contributor II

We have now run through the first couple of tests with ADCS.

One thing that is missing in ADCS is that you are not able to revoke any certificates at all (manually via JSS or automatically once the profile get remove or so). Also we had struggle with CRL (Certificate Revocation List) as our Access Controllers do check for such.

Something that might need to considered in any future development for ADCS.

KMerendaTFMC
New Contributor III

@prbsparx I'm using a hosted instance of Jamf, so my JamfProDN was company.jamfcloud.com. I assume it should be the name of the JSS that is resolvable by the ADCS proxy.

JPWheatley
New Contributor II

Hello

looking at imlimenting the ADCS connector. But the big concern is allowing 443 inbound with out using a reverse proxy. How did you convince your secuirty department to allow this?

Also whats the alternitive to using the ADCS if it doesn't work with a reverse proxy. Will SCEP work with a reverse proxy? I'm aware Jamf acts as a scep proxy, but that would still require 443 to the internal CA. So could the 443 connection from Jamf to the CA go through a reverse proxy?

Or am i going about this all wrong?

KMerendaTFMC
New Contributor III

@JPWheatley I'm using it behind an F5 BIG-IP as a reverse proxy. You'll need to make sure the F5 does not try to inspect the SSL traffic by presenting its own certificate instead of the one created during the AD CS connector install.

Essentially, if you visit https://your.adcsconnector.com/adcsproxy from a laptop on an external network, you should get an invalid certificate warning from your web browser. If you tell it to trust that certificate then reload the page, the website should ask you to provide your identity certificate. If that is happening, everything is working properly.

If, however, you go to https://your.adcsconnector.com/adcsproxy and get HTTP 403 error, its likely that the reverse proxy intercepted the traffic and presented its own SSL certificate rather than the one used on the AD CS connector. This interferes with the auth process and will make it impossible for Jamf to authenticate to your connector.

prbsparx
Contributor II

@KMerendaTFMC @JPWheatley My company requires SSL inspection and we figure out how to do it... I'm gonna post as much as I can in the near future about how to do this. We're using F5 as well.

jameson
Contributor II

For us we seems to get the error - no clue what that means. Have made a service account for both IIS pool and on CA template

Caused by: com.jamfsoftware.pki.adcs.exception.AdcsConnectorCertificateNotIssuedException: CR_DISP_DENIED: Request denied

I can get a certicate request if going to https://ouradcs and accepting the trust of certificate and I am presented a certificate. So seems to work outside jamf

jameson
Contributor II

@KMerendaTFMC I have got the ADCS working for Computer certificates. Now when I use the exact same template and in the configuration payload in the subject field write CN=$USERNAME@domain.com it does only add an certificate named "@domain.com" - so it does not include username. Can you give any input why this happen?

prbsparx
Contributor II

@jameson look at "certificate requests" in the AD CS, it'll tell you the reason for why the request failed. Most likely the server or user account isn't allowed to request that template or you passed an invalid value.

jameson
Contributor II

Is there any difference in setup when using Local account, as we don´t use any ldap - so we want local account users to get the certificate

Anyone tried this ?

patgmac
Contributor III

@jameson Account type does not matter. These are device certs.

jameson
Contributor II

Ok I see. Is SAN supported or only Subject ?

patgmac
Contributor III

hdsreid
Contributor III

anyone ever try this with a Microsoft app proxy?

how are you getting a dmz server to communicate with an internal domain CA? I can't get this or scep working with my cloud configuration, very frustrating right now

ooshnoo
Valued Contributor

@prbsparx

Where is the "certificate requests" that you mentioned above so we can see why its failing?

MacKobus
New Contributor II

Glad to hear I'm not the only one with issues. I'm getting an "Unable to retrieve ADCS certificate for profile payload". If I try to manually download and install the profile it gives a "Could not open profile." error. Any ideas?

I'm wondering if there are any log files I can check to see if things are working throughout the different steps in the process to try to zero in on where things are getting hung up?

nicole_qu
New Contributor II

@KMerendaTFMC We are getting http 403 error when access the https://jamfconnector/adcsproxy, how to fix it?

bmcintire2
New Contributor II

@KMerendaTFMC

@jimderlatka 1. Open IIS Manager 2. Expand the Connections column to review Applicaton Pools 3. Right-click AdcsProxyPool and select Advanced Settings 4. In the Process Model group, change Identity to be your service account 5. Save and close IIS manager 6. Open Computer Management 7. Navigate to Local Users and Groups Groups 8. Open "IIS_USRS" group 9. Add your service account as a member 10. Save and close 11. Restart site and app pool.

I think this is where we are stuck. We can't get the box to issue so we are using a service account. When we make this change, though, in the logs it still shows as AdcsProxyAccessUser trying to do the work. It shows in the identity as /domain/user and confirmed pw when setting up. Also in IIS_IUSRS group.

2019-11-08 13:31:38 1.2.3.4 POST /api/v1/certificate/request - 443 AdcsProxyAccessUser 5.6.7.8 Java-SDK - 200 0 0 42122

Anyone have any idea? This is the last step for us and have been spinning our wheels. Have a ticket open and they can't pin it down either.

kburns
New Contributor III

Hey Jamf Nation. Anyone ever set up the Jamf AD CS Connector and use an Azure App Gateway to proxy the traffic from a public URL to the AD CS Connector server hostname (also in azure)? This was not the way I wanted to do this, but this was security's recommendation. Using Jamf Cloud for this, by the way.

Jamf Cloud > Azure App Gateway > AD CS Connector (in Azure) "bound" to on-prem AD > MS AD CS Server on-prem.

I had this working in testing when I had it set up using the AD CS Connector in Azure + an on-prem Jamf Pro server. Moving to cloud has thrown a giant wrench into it.

Edit: I have this figured out now. If anyone needs help with this type of set up, I'll be happy to offer guidance.

Mithrandir
New Contributor III

Hi! Our setup might be a little different, but here goes: we're behind an F5 Big-IP, have Jamf cloud, have setup the ADCS server/connector. Our security/web team did in fact create a public-facing host that's supposed to proxy all the traffic cloud <----> ADCS server.

We're getting certs; in fact, we had Jamf support look at our config, and they couldn't find any discrepancies. The issue I've discovered via testing/troubleshooting is simply that while the certs are being, user/hostnames are recognized therein (along with the issuing CA) these certs are nevertheless not recognized by our VPN service; however, again via testing, I've found that by binding a Mac to our AD, and setting up a profile to deliver AD certs (rather than just certs as defined in the ADCS documentation) that these are in fact recognized for auth purposes.

It's very, very bizarre. And as I said Jamf tech support can't seem to find any issues.

Any details on your working config would be greatly, greatly appreciated. Thanks!

Hello, could you please help us with the steps needed to have the jamf pro cloud talk to AD CS connector box with Azure gateway in between, I stuck with what certs that are needed on the AD CS box and the Azure gateway.

Not applicable

@kburns Would definitely like to hear more about your ADCS Azure solution.

samuelbaiden
New Contributor III
New Contributor III

<@kburns > I would really like to know more about your findings, is it possible to share your knowledge?

walt
Contributor III

@kburns would you please share those details with me as well.

@prbsparx @KMerendaTFMC do you have any sanitized documentation that lays out your configuration? specifically data flow from Jamf Cloud to your load balancer and from their to your ADCS Connector? did you have to do any DNS modifications at the load balancer or in the DMZ?

deanc
New Contributor

@kburns would you please share your setup guidance? I see other people had asked for it, but don't see where I could find your guidance. Thanks.

MacKobus
New Contributor II

@kburns would you please share your setup guidance/documentation? we're looking to set up the Azure Proxy as well and this would be super helpful!

ctien
New Contributor

@kburns I would love to see the setup guidance on this for sure as well. We are doing something similar but stuck as well.

Kapil
New Contributor III

@kburns
Can you please help me out with Jamf Cloud > Azure App Gateway > AD CS Connector ?

Kapil
New Contributor III

@kburns
Can you please help me out with Jamf Cloud > Azure App Gateway > AD CS Connector ?

Kapil
New Contributor III

@kburns
Can you please help me out with Jamf Cloud > Azure App Gateway > AD CS Connector ?

Mithrandir
New Contributor III

Yeah, @kburns, can you stop work on your latest PBS documentary to give us all the skinny on how you got this working, please?