AD CS Connector Experience, Tips, and Lessons Learned

I made a guide on how to set this up located Here

Update on the bug:
It turns out, the "@" is only transposed to text when it is used as the value of an extension attribute. I was able to map UserPrincipalName to the $ROOM variable using LDAP user mapping, and then it passed the @ correctly.

Update #2 on the bug:
Jamf team confirmed it is a bug and has documented for the product team as PI-006195.

you posted omain service account and change the identity of the ADCSProxy application pool on the AD Cs Connector so that it used that service account.

where did you change to user the service account... I cant seem to find where to change it

@jimderlatka 1. Open IIS Manager
2. Expand the Connections column to review Applicaton Pools
3. Right-click AdcsProxyPool and select Advanced Settings
4. In the Process Model group, change Identity to be your service account
5. Save and close IIS manager
6. Open Computer Management
7. Navigate to Local Users and Groups Groups
8. Open "IIS_USRS" group
9. Add your service account as a member
10. Save and close
11. Restart site and app pool.

@KMerendaTFMC do you know how much storage space the AD CS Connector takes total?

@prbsparx My entire host server C: drive is consuming 24 GB. including OS, IIS, and ADCS. The website for ADCS is 24 MB

awesome, thanks!

The jamfProDn isn't very clear on what hostname this should be... Does this need to be:
1. the client-facing hostname?
2. the master server's actual hostname (the one the IP resolves to)?
3. The child's actual hostname (the one the IP resolves to)?

We have now run through the first couple of tests with ADCS.

One thing that is missing in ADCS is that you are not able to revoke any certificates at all (manually via JSS or automatically once the profile get remove or so). Also we had struggle with CRL (Certificate Revocation List) as our Access Controllers do check for such.

Something that might need to considered in any future development for ADCS.

@prbsparx I'm using a hosted instance of Jamf, so my JamfProDN was company.jamfcloud.com. I assume it should be the name of the JSS that is resolvable by the ADCS proxy.

Hello

looking at imlimenting the ADCS connector. But the big concern is allowing 443 inbound with out using a reverse proxy. How did you convince your secuirty department to allow this?

Also whats the alternitive to using the ADCS if it doesn't work with a reverse proxy. Will SCEP work with a reverse proxy? I'm aware Jamf acts as a scep proxy, but that would still require 443 to the internal CA. So could the 443 connection from Jamf to the CA go through a reverse proxy?

Or am i going about this all wrong?

@JPWheatley I'm using it behind an F5 BIG-IP as a reverse proxy. You'll need to make sure the F5 does not try to inspect the SSL traffic by presenting its own certificate instead of the one created during the AD CS connector install.

Essentially, if you visit https://your.adcsconnector.com/adcsproxy from a laptop on an external network, you should get an invalid certificate warning from your web browser. If you tell it to trust that certificate then reload the page, the website should ask you to provide your identity certificate. If that is happening, everything is working properly.

If, however, you go to https://your.adcsconnector.com/adcsproxy and get HTTP 403 error, its likely that the reverse proxy intercepted the traffic and presented its own SSL certificate rather than the one used on the AD CS connector. This interferes with the auth process and will make it impossible for Jamf to authenticate to your connector.

@KMerendaTFMC @JPWheatley My company requires SSL inspection and we figure out how to do it... I'm gonna post as much as I can in the near future about how to do this. We're using F5 as well.

For us we seems to get the error - no clue what that means. Have made a service account for both IIS pool and on CA template

Caused by: com.jamfsoftware.pki.adcs.exception.AdcsConnectorCertificateNotIssuedException: CR_DISP_DENIED: Request denied

I can get a certicate request if going to https://ouradcs and accepting the trust of certificate and I am presented a certificate. So seems to work outside jamf

@KMerendaTFMC I have got the ADCS working for Computer certificates. Now when I use the exact same template and in the configuration payload in the subject field write CN=$USERNAME@domain.com it does only add an certificate named "@domain.com" - so it does not include username. Can you give any input why this happen?

@jameson look at "certificate requests" in the AD CS, it'll tell you the reason for why the request failed. Most likely the server or user account isn't allowed to request that template or you passed an invalid value.

Is there any difference in setup when using Local account, as we don´t use any ldap - so we want local account users to get the certificate

Anyone tried this ?

@jameson Account type does not matter. These are device certs.

Ok I see. Is SAN supported or only Subject ?

@jameson

anyone ever try this with a Microsoft app proxy?

how are you getting a dmz server to communicate with an internal domain CA? I can't get this or scep working with my cloud configuration, very frustrating right now

@prbsparx

Where is the "certificate requests" that you mentioned above so we can see why its failing?

Glad to hear I'm not the only one with issues. I'm getting an "Unable to retrieve ADCS certificate for profile payload". If I try to manually download and install the profile it gives a "Could not open profile." error. Any ideas?

I'm wondering if there are any log files I can check to see if things are working throughout the different steps in the process to try to zero in on where things are getting hung up?

@KMerendaTFMC We are getting http 403 error when access the https://jamfconnector/adcsproxy, how to fix it?