New Contributor III
New Contributor III

Welcome to Part 2 of our discussion of Certificates, SCEP, and 802.1x. In our first post we took a look at what certificates are and how they work. Today we will take a look at Active Directory and Active Directory Certificate Services.

What is Active Directory?

  • Active Directory (AD) is a set of roles and features which run on Windows Server. In essence, it is a database and set of services that connect users with the network resources they need to get their work done.

Active Directory is often used as a broad term to describe several concepts and services. There is much, much more to AD but this isn’t a Microsoft AD course, so we’ll only cover what we need to know here.

What does Active Directory do?

  • At its core, AD helps administrators manage permissions and control access to network resources.
  • AD uses several directory objects to do so:
    • Users
    • Groups
    • Computers
    • Security Policies (Group Policy Objects)
  • Active Directory manages the security policies applied to its many moving parts. With certificates specifically, Active Directory requires that a user or group permission is correctly set for and user or service account to create, enroll, or even view certificates.

How does Active Directory fit in with certificates?

  • Active Directory can also be a major part of how admins distribute and manage certificates. Windows Servers provides multiple roles which can create or use certificates.
  • The two covered in this document are called Active Directory Certificate Services and Network Policy Server. These roles have several role services which are used to create, maintain, distribute, and use certificates :
    • Active Directory Certificate Services
      • Certification Authority (CA)
      • Network Device Enrollment Services (NDES)
        • Simple Device Enrollment Protocol (SCEP)
    • Network Policy Server (NPS)
      • RADIUS Server
  • The Certification Authority role service provides an interface to create, delete, and manage certificates. This can also allow admins to manually create certificates. Domain joined computers can also manually request a certificate from the CA.
    • Certificates are often built with a Certificate Template. These are exactly what they sound like, template which govern how a certificate is created, what kind of certificate it will be, what is on the certificate, how it can be used, who or what can use the template to create a certificate, and more.
  • Network Device Enrollment Services is also aptly named, it allows devices on the AD network to enroll, also known as request, certificates. There is also functionality to allow off-network devices to request certificates:
    • SCEP - built into NDES
    • AD CS Connector - A Jamf Provided software that works with Active Directory
  • The Network Policy Server is one of the most common Windows Server roles we will interact with as it allows administrators to use Active Directory to manage their 802.1x networks. The NPS server allows admins to create a RADIUS server to authenticate users or computers requesting to join the 802.1x network and to create security policies or requirements for those users or computers to join.

What is AD CS Connector?

  • AD CS Connector = Active Directory Certificate Services Connector

AD CS Connector started as a custom piece of software written by Jamf for a large customer. It’s now used by many customers who cannot utilize SCEP in their environment.

What does AD CS Connector do?

  • AD CS Connector is a web application which performs the role of a web proxy and allows administrators to issue certificates automatically.
  • AD CS Connector allows admins to safely connect their Active Directory environment to Jamf Pro without exposing it directly to the internet or other insecure networks.

A web proxy is a web server that accepts and sends communication on behalf of another service over the internet. This ensures critical services, like Active Directory, are not exposed to the security risk that is the internet.

How does AD CS Connector work?

  • AD CS Connector uses a Windows Server Role called Internet Information System (IIS) which acts as a web server, similar to how Tomcat acts as a web server for Jamf Pro.
  • During the installation of AD CS Connector, several things happen:
    • The IIS role is installed.
    • The AD CS Connector application is unzipped and installed at C:\inetpub\wwwroot\adcsproxy.
    • The AdcsProxy site name is created within IIS and bound to port 443.
    • The Windows Firewall is updated with a rule to allow inbound TCP traffic to port 443.
    • Application Pools are created within IIS under the AdcsProxy site.
    • An Access User is created for IIS for Client Certificate Mapping Authentication.
    • A certificate for the AdcsProxy site is created and installed in IIS.

An Application Pool is a collection of one or more URLs that can be served by a worker process, and it provides isolation: applications that run on one application pool are in no way affected by other applications that run on different application pools.

Client Certificate Mapping Authentication is a way of certificate based authentication for the IIS Access User. This service account is used to run the processes in the AD CS Connector application, the certificate is used to authenticate this account. This process helps to secure access to the AD CS Connector application.

  • AD CS Connector allows administrators to specify a certificate template which exists on a CA in the domain that the AD CS Connector host is joined with.
    • The computer account or service account used by AD CS Connector must have at least read and enroll privileges on the specified template, either directly or through group membership.
    • AD CS Connector can be used with multiple load balanced CA’s, however they must be replicated and each must contain the template specified in the configuration profile.
    • If there are multiple CA’s behind a load balancer and one does not contain the template specified in the configuration profile, the request will fail and the profile will not install.

How is AD CS Connector used?

  1. A Certificate profile is created and distributed to a computer via MDM. This profile includes information on what information the certificate should contain and how to create the Certificate Signing Request (CSR).
    1. A Certificate Signing Request is exactly what it sounds like, a request by a client to a CA to generate and sign a certificate. It contains some information that should be on the certificate and what (or whom) is requesting the certificate.
    2. The Certificate Authority which AD CS Connector connects to contains multiple Certificate Templates. A Certificate Template contains the information needed to create and sign a certificate, including whether or not that information can be supplied in the request or must be generated by the CA.
  2. During the installation of the profile, a Certificate Signing Request is sent by Jamf Pro to AD CS Connector.
    1. AD CS Connector only accepts communication from Jamf Pro that is encrypted by a Server Certificate generated during installation, likewise Jamf Pro only accepts communication from AD CS Connector that is encrypted by a Client Certificate generated during installation.
  3. AD CS Connector then passes that request to a CA on the domain which contains the Certificate Template specified in the profile.
  4. The certificate is generated and signed by the CA, then sent back through AD CS Connector to Jamf Pro, then to the computer which is in scope of the Certificate profile.

That’s all for part two! Stay tuned to learn more about some of the other technologies surrounding certificates!