iOS II: Assign Certificates to Active Directory User Objects
Assign Certificates to Active Directory Object
Prerequisites
- Supported Server Operating Systems
  - Certificate Authority is installed on Windows Server 2008 R2
  - Certificate Authority is installed on Windows Server 2012
  - Certificate Authority is installed on Windows Server 2016
- Certification Authority Server needs the following configured roles
  - Certification Authority
  - Certification Authority Web Enrollment
  - Configured HTTPS Authentication for the Certification Authority Web site (IIS Binding for Default Web Site)
- Certification Authority and Silverback Server are joined to the same Active Directory Domain
  - When using a Cloud Connector to connect to a cloud-based environment, it is the Cloud Connector object that needs to be domain joined.
- Service Account for publishing certificates into Active Directory User Object
- Silverback Computer Object is added to the Silverback Mobile Device Manager and Silverback Enterprise Device Management group. Please refer to Installation Guide I: System Requirements
- An enrolled iOS device
Scope
- Assigning Certificates to Active Directory Objects is supported for Wi-Fi Certificates
- You may have already performed some of these steps as part of Android II: Assign Certificates to Active Directory User Objects
- If so, do not repeat those steps; you may be able to start directly with the Wireless Local Area Network section
- For all Cloud Customers: the Import Certificate to Local Computer step needs to be done by Matrix42. Please get in touch with our support
Certificate Authority
Create Enrollment Agent Certificate Template
- Log into your Certification Authority server
- Open the Certification Authority MMC snap-in.
  - Choose Server Manager > Tools > Certification Authority
  - Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
- Expand the Configuration Tree on the Right until the Certificate Templates section is visible
- Right Click Certificate Templates
- Click Manage
- Right Click Enrollment Agent in the middle pane
- Click Duplicate Template
- When the Certificate Authority is running on Windows Server 2008 R2, you will be prompted to select the version
  - Select Windows Server 2003 Enterprise
  - Click OK
General
- Navigate to General
- Enter as Template Display Name: Silverback Enrollment Agent
- Enter as Template name: SilverbackEnrollmentAgent (will be filled automatically)
Request Handling
- Now navigate to Request Handling
- Make sure the configuration is as follows:
  - Purpose: Signature and encryption
  - Confirm with Yes when prompted whether you want to change the certificate purpose
  - Include symmetric algorithms allowed by the subject: Enabled
  - Allow private key to be exported: Enabled
  - Enroll subject without requiring any user input: Selected
Subject Name
- Navigate to Subject Name
- Ensure the following values are configured:
  - Built from this Active Directory information: Enabled
  - Subject Name is set to Fully distinguished name
  - User principal name (UPN): Enabled
Security
- Navigate to Security
- Click Add
- Enter the service account you want to use in the "Enter the object names to select" field
- Click Check Names
- Select the service account that you want to use
- Click OK
- Allow Read and Enroll Permissions
- Click OK to finish Template Configuration
Create User Certificate Template
- Right Click User Certificate in the middle pane
- Click Duplicate Template
- When the Certificate Authority is running on Windows Server 2008 R2, you will be prompted to select the version
  - Select Windows Server 2003
  - Click OK
- Enter as Template Display Name: Corporate User
- Enter as Template name: CorporateUser
- Ensure that Publish certificate in Active Directory is enabled
Request Handling
- Navigate to Request Handling
- Make sure the configuration is as follows:
  - Purpose: Signature and encryption
  - Confirm with Yes when prompted whether you want to change the certificate purpose
  - Include symmetric algorithms allowed by the subject: Enabled
  - Allow private key to be exported: Enabled
  - Enroll subject without requiring any user input: Selected
Subject Name
- Navigate to Subject Name
- Enable Supply in the request
- Click OK to confirm
Issuance Requirements
- Navigate to Issuance Requirements
- Ensure that CA certificate manager approval is unchecked
- Enable This number of authorized signatures and keep default value 1
- Change Application policy to Certificate Request Agent
Security
- Navigate to Security
- Select Authenticated Users
- Enable Read and Enroll Permissions
- Click Add
- Enter in the "Enter the object names to select": Silverback
- Click Check Names
- Select Silverback Enterprise Device Management
- Click OK
- Enable Read and Enroll Permissions
Extensions
- Navigate to Extensions
- Select Application Policies
- Click Edit
- Select Encrypting File System
- Click Remove
- Click OK
- Click OK to finish Template Configuration
- Close Certificate Templates Console window
Issue Certificate Templates
- Navigate to Certification Authority window
- Right Click Certificate Templates
- Select New
- Click Certificate Template to Issue
- Select Silverback Enrollment Agent
- Click OK
- Right Click Certificate Templates
- Select New
- Click Certificate Template to Issue
- Select Corporate User
- Click OK
Create Enrollment Agent Certificate Request
- Login to your Silverback or Cloud Connector server as a Local Administrator (not Active Directory Domain Account)
- Open Internet Explorer
- Enter URL for the Certification Authority Web Enrollment web site
- Click Continue to this website
- Log in with your Service Account
  - If you do not see a login prompt, you are probably logged in with an Active Directory Domain Account
- Click Request a certificate
- Click advanced certificate request
- Click Create and submit a request to this CA
  - When the Certificate Authority is running on Windows Server 2008 R2, you may not see this action and are instead redirected directly to the Submit a Certificate Request or Renewal Request action
    - Open Compatibility View Settings in Internet Explorer
    - Click Add to add your domain (e.g. imagoverum.com) and close the window
    - Navigate back to the Request a certificate step and try again (refresh your browser if needed)
  - After clicking Create and submit a request to this CA, you should receive a Web Access Confirm pop-up
    - If you do not see it and your CSP keeps loading, open Internet Options
    - Navigate to Security
    - Select Trusted Sites
    - Click Sites
    - Click Add (your Certification Authority should be filled in automatically, e.g. ca.imagoverum.com)
    - Click Close
    - Click OK
    - Refresh the page; you should now see the pop-up
  - Click Yes
- Change Certificate Template to Silverback Enrollment Agent
- Click Submit
- Click Yes
Install Certificate
- Click Install this certificate
- Your new certificate should be successfully installed
Export Certificate from Current User
- Right click Windows Icon in taskbar
- Click Run
- Enter certmgr.msc
- Click OK or press enter
- Expand Personal
- Expand Certificates
- Right Click the installed certificate
- Click All Tasks
- Click Export
- Click Next
- Click Yes, export the private key
- Click Next
- Uncheck Include all certificates in the certification path if possible
- Click Next
- Enable Password
- Enter a Password
- Confirm Password
- Click Next
- Click Browse
- Choose your location and save it as a *.pfx file
- Click Next
- Click Finish
- Click OK
Import Certificate to Local Computer
- Login to your Silverback or Cloud Connector server as a Domain Administrator
- Right click Windows Icon in taskbar
- Click Run
- Enter certlm.msc
- Click OK or press enter
- Expand Personal
- Expand Certificates
- Perform a right click in the right pane
- Select All Tasks
- Select Import
- Click Next
- Click Browse
- Select your *.pfx file
  - Change the file type filter to All Files (*.*)
- Click Open
- Click Next
- Enter your created password
- Enable Mark this key as exportable
- Click Next
- Ensure that Personal is selected
- Click Next
- Click Finish
- Click OK
Add Permission
- Right click the new imported enrollment agent certificate
- Select All Tasks
- Select Manage Private Keys
- Click Add
- Enter network
- Click Check Names
- Select Network Service
- Click OK
- Click OK
- Ensure that only Read is allowed
- Uncheck Full control
- Click Apply
- Click OK
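Before referencing the certificate in Silverback, it helps to confirm from the Silverback or Cloud Connector server that the import actually produced what the steps above require. The following PowerShell is an added example, not part of the Silverback documentation: it lists certificates in the Local Computer Personal store that carry the Certificate Request Agent EKU, reports the thumbprint (needed for the Cloud Connector case later on), checks that a private key is present, and, for the legacy CSP keys a Windows Server 2003-compatible template produces, reads the NETWORK SERVICE rights on the key file that Manage Private Keys edits.

```powershell
# Added example (not part of the Silverback documentation): verify the imported
# enrollment agent certificate in the Local Computer Personal store.
$agentEkuOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU

function Get-EnrollmentAgentCertificate {
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $agentEkuOid })
    }
}

foreach ($cert in Get-EnrollmentAgentCertificate) {
    $report = [ordered]@{
        Subject              = $cert.Subject
        Thumbprint           = $cert.Thumbprint     # value to paste into the Wi-Fi profile when using a Cloud Connector
        HasPrivateKey        = $cert.HasPrivateKey  # False means the *.pfx was exported without its private key
        NotAfter             = $cert.NotAfter
        NetworkServiceRights = 'n/a (CNG key or key not readable; check Manage Private Keys in certlm.msc)'
    }
    # A Windows Server 2003-compatible template issues a legacy CSP key, stored as a file under
    # MachineKeys; its NTFS ACL is exactly what "Manage Private Keys" edits.
    try {
        $csp = $cert.PrivateKey
        if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                                 $csp.CspKeyContainerInfo.UniqueKeyContainerName
            $ace = (Get-Acl -Path $keyFile).Access |
                   Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' }
            $report.NetworkServiceRights = if ($ace) { ($ace.FileSystemRights -join ', ') }
                                           else { 'none (grant Read via Manage Private Keys)' }
        }
    } catch { }
    [PSCustomObject]$report
}
```

Run it in an elevated PowerShell on the server where you imported the *.pfx; if NetworkServiceRights shows anything beyond Read (e.g. FullControl), repeat the Add Permission steps.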
Silverback
Add Certification Authority
- Open your Silverback Management Console
- Log in as a Settings Administrator
- Navigate to Certificates
- Under Certificate Deployment enable Individual Client
- Enter your Corporate Certification Authority in the following format:
  - ca.imagoverum.com\domain-server-CA
- Click Save
- Confirm with OK
From now on, Silverback will generate a certificate for every assigned Exchange ActiveSync Profile
Restart IIS
- Run PowerShell with elevated privileges
- Run the following command:
  - restart-service w3svc,silv*,epic*,mat*
Change User
- Log out as Settings Administrator
- Log in as Administrator
Wireless Local Area Network
Create Wireless Local Area Network Tag
- Log in as an Administrator
- Create a Tag
  - Navigate to Tags
  - Click New Tag
  - Enter as Name e.g. iOS WiFi Corporate
  - Enter as Description e.g. WiFi with Certificate Based Authentication (optional)
  - Enable Profile
  - Enable iPhone and/or iPad
  - Click Save
Create Wireless Local Area Network Profile
- Navigate to Profile
- Navigate to Wi-Fi
- Click New WiFi profile
- Click Enabled
- Enter your SSID e.g. Imagoverum WiFi
- Select Security Type WPA 2 Enterprise
- Navigate to Authentication
- Enable Use Individual Username (optional)
- Enable Use Individual Client Certificates
- Enter as Individual Client Certificate subject e.g. u_{firstname}.{lastname}_WiFi
- Enable Populate into Active Directory
- Enter a Certificate Template Name CorporateUser
- Enter as Requester Name LDAP Attribute: SamAccountName (Use SamAccountName, nothing else!)
- Select as Agent Certificate your previously created Enrollment Agent Certificate
  - Or, if you are running with a Cloud Connector, paste the thumbprint manually, e.g. d17843663fbaa87f49c4e97cd860867efc2c20b6
- Click Save
- Navigate to Definition
- Click Associated Devices
- Click Attach More Devices
- Select your previously enrolled device
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to Devices
Check Device
- On your device open Settings
- Open General
- Navigate to Profiles & Device Management
- Open Silverback MDM Profile
- Click More Details
- Under WiFi Network you should now see an entry with your SSID
- Under Certificates you should now see 2 certificates
  - u_username
  - u_firstname.lastname_WiFi
Check Certification Authority
- Navigate back to your Certificate Authority
- Navigate to Issued Certificates
- Right click and click refresh
- You should now see a newly issued certificate for firstname.lastname using the Corporate User template
- Navigate to your Active Directory
- Open Active Directory User and Groups
- Click View
- Click Advanced Features
- Navigate to your User
- Double Click your User
- Navigate to Attribute Editor
- Scroll down to userCertificate
- The issued certificate should be listed in Binary Format
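The Attribute Editor only shows the raw binary value, so it is hard to tell which certificate is listed or whether stale ones have piled up. The following PowerShell is an added example, not part of the Silverback documentation: it reads userCertificate from the user object and decodes every value, so you can confirm the subject matches the Individual Client Certificate subject from the Wi-Fi profile and that the certificate was issued from the Corporate User template. It assumes the ActiveDirectory RSAT module is installed; firstname.lastname is a placeholder account name.

```powershell
# Added example (not part of the Silverback documentation): decode the userCertificate
# values published on an AD user so the result can be checked without the GUI.
Import-Module ActiveDirectory

function Get-PublishedUserCertificate {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    foreach ($raw in $user.userCertificate) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(, [byte[]]$raw)
        # The template shows up as the v1 "Certificate Template Name" extension (1.3.6.1.4.1.311.20.2)
        # or the v2 "Certificate Template Information" extension (1.3.6.1.4.1.311.21.7).
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }
        [PSCustomObject]@{
            Subject    = $cert.Subject       # expected: the Individual Client Certificate subject, e.g. u_firstname.lastname_WiFi
            Issuer     = $cert.Issuer        # expected: your corporate CA
            Template   = ($template -join '; ')
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))   # expired entries accumulate here and are worth cleaning up
            Thumbprint = $cert.Thumbprint
        }
    }
}

Get-PublishedUserCertificate -SamAccountName 'firstname.lastname' | Format-Table -AutoSize
```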
Next Steps
- Learn how to Create Computer Objects and assign Certificates
- Check our Apple Deployment Program Integration
- Check our Android Enterprise Integration
- Check our Certification Authority Integration for Android
- Check our Certificate Authority Integration for Windows 10