Matrix42 Self-Service Help Center

iOS II: Assign Certificates to Active Directory User Objects

Assign Certificates to Active Directory Object

Prerequisites

  • Supported Server Operating Systems
    • Certificate Authority is installed on Windows Server 2008 R2
    • Certificate Authority is installed on Windows Server 2012
    • Certificate Authority is installed on Windows Server 2016 
  • Certification Authority Server needs the following configured roles
    • Certification Authority
    • Certification Authority Web Enrollment 
  • Configured HTTPS Authentication for Certification Authority Web site (IIS Binding for Default Web Site) 
  • Certification Authority and Silverback Server are joined to the same Active Directory Domain
  • When a Cloud Connector is used to connect to a cloud-based environment, it is the Cloud Connector object that needs to be domain joined.
  • Service Account for publishing certificates into the Active Directory User Object
  • Silverback Computer Object is added to the Silverback Mobile Device Manager and Silverback Enterprise Device Management group. Please refer to Installation Guide I: System Requirements
  • An enrolled iOS device

Scope 

Certificate Authority

Create Enrollment Agent Certificate Template 

  • Log into your Certification Authority server
  • Open the Certification Authority MMC snap-in.
    • Choose from Server Manager > Tools > Certification Authority
    • Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
  • Expand the Configuration Tree on the Right until the Certificate Templates section is visible
  • Right Click Certificate Templates
  • Click Manage
  • Right Click Enrollment Agent in the middle pane
  • Click Duplicate Template
    • When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the version
    • Select Windows Server 2003 Enterprise
    • Click OK
General
  • Navigate to General
  • Enter as Template Display Name: Silverback Enrollment Agent
  • Enter as Template name: SilverbackEnrollmentAgent (will be filled automatically)
Request Handling
  • Now navigate to Request Handling
  • Make sure that the configuration will be the following:
    • Purpose: Signature and encryption
    • Proceed with Yes at prompt for wish to change the certificate purpose
    • Include symmetric algorithms allowed by the subject: Enabled
    • Allow private key to be exported: Enabled
    • Select Enroll subject without requiring any user input
Subject Name
  • Navigate to Subject Name
  • Ensure the following values are configured:
    • Built from this Active Directory information: Enabled
    • Subject Name is set to Fully distinguished name
    • User principal name (UPN): Enabled
Security
  • Navigate to Security
  • Click Add
  • Enter in the "Enter the object names to select" field the service account you want to use
  • Click Check Names
  • Select the service account that you want to use 
  • Click OK
  • Allow Read and Enroll Permissions
  • Click OK to finish Template Configuration

Create User Certificate Template

  • Right Click User Certificate in the middle pane
  • Click Duplicate Template
    • When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the version
    • Select Windows Server 2003
    • Click OK
  • Enter as Template Display Name: Corporate User
  • Enter as Template name: CorporateUser
  • Ensure that Publish certificate in Active Directory is enabled
Request Handling 
  • Navigate to Request Handling
  • Make sure that the configuration will be the following:
    • Purpose: Signature and encryption
      • Proceed with Yes at prompt for wish to change the certificate purpose
    • Include symmetric algorithms allowed by the subject: Enabled
    • Allow private key to be exported: Enabled
    • Select Enroll subject without requiring any user input
Subject Name 
  • Navigate to Subject Name
  • Enable Supply in the request
  • Click OK to confirm
Issuance Requirements 
  • Navigate to Issuance Requirements
  • Ensure that CA certificate manager approval is unchecked
  • Enable This number of authorized signatures and keep default value 1
  • Change Application policy to Certificate Request Agent
Security 
  • Navigate to Security
  • Select Authenticated Users
  • Enable Read and Enroll Permissions
  • Click Add
  • Enter in the "Enter the object names to select": Silverback
  • Click Check Names
  • Select Silverback Enterprise Device Management
  • Click OK
  • Enable Read and Enroll Permissions
Extensions
  • Navigate to Extensions
  • Select Application Policies
  • Click Edit
  • Select Encryption File System
  • Click Remove
  • Click OK
  • Click OK to finish Template Configuration
  • Close Certificate Templates Console window

Issue Certificate Templates 

  • Navigate to Certification Authority window
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback Enrollment Agent
  • Click OK
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Corporate User
  • Click OK
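The settings configured in the two template sections above and the issuance step can be verified from the Configuration partition of Active Directory, where certificate templates are stored. The following PowerShell script is an added example, not part of the Matrix42 article; it assumes a domain-joined machine with the ActiveDirectory module (RSAT) and certutil, that the template names match the article (SilverbackEnrollmentAgent, CorporateUser), and that $caConfig is your CA in the format the article uses. The flag bits are taken from the MS-CRTD template definitions for version 2 templates (the version created by choosing Windows Server 2003 when duplicating). The Corporate User check matters because that template lets the requester supply the subject name, so the required Certificate Request Agent signature is what limits who can request a certificate in another user's name.

```powershell
# Added example (not part of the Matrix42 article): verify that the two duplicated templates
# carry the settings configured above and that the CA has been told to issue them.
# Assumptions: domain-joined machine with the ActiveDirectory module (RSAT) and certutil;
# template names as in the article; $caConfig in the article's "host\CA name" format.
Import-Module ActiveDirectory

$caConfig     = 'ca.imagoverum.com\domain-server-CA'   # from the article; replace with your CA
$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$oidRequestAgent   = '1.3.6.1.4.1.311.20.2.1'  # Certificate Request Agent application policy
$oidEfs            = '1.3.6.1.4.1.311.10.3.4'  # Encrypting File System application policy
$flagSupplySubject = 0x1   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag (MS-CRTD)
$flagPublishToDS   = 0x8   # CT_FLAG_PUBLISH_TO_DS in flags (MS-CRTD)

function Get-Template([string]$Name) {
    Get-ADObject -SearchBase $templateBase -Filter "cn -eq '$Name'" -Properties `
        'msPKI-RA-Signature', 'msPKI-RA-Application-Policies', 'msPKI-Certificate-Name-Flag', `
        'pKIExtendedKeyUsage', 'flags'
}

$user  = Get-Template 'CorporateUser'
$agent = Get-Template 'SilverbackEnrollmentAgent'
if (-not $user -or -not $agent) { throw 'One of the templates was not found in the Configuration partition' }

# Corporate User lets the requester supply the subject, so the required Certificate Request
# Agent signature is the control that limits who may request a certificate for another user.
$checks = [ordered]@{
    'CorporateUser: subject supplied in the request'               = (($user.'msPKI-Certificate-Name-Flag' -band $flagSupplySubject) -ne 0)
    'CorporateUser: exactly one authorized signature required'     = ($user.'msPKI-RA-Signature' -eq 1)
    'CorporateUser: signature policy is Certificate Request Agent' = ($user.'msPKI-RA-Application-Policies' -contains $oidRequestAgent)
    'CorporateUser: EFS application policy removed'                = (-not ($user.'pKIExtendedKeyUsage' -contains $oidEfs))
    'CorporateUser: published to Active Directory'                 = (($user.flags -band $flagPublishToDS) -ne 0)
    'SilverbackEnrollmentAgent: Certificate Request Agent EKU'     = ($agent.'pKIExtendedKeyUsage' -contains $oidRequestAgent)
}

# Both templates must also appear in the CA's list of templates to issue
# (certutil prints one "Name: Display Name -- ..." line per issued template)
$issued = certutil -config $caConfig -CATemplates 2>&1 | Out-String
foreach ($name in 'CorporateUser', 'SilverbackEnrollmentAgent') {
    $checks["CA issues template $name"] = ($issued -match ('(?m)^\s*' + [regex]::Escape($name) + ':'))
}

$checks.GetEnumerator() | ForEach-Object {
    '{0} {1}' -f $(if ($_.Value) { '[OK]  ' } else { '[FAIL]' }), $_.Key
}
```

Run it as a user who can read the Configuration partition; each line reports one setting as [OK] or [FAIL]. A [FAIL] on the authorized-signature or application-policy line means a certificate with a caller-chosen subject could be issued without an enrollment agent signature, so fix that before enabling the template in Silverback.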

Create Enrollment Agent Certificate Request

  • Login to your Silverback server as a Local Administrator (not Active Directory Domain Account)
  • Open Internet Explorer
  • Enter URL for the Certification Authority Web Enrollment web site 
  • Click Continue to this website
  • Login with your Service Account 

If you do not see a login prompt, you are probably logged in with an Active Directory Domain Account

  • Click Request a certificate
  • Click advanced certificate request
  • Click Create and submit a request to this CA
    • When Certificate Authority is running on Windows Server 2008 R2 you may not see this action
      • You will be redirected directly to the Submit a Certificate Request or Renewal Request action
      • Open Compatibility View Settings on Internet Explorer
      • Click Add to add your domain (e.g. imagoverum.com) and Close the Window
      • Navigate back to Request a certificate step and try again (maybe refresh your browser)
  • After clicking Create and submit a request to this CA you should receive a pop-up with Web Access Confirm
    • If you don't see this and your CSP keeps loading, open Internet options
    • Navigate to Security
    • Select Trusted Sites
    • Click Sites
    • Click Add (your Certification Authority should be filled automatically - e.g ca.imagoverum.com)
    • Click Close
    • Click OK
    • Refresh the page; you should now see the pop-up
  • Click Yes
  • Change Certificate Template to Silverback Enrollment Agent
  • Click Submit
  • Click Yes

Install Certificate

  • Click Install this certificate
  • Your new certificate should be successfully installed

Export Certificate from Current User

  • Right click Windows Icon in taskbar
  • Click Run
  • Enter certmgr.msc
  • Click OK or press enter
  • Expand Personal
  • Expand Certificates
    • Right Click the installed certificate
    • Click All Tasks
    • Click Export
    • Click Next
    • Click Yes, export the private key
    • Click Next
    • Uncheck Include all certificates in the certification path if possible
    • Click Next
    • Enable Password
      • Enter a Password
      • Confirm Password
    • Click Next
    • Click Browse
    • Choose your location and save it as a *.pfx file
    • Click Next
    • Click Finish
    • Click OK

Import Certificate to Local Computer

  • Login to your Silverback server as a Domain Administrator
  • Right click Windows Icon in taskbar
  • Click Run
  • Enter certlm.msc
  • Click OK or press enter
  • Expand Personal
  • Expand Certificates
  • Perform a right click in the right pane
  • Select All Tasks
  • Select Import
  • Click Next
  • Click Browse
  • Select your *.pfx file

Change Search to All Files (*.*)

  • Click Open
  • Click Next
  • Enter your created password
  • Enable Mark this key as exportable
  • Click Next
  • Ensure that Personal is selected
  • Click Next
  • Click Finish
  • Click OK

Add Permission

  • Right click the new imported enrollment agent certificate
  • Select All Tasks
  • Select Manage Private Keys
  • Click Add
  • Enter network
  • Click Check Names
  • Select Network Service
  • Click OK
  • Click OK
  • Ensure that only Read is allowed
    • Uncheck Full control
  • Click Apply
  • Click OK
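The Manage Private Keys steps above give the IIS worker identity read access to the enrollment agent's private key. The following PowerShell script is an added example, not part of the Matrix42 article; it does the same thing on the key file and then confirms that NETWORK SERVICE holds nothing beyond Read. It assumes Windows PowerShell 5.1 run elevated on the Silverback server, that the certificate was imported into the Local Computer Personal store as described above, and that it can be identified by its Certificate Request Agent EKU. The key file paths are the standard Windows locations for legacy CSP keys (the Windows Server 2003 template version used above) and for CNG keys.

```powershell
# Added example (not part of the Matrix42 article): grant NETWORK SERVICE read access to the
# private key of the imported enrollment agent certificate and verify it has no more than Read.
# Assumptions: Windows PowerShell 5.1, elevated, on the Silverback server; certificate is in
# Cert:\LocalMachine\My and carries the Certificate Request Agent EKU.
$ekuRequestAgent = '1.3.6.1.4.1.311.20.2.1'
$principal       = 'NT AUTHORITY\NETWORK SERVICE'

# Locate the enrollment agent certificate by EKU; prefer the one that expires last
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $ekuRequestAgent })
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No enrollment agent certificate with a private key found in LocalMachine\My' }

# Resolve the key file on disk. Legacy CSP keys (templates duplicated as Windows Server 2003)
# live under Crypto\RSA\MachineKeys; CNG keys live under Crypto\Keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
}
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

# Replace any existing NETWORK SERVICE rules with a single Read/Allow rule
$acl = Get-Acl -Path $keyFile
$acl.Access | Where-Object { $_.IdentityReference.Value -eq $principal } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: OR together every Allow rule for NETWORK SERVICE and make sure only Read bits
# (plus Synchronize, which Windows adds to every Allow rule) are set
$allowed = 0
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $principal -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $allowed = $allowed -bor [int]$_.FileSystemRights }
$readOnly = [int][System.Security.AccessControl.FileSystemRights]::Read -bor `
            [int][System.Security.AccessControl.FileSystemRights]::Synchronize
"Certificate : $($cert.Subject) ($($cert.Thumbprint))"
"Key file    : $keyFile"
if (($allowed -band -bnot $readOnly) -eq 0) {
    "OK: $principal has read-only access to the private key"
} else {
    Write-Warning "$principal holds rights beyond Read on the private key; re-check the ACL"
}
```

The verification folds in inherited rules as well, so a Full control entry inherited from the key folder is caught even though the explicit rule was set to Read.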

Silverback

Add Certificate Authority

  • Open your Silverback Management Console
  • Login as a Settings Administrator
  • Navigate to Certificates
  • Under Certificate Deployment enable Individual Client
  • Enter your Certificate Authority in the following format:
    • ca.imagoverum.com\domain-server-CA
  • Click Save
  • Confirm with OK 

From now on, Silverback will generate a certificate for every assigned Exchange ActiveSync Profile

Restart IIS

  • Run PowerShell with elevated privileges
  • Run the following command:
    • restart-service w3svc,silv*,epic*,mat*

Change User

  • Logout as Settings Administrator
  • Login as Administrator

Wireless Local Area Network

Create Wireless Local Area Network Tag

  • Login as an Administrator
  • Create a Tag
    • Navigate to Tags
    • Click New Tag
    • Enter as Name e.g. iOS WiFi Corporate
    • Enter as Description e.g. WiFi with Certificate Based Authentication (optional)
    • Enable Profile
    • Enable iPhone and/or iPad
    • Click Save

Create Wireless Local Area Network Profile

  • Navigate to Profile
    • Navigate to Wi-Fi
    • Click New WiFi profile
    • Click Enabled
    • Enter your SSID e.g. Imagoverum WiFi
    • Select Security Type WPA 2 Enterprise
    • Navigate to Authentication
    • Enable Use Individual Username (optional)
    • Enable Use Individual Client Certificates
    • Enter as Individual Client Certificate subject e.g. u_{firstname}.{lastname}_WiFi
    • Enable Populate into Active Directory
    • Enter a Certificate Template Name CorporateUser
    • Enter as Requester Name LDAP Attribute: SamAccountName (Use SamAccountName, nothing else!)
    • Select as Agent Certificate your previously created Enrollment Agent Certificate 
    • Click Save
  • Navigate to Definition
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to Devices

Check Device

  • On your device open Settings
    • Open General
    • Navigate to Profiles & Device Management
    • Open Silverback MDM Profile
    • Click More Details
    • Under WiFi Network you should now see an entry with your SSID
    • Under Certificates you should now see 2 Certificates
      • u_username
      • u_firstname.lastname_WiFi

Check Certification Authority

  • Navigate back to your Certificate Authority
    • Navigate to Issued Certificates
    • Right click and click refresh
    • You should now see a newly issued certificate for firstname.lastname with the Corporate User Template
  • Navigate to your Active Directory
    • Open Active Directory User and Groups
    • Click View
    • Click Advanced Features
    • Navigate to your User
    • Double Click your User
    • Navigate to Attribute Editor
    • Scroll down to userCertificate
    • The issued certificate should be listed in Binary Format
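The Attribute Editor only shows userCertificate as binary, so the check above cannot tell which certificate was published, whether it came from the Corporate User template, or whether it is still valid. The following PowerShell script is an added example, not part of the Matrix42 article; it decodes every value of the attribute and reports subject, issuer, template and expiry. It assumes the ActiveDirectory module (RSAT), that $samAccountName is the enrolled user's SamAccountName (the Requester Name LDAP Attribute configured in the Wi-Fi profile) and that the template display name matches the article.

```powershell
# Added example (not part of the Matrix42 article): decode the userCertificate attribute of the
# enrolled user and confirm that a valid Corporate User certificate has been published.
# Assumptions: ActiveDirectory module (RSAT); placeholder SamAccountName below.
Import-Module ActiveDirectory

$samAccountName      = 'firstname.lastname'   # placeholder: the enrolled user's SamAccountName
$templateDisplayName = 'Corporate User'

$user  = Get-ADUser -Identity $samAccountName -Properties userCertificate
$blobs = @($user.userCertificate)
if ($blobs.Count -eq 0) { Write-Warning "No userCertificate values on $samAccountName"; return }

$now    = Get-Date
$report = foreach ($blob in $blobs) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
    # The template is recorded in the Certificate Template Information extension
    # (1.3.6.1.4.1.311.21.7, v2+ templates) or Certificate Template Name (1.3.6.1.4.1.311.20.2, v1)
    $tmplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' }
    $template = if ($tmplExt) { ($tmplExt | Select-Object -First 1).Format($false) } else { '(none)' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Template   = $template
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt $now)
        Thumbprint = $cert.Thumbprint
    }
}
$report | Format-Table Subject, Template, NotAfter, Expired, Thumbprint -AutoSize

# At least one unexpired certificate from the Corporate User template should be present
$current = @($report | Where-Object { -not $_.Expired -and $_.Template -like "*$templateDisplayName*" })
if ($current.Count -gt 0) {
    "OK: $($current.Count) valid certificate(s) from '$templateDisplayName' published for $samAccountName"
} else {
    Write-Warning "No valid certificate from '$templateDisplayName' found in userCertificate for $samAccountName"
}
```

Expired entries are not removed from userCertificate automatically, so after a few re-enrollments the attribute will list several certificates; the Expired column makes the stale ones easy to spot when deciding what to clean up.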