Score:0

Target specific Enterprise CA for auto-enrollment?


We have two intermediate Enterprise CAs (Windows AD CS) in our AD domain. Both CAs only have the Certification Authority role enabled.

CA1 is responsible for issuing certificates to workstations and users and has a template Workstation Auth.

CA2 is responsible for issuing certificates to servers and has a template Server Auth.

Auto-Enrollment is enabled on all Workstations and servers in our domain and working.

Problem:

Workstations should only target CA1 for auto-enrollment
and servers should only target CA2 for auto-enrollment.

I want to achieve this using group policies.

I know that I can allow auto-enrollment on a template only for members of security groups, and that would work.

However, I prefer a solution using group policies, because we organise workstations and servers in different OUs. I can target both groups with group policies on OUs. The security group solution would require us to manage two new security groups on top of that.

Is it possible to configure a workstation or server to only auto-enroll from a particular Enterprise CA? I'm open to alternatives, if they can be achieved using group policies.

Score:1

I'm open to alternatives, if they can be achieved using group policies.

I think you went in the wrong direction. The solution is chosen based on a problem, not the opposite. Your requirement (GPO only) isn't justified by a problem.

Let's focus on a problem:

  • Workstations should only target CA1 for auto-enrollment
  • and servers should only target CA2 for auto-enrollment

This task is solved by permissions. Put workstations in a security group (let's say "Workstations") and grant Read, Enroll and Autoenroll permissions on the "Workstation Authentication" certificate template. Assign this template only to CA1.

Put servers in a security group (let's say "Servers") and grant Read, Enroll and Autoenroll permissions on the "Server Authentication" certificate template. Assign this template only to CA2.

A single autoenrollment GPO can be applied to a top-level OU or even at the domain level. It is good practice to have the autoenrollment GPO applied at the domain level, with the exact autoenrollment settings (who can autoenroll and which templates they can use) controlled by certificate template permissions and template assignment to the corresponding CAs.
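An added audit script (not from the original post or its author) that checks the layout this answer describes: for each template, which Enterprise CAs publish it and which principals hold the Enroll and Autoenroll extended rights on it. It assumes the ActiveDirectory RSAT module and uses the question's template display names and CA names, which may differ in your environment.

```powershell
# Added example, not from the original post: audit the layout the answer describes.
# For each template, report which CAs publish it and which principals hold the
# Enroll / Autoenroll extended rights. Assumes the ActiveDirectory RSAT module;
# the template display names and CA names below are the question's and may differ.
Import-Module ActiveDirectory

# Template display name -> the single CA that should publish it (from the question)
$Expected = @{
    'Workstation Authentication' = 'CA1'
    'Server Authentication'      = 'CA2'
}

# Well-known AD CS extended-right GUIDs on certificate template objects
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Enrollment Services objects: one per Enterprise CA; certificateTemplates lists template CNs
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates

foreach ($display in $Expected.Keys) {
    # Templates are published by CN, which differs from the display name shown in the MMC
    $tmpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$display))"
    if (-not $tmpl) { Write-Warning "Template '$display' not found"; continue }

    $publishers = @($cas | Where-Object { $_.certificateTemplates -contains $tmpl.Name } |
        Select-Object -ExpandProperty Name)
    $stray = @($publishers | Where-Object { $_ -ne $Expected[$display] })
    if ($stray.Count) { Write-Warning "'$display' is also published on: $($stray -join ', ')" }
    else              { Write-Host "'$display' is published only on $($Expected[$display])" }

    # Who can enroll / autoenroll: explicit right GUID, or an all-extended-rights ACE (empty GUID)
    $acl = Get-Acl -Path "AD:\$($tmpl.DistinguishedName)"
    foreach ($ace in $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }) {
        $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (-not ($ace.ActiveDirectoryRights -band $extended)) { continue }
        $rights = @()
        if ($ace.ObjectType -eq $EnrollGuid     -or $ace.ObjectType -eq [guid]::Empty) { $rights += 'Enroll' }
        if ($ace.ObjectType -eq $AutoenrollGuid -or $ace.ObjectType -eq [guid]::Empty) { $rights += 'Autoenroll' }
        if ($rights) { Write-Host "  $($ace.IdentityReference): $($rights -join ', ')" }
    }
}
```

Run it from a domain-joined host with read access to the Configuration partition; any template listed as published on a second CA, or any Autoenroll grant to a principal other than the intended group, is a deviation from the layout above.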

Daniel (asker):
Thanks for your reply. Is it possible to tell a client what ADCS server to target for auto-enrollment? I agree that using security groups is preferable, but I disagree with your assessment that my approach is bad practice. Security groups do impose additional work in our current environment. It is normal practice to deploy policies based on OU; my approach falls in line with that.

Answerer:
`Is it possible to tell a client what ADCS server to target for auto-enrollment?` -- no. I've outlined how it should be done according to best practices. `It is normal practice to deploy policies based on OU` -- not for autoenrollment, due to its specifics.