Businesses invest a lot in securing access to company resources, yet they still want a good and simple user experience for the people accessing those resources. Haven't we all struggled to get onto the corporate Wi-Fi that has been secured with certificates? Or struggled with changing the password on every device to get e-mail flowing again after we changed it on our work computer?
All of this can be made easier by provisioning a certificate to the user on the mobile device. Once the certificate is on the device, we can also provision Wi-Fi profiles, VPN profiles and even e-mail profiles for on-premises Exchange, without the user having to provide a password to connect.
You can also provision SCEP certificate profiles, and that option has been available for some time, but the setup and requirements for SCEP are more complex: it requires an NDES server, protected behind a reverse proxy (WAP or Azure Application Proxy), to be up and running in a safe manner. My colleague has written a very long and good post about this here: http://www.scconfigmgr.com/2016/04/12/prepare-your-environment-for-scep-certificate-enrollment-with-microsoft-intune/ and I really recommend that you read it as well, so that you know both methods before you decide what is best for your environment.
In this post I am going to focus only on what is needed to set up the distribution of PFX certificate profiles and the on-premises requirements for it. I am not diving into the setup of the Certificate Authority itself, but I am going to show every step you need to go through, starting from a working Enterprise CA (PKI) environment.
- Active Directory domain: All servers listed in this section need to be joined to your AD domain.
- Certification Authority (CA): An Enterprise Certification Authority (CA) running on an Enterprise edition of Windows Server 2008 R2 or later. I have been using Windows Server 2016 Tech Preview 4 in my lab environment.
- A computer that can communicate with the Certification Authority.
- Microsoft Intune Certificate Connector: You use the Intune admin console to download the Certificate Connector installer (ndesconnectorsetup.exe). Then you run ndesconnectorsetup.exe on the computer that communicates with the Certification Authority.
Step 1: Deploy your Root Certification Authority Certificate from your Enterprise CA
To be able to use certificates on the devices for e-mail, VPN or Wi-Fi you need to do two things. First you have to install a root certificate (or intermediate CA certificate) on each device, so that the device can verify the validity of certificates issued by your CA. You do this by exporting the root certificate from your Enterprise CA, importing it into Intune and then provisioning it to devices by deploying a Trusted Certificate Profile. The Trusted Certificate Profile is available for devices running iOS 7.1 and later, Mac OS X 10.9 and later, Android 4.0 and later, and Windows Phone 8.1 and later. You have to create a separate profile for each platform.
- Export your Root Certification Authority certificate from your Enterprise CA.
  - Log on to the Root Certification Authority server with an administrator account.
  - Open an administrative CMD prompt.
  - To export the Root Certification Authority certificate to a new file named "ca_name.cer", type "certutil -ca.cert ca_name.cer".
- Create and deploy the Trusted Root Certificate Profile to every platform you need.
  - Log on to the Intune console and create a new Configuration Policy.
  - Choose the platform and the Trusted Certificate Profile.
  - Give the policy a name and import the .cer file from your export.
  - Deploy the certificate to the group of users that will use certificate authentication.
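The export step above, wrapped so that the file is sanity-checked before it is uploaded to Intune. This is an added example and not part of the original post: it runs the same certutil verb the post uses on the CA server, then loads the result and confirms it is a CA certificate that carries no private key. The default output path is an assumption.

```powershell
# Added example (not from the original post): export the CA certificate with
# "certutil -ca.cert" and verify what was written before it goes to Intune.
param(
    [string]$OutFile = (Join-Path $PWD 'ca_name.cer')   # same file name as in the post; path is an assumption
)

# Run in an elevated session on the CA server. certutil writes the CA certificate DER-encoded.
$null = & certutil.exe -ca.cert $OutFile
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile

# A root CA certificate is self-signed; Subject -ne Issuer means you exported an intermediate,
# which the post says is also acceptable for the Trusted Certificate Profile.
$isSelfSigned = $cert.Subject -eq $cert.Issuer

# The Basic Constraints extension must mark it as a CA, or devices will not trust what it issued.
$basicConstraints = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$isCa = [bool]($basicConstraints -and $basicConstraints.CertificateAuthority)

[pscustomobject]@{
    File          = $OutFile
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint        # compare with what Intune shows after import
    SelfSigned    = $isSelfSigned
    IsCA          = $isCa
    NotAfter      = $cert.NotAfter
    DaysLeft      = ($cert.NotAfter - (Get-Date)).Days
    HasPrivateKey = $cert.HasPrivateKey     # must be $false: only the public certificate goes to devices
}

if (-not $isCa) { Write-Warning 'Exported certificate is not a CA certificate; check which CA you ran this on.' }
if ($cert.HasPrivateKey) { Write-Warning 'File contains a private key and must not be uploaded to Intune.' }
```

Keep the thumbprint it prints; it is the quickest way to confirm that the certificate you see in the Intune profile is the one you exported.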
Step 2: Configure Rights and Certificate Templates on the certification authority
The easiest and quickest way to create a certificate template for use with Intune is to make a copy of the standard User template on your Enterprise CA. There are some important changes you need to make, though, for this to work. Let us start by opening the CA console and duplicating the built-in User certificate template.
- Right-click on Certificate Templates and click Manage.
- Locate the User certificate template, right-click it and choose Duplicate Template.
- This brings you into the new duplicated template, which we need to configure to meet our needs.
- On the Compatibility tab, choose at least Windows Server 2008 R2 for the Certification Authority option.
- On the General tab, choose your display name. Note that the actual template name will be the same name but without any spaces; we will need the actual template name later on.
- On the Request Handling tab, you need to allow the private key to be exported. That is the nature of a PFX file: it contains both the public and the private key in the same file, so exporting must be allowed for this to work.
- On the Cryptography tab, make sure the minimum key size is set to 2048.
- On the Subject Name tab, we must choose Supply in the request. You can ignore the security warning here, because the Intune Certificate Connector's policy module controls what is actually issued; this only holds as long as Enroll on the template is restricted to the connector's computer account, which is what the Security tab below does.
- On the Extensions tab, make sure Client Authentication is included as an Application Policy.
- Under Key Usage it is important, for this to work with iOS, that "Signature is proof of origin" is unchecked.
- Finally, under Security, add the computer account of the server that will run the Certificate Connector and give it Read and Enroll permissions on this template. Click OK when you are done.
We have now created the template itself that we will use for the certificate profile in Intune. We just need to make sure that the CA can issue certificates with this template. To do that we go back to the Certification Authority console.
- Right-click on the Certificate Templates line and choose New -> Certificate Template to Issue. Choose the template you just created; it should then show on the right side of the console as an active template in your CA.
The final step before we leave the CA server is to also give some rights to the connector server on the CA itself, so that the machine running the Intune Connector can request and manage certificates on behalf of the Intune-enrolled devices and users.
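The template settings listed above can be checked against what Active Directory actually holds, since templates are stored in the configuration partition. The script below is an added example, not from the original post: it reads the template by its name without spaces, tests each setting the post asks for using the documented flag values from MS-CRTD, and lists every identity holding the Enroll right. The template name "IntuneUserPfx" and the computer name "INTUNECONNECTOR$" are placeholders.

```powershell
# Added example (not from the original post): verify a duplicated template against
# the Step 2 settings by reading it from AD. Names below are placeholders.
param(
    [string]$TemplateName      = 'IntuneUserPfx',      # the template name WITHOUT spaces
    [string]$ConnectorComputer = 'INTUNECONNECTOR$'    # sAMAccountName of the connector server
)

$cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tpl   = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
try { $tpl.RefreshCache() } catch { throw "Template '$TemplateName' not found; use the name without spaces" }

# Flag values as documented in MS-CRTD
$CT_FLAG_EXPORTABLE_KEY            = 0x10       # msPKI-Private-Key-Flag: "Allow private key to be exported"
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1        # msPKI-Certificate-Name-Flag: "Supply in the request"
$OID_CLIENT_AUTH                   = '1.3.6.1.5.5.7.3.2'
$KU_NON_REPUDIATION                = 0x40       # pKIKeyUsage[0]: "Signature is proof of origin"
$ENROLL_RIGHT_GUID                 = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment

$privKeyFlags = [int]$tpl.Properties['msPKI-Private-Key-Flag'].Value
$nameFlags    = [int]$tpl.Properties['msPKI-Certificate-Name-Flag'].Value
$minKeySize   = [int]$tpl.Properties['msPKI-Minimal-Key-Size'].Value
$ekus         = @($tpl.Properties['pKIExtendedKeyUsage'])
$keyUsage     = [byte[]]$tpl.Properties['pKIKeyUsage'].Value

# Identities explicitly granted the Enroll extended right (accounts with Full Control are not listed here).
$enrollers = $tpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $ENROLL_RIGHT_GUID -and
        (([int]$_.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

$checks = [ordered]@{
    'Private key exportable (Request Handling)'    = ($privKeyFlags -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
    'Minimum key size >= 2048 (Cryptography)'      = $minKeySize -ge 2048
    'Subject supplied in request (Subject Name)'   = ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    'Client Authentication EKU (Extensions)'       = $ekus -contains $OID_CLIENT_AUTH
    'Proof of origin unchecked (Key Usage, iOS)'   = ($keyUsage[0] -band $KU_NON_REPUDIATION) -eq 0
    'Connector computer holds Enroll (Security)'   = [bool]($enrollers | Where-Object { $_ -like "*\$ConnectorComputer" })
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key
}

# With the subject supplied in the request, the Enroll right is what limits who can obtain a
# client-authentication certificate for any user, so review every holder, not just the connector.
'Identities with Enroll on this template:'
$enrollers
```

Run it from a domain-joined machine as a user allowed to read the configuration partition. The last list is the one to look at closely: on a template that supplies the subject in the request and carries Client Authentication, it should contain the connector's computer account and nothing unexpected.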
Step 2 – Enable, install and configure the Intune Certificate Connector
We have now done the necessary setup on our CA and are ready to install the Certificate Connector. It must be installed on the computer we gave rights to in the previous section. So now we can leave the CA server and log on to the server we are installing the connector on.
First we need to log in to the Intune console at https://manage.microsoft.com and go to the Admin workspace. From there we go to Mobile Device Management and select Certificate Connector. Click Configure On-Premises Certificate Connector, tick the checkbox Enable Certificate Connector and click OK.
Next, click Download Certificate Connector and save ndesconnectorsetup.exe locally on the server you are installing it on. The installation is pretty straightforward; the only decision is whether you want to use the computer account (the default) or set up and manage a service account.
Step 3 – Create the certificate profiles in Intune (Showing iOS and Android in this post)
It is pretty straightforward from here. Just make sure you type the certificate template name exactly as it appears on the CA (the name without spaces from Step 2).
On Android you have a couple more choices to make than on iOS.
Step 4 – Check status and where to look for logs and errors
There are a few places to check whether this is working. On the connector server you have the Microsoft Intune folder under Program Files. It holds both the installation and the logs:
Under the PfxRequest folder you will find three new folders that contain the request files. Here you can see that your requests from Intune go through the Processing folder to the Succeed folder. If you have anything in the Failed folder you should check your logs under C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs.
I recommend that you download and install Microsoft Service Trace Viewer, which is part of the Windows SDK for Windows Server 2008 and .NET Framework 3.5.
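A small health check over the PfxRequest folders and the log directory described above, so that a stuck or failing connector is noticed before users report missing profiles. This is an added example, not from the original post. The exact location of the PfxRequest folder under the Microsoft Intune directory is an assumption and should be adjusted; the log path is the one given in the post.

```powershell
# Added example (not from the original post): summarise the connector's request
# queue folders and point at the newest log. $PfxRequestRoot is an assumption.
param(
    [string]$PfxRequestRoot    = 'C:\Program Files\Microsoft Intune\PfxRequest',
    [string]$LogRoot           = 'C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs',
    [int]   $StuckAfterMinutes = 30    # a request still in Processing after this long deserves a look
)

$now = Get-Date
$summary = foreach ($folder in 'Processing', 'Succeed', 'Failed') {
    $path  = Join-Path $PfxRequestRoot $folder
    $files = @(Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue)
    $stuck = 0
    if ($folder -eq 'Processing') {
        # Requests normally pass through Processing quickly; old ones mean the connector is not finishing them.
        $stuck = @($files | Where-Object { ($now - $_.LastWriteTime).TotalMinutes -gt $StuckAfterMinutes }).Count
    }
    [pscustomobject]@{
        Folder = $folder
        Count  = $files.Count
        Newest = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
        Stuck  = $stuck
    }
}
$summary | Format-Table -AutoSize

# Anything in Failed is a request the connector did not complete; list the newest ones so they
# can be matched by time against the service log.
$failed = Get-ChildItem -Path (Join-Path $PfxRequestRoot 'Failed') -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 5 Name, LastWriteTime
if ($failed) { 'Most recent failed requests:'; $failed | Format-Table -AutoSize }

# The most recently written log file is where to start reading (open it with Service Trace Viewer).
$latestLog = Get-ChildItem -Path $LogRoot -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latestLog) { "Newest connector log: $($latestLog.FullName) (written $($latestLog.LastWriteTime))" }
else            { Write-Warning "No log files found under $LogRoot" }
```

Run it on the connector server after deploying a test profile; a growing Failed count or a non-zero Stuck value is the signal to open the newest log in Service Trace Viewer.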