Enabling PKI Enrollment with Centrify User Suite

With Centrify User Suite you can enable mobile devices to request a certificate for PKI authentication to WiFi networks and/or Exchange ActiveSync. The certificates are requested from the existing CA attached to your Active Directory and can be used on both iOS and (supported) Android devices.

Why should organizations use PKI-based authentication?

Using certificates for authentication is much more secure than the standard username-and-password scheme. Users must have the proper certificate installed on the device in order to access corporate services such as WiFi and Exchange ActiveSync. These certificates are stored in protected keyrings on the device and, in many cases, in hardware-backed storage that resists tampering with or removing the certificates without proper approval. Another advantage of using certificates is that the user no longer needs to remember and enter a password to access corporate services that require PKI-based authentication. Better security, and a better user experience.

Using Centrify User Suite with Microsoft Certificate Services

Set up the CA server for auto-enrollment

The following steps assume you have a working Certificate Services role/service within your domain. If you do not, follow the article on setting up a CA: http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx

This document describes creating two certificates for use in device enrollment: a User certificate for Exchange/S/MIME use, and a Computer certificate for device authentication to WiFi networks.

Configuration

Active Directory configuration

1. In the Group Policy Management snap-in, right-click Default Domain Policy and select Edit to open the Group Policy Management Editor.
2. In the Group Policy Management Editor, go to the User Configuration container and expand Policies, then Windows Settings, then Security Settings.
3. Select Public Key Policies.
4. In the right pane, double-click Certificate Services Client - Certificate Enrollment.
5. Change the policy to Enabled. Keep the other settings at their defaults and click OK to save.
6. Repeat the same steps under the Computer Configuration policy.

Windows Server CA configuration

1. In the Certification Authority snap-in, right-click Certificate Templates and select Manage.
2. In the Certificate Templates Console snap-in, right-click the User template and select Duplicate Template.
3. Choose Windows Server 2003 Enterprise and click OK.
4. On the General tab, set both Template display name and Template name to User-ClientAuth.
5. On the Security tab, make sure Domain Users has the Enroll permission set.
6. On the Subject Name tab, select the Supply in the request radio button.
7. Duplicate the Computer certificate template, name it Computer-ClientAuth, and apply the same settings as above.
8. Back in the Certification Authority snap-in, select Certificate Templates, then right-click and select New > Certificate Template to Issue.
9. Select the newly created User-ClientAuth template and click OK.
10. Do the same for the Computer-ClientAuth template.

Centrify Cloud Proxy configuration

1. Open the Centrify Cloud Proxy Configuration tool and select the Mobile Settings tab.
2. Make sure the appropriate CA, as configured above, is selected.

User and Computer certificates are now configured for deployment to mobile devices and can be used in further policies involving Microsoft ActiveSync and/or WiFi profiles. If a policy is created that requires the use of certificates, the devices will automatically request and enroll for certificates. You can then go back to the Certification Authority tool and confirm that certificates are being generated for mobile devices under Issued Certificates. See the Centrify documentation for configuration guides on PKI authentication for ActiveSync and WiFi.
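The following PowerShell script is an added post-configuration check, not code from this guide, from Centrify or from Microsoft. Run in an elevated PowerShell session on the issuing CA, it confirms the points the steps above care about: that the two templates are published by the CA (the "Certificate Template to Issue" step), that the subject name is supplied in the request, which principals hold the Enroll permission, and which certificates the CA has actually issued from each template (the same rows the Issued Certificates folder shows). It assumes the template names User-ClientAuth and Computer-ClientAuth from this guide, the RSAT ActiveDirectory module (for the AD: drive) and certutil.exe; the function names are my own. The Enroll right GUID and the msPKI attribute names are the documented Active Directory values.

```powershell
# Added example (not Centrify's or Microsoft's code): verifies the certificate
# template and CA configuration described in the guide. Run elevated on the
# issuing CA. Assumes the guide's template names, the RSAT ActiveDirectory
# module and certutil.exe.

Import-Module ActiveDirectory

$TemplateNames   = @('User-ClientAuth', 'Computer-ClientAuth')   # names used in this guide
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$ExtendedRight   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll      = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ConfigNC        = (Get-ADRootDSE).configurationNamingContext
$TemplateBase    = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# Reads the template object from AD: its OID (what the CA database records for a
# Windows Server 2003 / version 2 template) and the subject-name flag, so the
# "Supply in the request" choice from the Subject Name tab can be confirmed.
function Get-TemplateInfo {
    param([Parameter(Mandatory)][string]$Name)
    $obj = Get-ADObject -Identity "CN=$Name,$TemplateBase" `
                        -Properties 'msPKI-Cert-Template-OID', 'msPKI-Certificate-Name-Flag'
    [pscustomobject]@{
        Name            = $Name
        Oid             = $obj.'msPKI-Cert-Template-OID'
        # bit 0x1 of msPKI-Certificate-Name-Flag is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        SupplyInRequest = [bool]($obj.'msPKI-Certificate-Name-Flag' -band 0x1)
    }
}

# Lists every principal allowed to enroll on the template: an explicit Enroll
# extended right, or full control (GenericAll), which includes it.
function Get-TemplateEnrollPrincipals {
    param([Parameter(Mandatory)][string]$Name)
    $acl = Get-Acl -Path "AD:\CN=$Name,$TemplateBase"
    $acl.Access |
        Where-Object {
            $rights = [int]$_.ActiveDirectoryRights
            $_.AccessControlType -eq 'Allow' -and (
                ((($rights -band $ExtendedRight) -ne 0) -and $_.ObjectType -eq $EnrollRightGuid) -or
                ((($rights -band $GenericAll) -eq $GenericAll) -and $_.ObjectType -eq [guid]::Empty)
            )
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

# True when the local CA advertises the template, i.e. the
# "New > Certificate Template to Issue" step was completed for it.
function Test-TemplatePublished {
    param([Parameter(Mandatory)][string]$Name)
    $lines = & certutil.exe -CATemplates 2>$null
    return [bool]($lines | Where-Object { $_ -match ('^\s*' + [regex]::Escape($Name) + ':') })
}

# Pulls issued rows (Disposition 20) for the template from the CA database;
# the template is matched by OID because that is what the database stores.
function Get-IssuedCertificates {
    param([Parameter(Mandatory)][string]$TemplateOid)
    & certutil.exe -view -restrict "CertificateTemplate=$TemplateOid,Disposition=20" `
                   -out 'RequestID,RequesterName,CommonName,NotAfter' 2>$null
}

foreach ($name in $TemplateNames) {
    $info = Get-TemplateInfo -Name $name
    Write-Host ""
    Write-Host "== $name ($($info.Oid))"
    Write-Host ("Published by CA:       {0}" -f (Test-TemplatePublished -Name $name))
    Write-Host ("Supply in the request: {0}" -f $info.SupplyInRequest)
    Write-Host ("Allowed to enroll:     {0}" -f ((Get-TemplateEnrollPrincipals -Name $name) -join ', '))
    # Review the two lines above together: who may enroll, combined with whether the
    # requester chooses the subject, determines who can obtain a certificate for which name.
    Write-Host "Issued certificates:"
    Get-IssuedCertificates -TemplateOid $info.Oid
}
```

Run the script once after finishing the Certification Authority steps, before any mobile policy is pushed, to confirm both templates show as published with the expected enrollment principals; run it again after the first devices enroll, when the issued-certificate listing should start showing rows for each template.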