Active Directory configuration

Publishing trust chain

This section details how to publish the trust chain within Active Directory. If several WinHorizon servers are installed, the procedure detailed in this section must only be executed once. If the trust chain is already published, this procedure does not need to be performed.

1. Launch ‘cmd.exe’ using the privileged account (using the ‘RunAs’ command);

2. Execute the following command to add the Root CA:

certutil -f -dspublish "C:\<PATH_TO_ROOT_CA_CERTIFICATE>" rootca

3. Execute the following command to add the Subordinate CA:

certutil -f -dspublish "C:\<PATH_TO_SUBORDINATE_CA_CERTIFICATE>" subca

4. Execute the following command to push new Active Directory schema:

certutil -pulse

Microsoft Certificate Template creation

Create or update the Microsoft Certificate Templates using the privileged account and the Certificate Templates snap-in (through MMC).

EverTrust advises duplicating existing Microsoft Certificate Templates in order to create the new ones consumed by WinHorizon:

  • Duplicate the Kerberos Authentication template if you want to issue Domain Controller certificates (compliant with Kerberos requirements);

  • Duplicate the Workstation Authentication template if you want to issue machine certificates (workstations, servers);

  • Duplicate the Smartcard Logon template if you want to issue user authentication certificates.

Please ensure that template ACLs are properly configured. WinHorizon requires each template it manages to grant at least the Read permission to the Authenticated Users group. Moreover, EverTrust recommends creating AD local groups and granting them Read/Enroll/Autoenroll rights on the appropriate Microsoft Certificate Template. Adding assets to such a group then automatically grants them the proper permissions on the template.

Enabling Auto Enrollment through a GPO

On Windows hosts, Auto Enrollment is enabled through GPO settings. These settings can be added to an existing GPO, or a dedicated GPO can be created for this purpose. This GPO must be linked within the Active Directory forest so that the objects (Domain Controllers, Computers, Servers, Users) targeted by auto enrollment receive it.

1. Launch the Group Policy Management console;

2. Edit or create a GPO for Auto Enrollment;

3. Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies;

4. Edit the Certificate Services Client – Auto-Enrollment settings;

5. Specify the following settings:

  • Configuration Model: Enabled;

  • Check Renew expired certificates, update pending certificates, and remove revoked certificates;

  • Check Update certificates that use certificate templates;

  • Leave the other settings with default value.

Then hit the OK button.

6. Ensure that this GPO is linked to an OU targeting the machines where auto enrollment must be enabled.

Regarding specific AD attributes

All of the AD attributes that map to an attribute supported by RFC 5280 are natively supported by WinHorizon. Moreover, the following attributes can be consumed and re-mapped through the Horizon CSR data mapping feature:

  • company

  • department

  • displayName

  • employeeNumber

  • employeeId

  • samAccountName

  • title

If you plan on using these attributes' values in your certificates through WinHorizon, it is important to note that WinHorizon fetches the attributes' values from the Global Catalog component of the AD and not from the domain LDAP partition. This means that if you edit these attributes through "Active Directory Users and Groups" or through ADSI Edit in LDAP mode, the values of the aforementioned attributes will have to be manually replicated to the Global Catalog using the following steps:

  1. Ensure that you have an account with Enterprise Admin and Schema Admin permissions in the AD;

  2. Start the MMC with the aforementioned permissions and load the "Active Directory Schema" snap-in;

  3. In the "Attributes" folder, search for the attribute that you plan on using through WinHorizon (ex. employeeNumber) then right click and open its Properties;

  4. Check the Replicate this attribute to the Global Catalog box then click Apply;

  5. Open a cmd prompt with Enterprise Admin permissions then run the following command: repadmin /syncall

The userPrincipalName (UPN), objectGUID (GUID) and securityID (SID) are retrieved as expected by WinHorizon without having to do these extra steps.
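The following PowerShell script is an added check, not part of the WinHorizon documentation: it verifies that one of the attributes listed above is marked for Global Catalog replication (the schema flag behind "Replicate this attribute to the Global Catalog") and compares the value returned by a Global Catalog query (port 3268) with the value held in the domain LDAP partition, so that a mismatch is caught before WinHorizon issues a certificate with a stale or empty value. It assumes the ActiveDirectory PowerShell module is installed; the attribute name and user account are placeholders to adapt.

```powershell
# Added example (not WinHorizon's own code). Requires the ActiveDirectory module
# (RSAT). Placeholders: the attribute to check and a user to compare.
Import-Module ActiveDirectory

$Attribute      = 'employeeNumber'   # one of the attributes listed above (placeholder)
$SamAccountName = 'jdoe'             # placeholder user to compare LDAP vs GC values

# Pick a domain controller that also hosts a Global Catalog.
$Dc = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName

# 1. Schema check: "Replicate this attribute to the Global Catalog" sets
#    isMemberOfPartialAttributeSet = TRUE on the attributeSchema object.
$schemaNC   = (Get-ADRootDSE -Server $Dc).schemaNamingContext
$attrSchema = Get-ADObject -Server $Dc -SearchBase $schemaNC `
    -LDAPFilter "(lDAPDisplayName=$Attribute)" -Properties isMemberOfPartialAttributeSet
if (-not $attrSchema) { throw "Attribute '$Attribute' not found in the schema." }
$inGC = [bool]$attrSchema.isMemberOfPartialAttributeSet
Write-Host ("{0}: isMemberOfPartialAttributeSet = {1}" -f $Attribute, $inGC)

# 2. Value check: query the same user through LDAP (389) and through the GC (3268).
#    WinHorizon reads the GC, so the GC value is the one that ends up in the CSR.
$ldapValue = (Get-ADUser -Identity $SamAccountName -Server $Dc -Properties $Attribute).$Attribute
$gcValue   = (Get-ADUser -Identity $SamAccountName -Server "$($Dc):3268" -Properties $Attribute).$Attribute
Write-Host "LDAP value : $ldapValue"
Write-Host "GC value   : $gcValue"

if (-not $inGC) {
    Write-Warning ("{0} is not replicated to the Global Catalog; WinHorizon will not see it. " +
                   "Enable replication in the Active Directory Schema snap-in, then run 'repadmin /syncall'.") -f $Attribute
} elseif ($ldapValue -ne $gcValue) {
    Write-Warning "GC and LDAP values differ for $SamAccountName; GC replication is pending. Run 'repadmin /syncall' and re-check."
} else {
    Write-Host "OK: $Attribute is replicated to the GC and consistent with the LDAP value."
}
```

Run it once after completing the steps above and again after `repadmin /syncall` has finished; until the GC value matches the LDAP value, certificates issued by WinHorizon would carry the old value.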