0

We have two intermediate Enterprise CAs (Windows AD CS) in our AD domain. Both CAs only have the Certification Authority role enabled.

CA1 is responsible for issuing certificates to workstations and users and has a template Workstation Auth.

CA2 is responsible for issuing certificates to servers and has a template Server Auth.

Auto-Enrollment is enabled on all Workstations and servers in our domain and working.

Problem:

Workstations should only target CA1 for auto-enrollment
and servers should only target CA2 for auto-enrollment.

I want to achieve this using group policies.

I know that I can allow auto-enrollment on a template only for members of security groups, and that would work.

However, I prefer a solution using group policies, because we organise workstations and servers in different OUs. I can target both groups with group policies on OUs. The security group solution would require us to manage two new security groups on top of that.

Is it possible to configure a workstation or server to only auto-enroll from a particular Enterprise CA? I'm open to alternatives, if they can be achieved using group policies.

Daniel
  • 6,940
  • 6
  • 33
  • 64

1 Answers1

1

I'm open to alternatives, if they can be achieved using group policies.

I think you went in wrong direction. The solution is chosen based on a problem, not opposite. Your requirement (GPO only) isn't justified by a problem.

Let's focus on a problem:

  • Workstations should only target CA1 for auto-enrollment
  • and servers should only target CA2 for auto-enrollment

this task is solved by permissions. Put workstations in a security group (let's say "Workstations") and grant Read, Enroll and Autoenroll permissions to "Workstation Authentication" certificate template. Assign this template only to CA1.

Put servers in a security group (let's say "Servers") and grant Read, Enroll and Autoenroll permissions to "Server Authentication" certificate template. Assign this template only to CA2.

Single autoenrollment GPO can be applied to top-level OU or even at domain level. It is a good practice to have autoenrollment GPO applied at domain level and exact autoenrollment settings (who and what templates can use for autoenrollment) are controlled by certificate template permissions and template assignment to corresponding CAs.

Crypt32
  • 6,639
  • 1
  • 15
  • 33
  • Thanks for your reply. Is it possible to tell a client what ADCS server to target for auto-enrollment? I agree, that using security groups if preferrable but I disagree with your assessment, that my approach is bad practice. Security groups do impose additional work in our current environment. It is normal practice to deploy policies based on OU, my approach falls in line with that. – Daniel Jan 12 '22 at 16:09
  • `Is it possible to tell a client what ADCS server to target for auto-enrollment?` -- no. I've outlined how it should be done according to best practices. `It is normal practice to deploy policies based on OU` -- not for autoenrollment due to its specifics. – Crypt32 Jan 12 '22 at 16:16