Issue certificate to IP address in AD CS

Question

We're trying to get a Sophos XG 210 to connect via LDAPS to an Active Directory Domain Services (AD DS) / Domain Controller (DC) server but doing so fails with the following two errors:

Device - AD server connectivity test failed

Connectivity to AD server %privateIPAddress% failed with error hostname does not match CN in peer certificate

I contacted Sophos and their senior technical support:

Verified the certificate configuration (AD CS' root CA certificate installed on the Sophos XG 210 and DC server's certificate installed on itself).
Advised that SFOS 16 (not SFOS 15) can only connect to an DC server via IP address so we'll have to use an IP address-based certificate, rather than a standard, name-based certificate.
Advised that SFOS 16's ability to connect to an DC server via name is being treated as a feature request by their development team and, therefore, has no ETA.

How do we get AD CS to issue a certificate to an IP address?

Update 2017/08/23 17:58:

I have:

Read:
1a. Microsoft's support article How to add a subject alternative name to a secure LDAP certificate
1b. Microsoft's TechNet article How to Request a Certificate With a Custom Subject Alternative Name
1c. Microsoft's blog How To Request Certificate Without Using IIS or Exchange
Created file RequestPolicy.inf with the following contents:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=%DC_Server_FQDN%"

Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "ipaddress=%DC_Server_IP_Address%&"

[RequestAttributes]
CertificateTemplate = WebServer

Executed elevated commands:
3a. certreq -new "%Path%\RequestPolicy.inf" "%Path%\certnew.req"
3b. certreq -submit "%Path%\certnew.req" "%Path%\certnew.cer"
3c. certreq -retrieve %Request_ID% "%Path%\certnew.cer"
3d. certreq -accept "%Path%\certnew.cer"
Found that the AD CS' CA-issued certificate was installed and:
4a. Its field Subject Alternative Name included IP Address=%DC_Server_IP_Address%
4b. Its field Certificate Template Name was WebServer but I think it needs to be DomainController
Reconfigured file RequestPolicy.inf replacing line CertificateTemplate = WebServer with line CertificateTemplate = DomainController
Executed new elevated certreq commands which failed with the following error:

Active Directory Enrollment Policy
{%GUID%}
ldap:
RequestId: %Request_ID%
RequestId: "%Request_ID%"
Certificate not issued (Denied) Denied by Policy Module The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377) Certificate Request Processor: The DNS name is unavailable and cannot be added t o the Subject Alternate name. 0x8009480f (-2146875377)
Denied by Policy Module

Used Certification Authority to reconfigure certificate template Domain Controller Authentication changing Subject Name from Build from this Active Directory information to Supply in the request.

I haven't been able to get past the domain controller template-related errors.

Update 2017/08/25 09:10:

I have:

On the AD CS server, duplicated template Domain Controller as template Domain Controller 2 with Subject Name changed from Build from this Active Directory information to Supply in the request.
On the DC server, executed new elevated certreq commands which failed with the following errors:

Template not found. Do you wish to continue anyway?
DomainController2

Certificate not issued (Denied) Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Ce rtificate Services policy: DomainController2/DomainController2.

The requested certificate template is not supported by this CA. 0x80094800 (-21 46875392)

Certificate Request Processor: The requested certificate template is not supported by this CA. 0x80094800 (-2146875392)

Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: Domai nController2/DomainController2.

On the AD CS server, verified that the template Domain Controller 2's ACLs included allowing read for Authenticated Users.

Update 2017/12/04:

Sophos XG firmware 17.0+ supports the "feature" of connecting LDAPS via DNS, rather than IP address, so I no longer need to do this but I'm going to leave this question open as it still stands.

Have you added the IP address as the Common Name (CN) in the request? — garethTheRed, Aug 22 '17 at 18:30
The error is because template is configured to retrieve the subject from Active Directory. You need to duplicate certificate template and modify it to accept the subject from request. — Crypt32, Aug 24 '17 at 12:50
@Crypt32 But I kind of did that in update 2017/08/23 17:58 | step #7? — mythofechelon, Aug 24 '17 at 12:50
Yes, you changed "Domain Controller Authentication" template, but requesting against "DomainController" template. — Crypt32, Aug 24 '17 at 19:18

Issue certificate to IP address in AD CS

0 Answers0