Configuring Device Manager with Microsoft Certificate Services

May 07, 2015

You can configure Device Manager with Microsoft Certificate Services to generate user certificates for certificate-based authentication with WIFI, VPN, and Exchange ActiveSync profiles. You can also configure Device Manager as a Registration Authority to generate requests and to issue device identity certificates with Microsoft Certificate Services.

In addition, you can configure Device Manager to use external SSL server certificates and digital signature certificates from other PKI-trusted certificate authorities.
Caution: Changing the digital signature certificate or the SSL certificate authority will disable the management of currently enrolled devices and require a re-enrollment across all devices.

Device Manager can make certificate requests to Microsoft Certificate Services through web enrollment to enable certificate-based authentication for WIFI, VPN, and Exchange ActiveSync profiles. Device Manager does this by acting as a client to Microsoft Certificate Services and requesting certificates on behalf of users with enrolled devices. This section describes how to create a Microsoft Certificate Server entity and configure Device Manager to request certificates for users enabling certificate-based authentication.

Prerequisites

  • Microsoft Certificate Services running on Microsoft Windows 2008 Server R2 Standard or Enterprise Edition SP1.
  • Port 443 (default) open from Device Manager to Microsoft Certificate Services server.
  • Microsoft KB 980436 patch needs to be installed on Microsoft Certificate Services server.
  • Microsoft KB 272175 - Guidelines for configuring client certificate authentication mode for IIS 6.
  • Microsoft KB 953461 patch needs to be installed on Microsoft Certificate Services server on Windows 2008 Server Enterprise.
  • Web enrollment for Microsoft Certificate Services needs to be enabled.
  • SSL enabled on Microsoft Internet Information Services (IIS).
  • IIS configured to accept client certificate authentication.
  • The client certificate in .p12 format which is used to authenticate against Microsoft Certificate Services should be copied to the Device Manager server and made accessible.

To enable Web enrollment for Microsoft Certificate Services

  1. In Administrative Tools, click Server Manager.
  2. Under Active Directory Certificate Services, check to see if Certificate Authority Web Enrollment is installed.
  3. Select Add Role Services to install Certificate Authority Web Enrollment, if needed.
  4. Select Certificate Authority Web Enrollment and then click Next.
  5. Click Close or Finish when the installation is complete.

To enable IIS Web services

  1. Go to Administrative Tools and click Server Manager.
  2. Select Server Roles on the left side.
  3. Select the Active Directory Certificate Services role and the Web Server IIS role, and click Install.
  4. Close the Server Manager.

To configure Microsoft Internet Information Services for self-signed or external certificates

  1. Go to Administrative Tools and click Server Manager.
  2. Under Web Server (IIS), under Internet Information Services (IIS), select the server (top-level) node and then click Server Certificates.
  3. Create a self-signed certificate or import an external certificate.

To configure Microsoft Internet Information Services

  1. In Administrative Tools, select Server Manager.
  2. Under Web Server (IIS), under Role Services, verify that Client Certificate Mapping Authentication and IIS Client Certificate Mapping Authentication are installed. If not, install these role services.
  3. In Administrative Tools, click Internet Information Services (IIS) Manager.
  4. In the left-hand pane of the IIS Manager window, select the server running the IIS instance for web enrollment and then click Authentication.
  5. Make sure Active Directory Client Certificate Authentication is Enabled.
  6. Click Sites and then in the right pane, click Bindings.
  7. Add an HTTPS binding if one does not exist.
  8. Go to Web Server (IIS) > Sites > Default Web Site > CertSrv.
  9. Click SSL Settings and then click Accept for Client Certificates.
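The prerequisites and the four IIS procedures above are easy to get partly right (for example, an HTTPS binding with no client-certificate setting on CertSrv), and Device Manager only reports a generic enrollment failure. The following read-only check script is an added example, not part of the original documentation, to run on the Microsoft Certificate Services server after completing those steps. The feature names and IIS configuration paths are the standard Windows Server 2008 R2 ones, the KB numbers are those listed under Prerequisites, and the site name is an assumption (the default site).

```powershell
# Added example (not from the original documentation): verify the web-enrollment
# prerequisites Device Manager depends on. Run in an elevated PowerShell session
# on the CA / IIS server. $SiteName is an assumption; change it if CertSrv lives
# on another site.
Import-Module ServerManager
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$results  = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}
# Get-WebConfigurationProperty returns a plain string for flag properties and a
# ConfigurationAttribute (with .Value) for booleans; normalise both to a string.
function Get-PropValue($Raw) {
    if ($Raw -is [string]) { return $Raw }
    if ($Raw -ne $null -and $Raw.Value -ne $null) { return [string]$Raw.Value }
    return [string]$Raw
}

# Role services: CA Web Enrollment plus both client-certificate mapping features.
foreach ($feature in 'ADCS-Web-Enrollment', 'Web-Client-Auth', 'Web-Cert-Auth') {
    $f = Get-WindowsFeature $feature
    Add-Check "Feature $feature installed" ($f -ne $null -and $f.Installed) "$($f.DisplayName)"
}

# Hotfixes named in the prerequisites (KB953461 applies to Enterprise edition only).
foreach ($kb in 'KB980436', 'KB953461') {
    $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    Add-Check "Hotfix $kb installed" ($hf -ne $null) ''
}

# An HTTPS binding on the site that hosts /certsrv.
$https = Get-WebBinding -Name $SiteName -Protocol https
Add-Check "HTTPS binding on '$SiteName'" ($https -ne $null) "$($https | ForEach-Object { $_.bindingInformation })"

# A server certificate (self-signed or external) bound to port 443.
$ssl = Get-ChildItem IIS:\SslBindings -ErrorAction SilentlyContinue | Where-Object { $_.Port -eq 443 }
Add-Check 'Server certificate bound to port 443' ($ssl -ne $null) "$($ssl | ForEach-Object { $_.Thumbprint })"

# Active Directory Client Certificate Authentication enabled at the server level.
$adClientCert = Get-PropValue (Get-WebConfigurationProperty -PSPath 'IIS:\' `
    -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' -Name enabled)
Add-Check 'AD Client Certificate Authentication enabled' ($adClientCert -eq 'True') $adClientCert

# /CertSrv SSL settings: Require SSL, client certificates set to Accept.
# Accept = SslNegotiateCert; Require would add SslRequireCert.
$flags = Get-PropValue (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\CertSrv" `
    -Filter 'system.webServer/security/access' -Name sslFlags)
$flagList = $flags -split ',\s*'
Add-Check 'CertSrv requires SSL' ($flagList -contains 'Ssl') $flags
Add-Check 'CertSrv accepts client certificates' ($flagList -contains 'SslNegotiateCert') $flags

$results | Format-Table Check, Passed, Detail -AutoSize
```

Port 443 reachability is deliberately not checked here because it has to be tested from the Device Manager side, for example by opening the /certsrv URL from that server. Every check is read-only, so the script can be rerun after each change without side effects.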

To create a certificate template for XenMobile certificate requests

  1. Open an MMC Console with a domain administrator account and then add a Snap-In for Certificate Templates.
  2. Open Certificate Templates.
  3. Right-click the User template and then click Duplicate Template.
  4. Select Windows 2003 Server for the template type and then click OK.
  5. In Template Display Name, enter a display name for the template. Note the actual Template Name (the internal name) because you will need it later in the configuration.
  6. Optionally, select Publish certificate in Active Directory.
  7. Click the Request Handling tab and then specify Signature and Encryption.
  8. Enable or disable Allow private key to be exported.
  9. Select Enroll subject without requiring any user input.
  10. Select Supply in the request.
  11. Click OK on the warning window.
  12. Click the Security tab.
  13. Grant Enroll permissions to a user account that will be making the certificate requests from Device Manager.
  14. Open MMC and add a Snap-In for Certification Authority. Expand the CA server and right-click Certificate Templates.
  15. Make sure that the User template exists within Certificate Templates; otherwise the server will be unable to issue a user certificate.
  16. Click New and then click Certificate Template to Issue. Select the certificate template you created in the preceding steps.

To generate the XenMobile client certificate

You can request a certificate from any system in the domain; however, make sure to log on using domain service account credentials. The domain account must have local administrator rights on the system requesting a certificate from the Certificate Server.
  1. Either Run As a Domain User or initiate a Remote Desktop session to a system using Domain User credentials.
  2. Open a web browser and open the web enrollment page for Microsoft Certificate Services. This page is usually https://server.company.com/certsrv (certsrv is case-sensitive).
  3. Click Request a Certificate.
  4. Click User Certificate and then click Submit.
  5. Click Install the Certificate.

To export the client certificate

The client certificate that you request must be exported as a .p12 or PKCS12 certificate and copied to the Device Manager server.
  1. Export the certificate as a .p12 or PKCS12 certificate from the web browser you used or from the Certificates console on the CA server.
  2. Open an MMC Console and add the Certificates Snap-in.
  3. Right-click the certificate that you requested and then click All Tasks and Export.
  4. In the Certificate Export window, click Next.
  5. Click Yes to export the private key.
  6. Enter a password for the exported certificate. You will need to remember this password.
  7. Enter a file name for the certificate export and then click Next.
    Note: The file name cannot contain spaces.
  8. Click Finish.
  9. Copy the filename.pfx or filename.p12 to the Device Manager server and specify a location.
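Several things can go wrong in the export above without any visible error: the private key is left out, the file name contains a space, or the password is mistyped. The following function is an added example, not part of the original documentation, that verifies the exported file before it is copied to the Device Manager server. It uses only the .NET X509Certificate2 class, which is available on Windows Server 2008 R2; the file path in the usage line is a placeholder.

```powershell
# Added example (not from the original documentation): sanity-check an exported
# client certificate (.pfx / .p12) before copying it to Device Manager.
function Test-ClientPfx {
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$PfxPassword
    )
    $problems = @()

    # The export procedure notes that the file name cannot contain spaces.
    if ((Split-Path $PfxPath -Leaf) -match '\s') { $problems += 'File name contains spaces' }
    if (-not (Test-Path $PfxPath)) {
        return @{ Ok = $false; Problems = @("File not found: $PfxPath") }
    }

    try {
        # The (path, SecureString) constructor keeps the password out of plain strings.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
    } catch {
        return @{ Ok = $false; Problems = @("Cannot open PFX (wrong password or damaged file): $($_.Exception.Message)") }
    }

    # Step 5 of the export procedure: the private key must be in the file.
    if (-not $cert.HasPrivateKey) { $problems += 'Private key was not exported' }

    # The certificate must be within its validity period.
    $now = Get-Date
    if ($cert.NotAfter  -lt $now) { $problems += "Certificate expired on $($cert.NotAfter)" }
    if ($cert.NotBefore -gt $now) { $problems += "Certificate not valid before $($cert.NotBefore)" }

    # IIS maps the certificate to a domain user, so it needs the Client Authentication EKU.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $hasClientAuth = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $clientAuthOid) { $hasClientAuth = $true }
            }
        }
    }
    if (-not $hasClientAuth) { $problems += 'Enhanced Key Usage does not include Client Authentication' }

    return @{
        Ok       = ($problems.Count -eq 0)
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        Problems = $problems
    }
}

# Usage (path is a placeholder; the password is prompted for, never stored in the script).
$pw     = Read-Host 'PFX password' -AsSecureString
$result = Test-ClientPfx -PfxPath 'C:\certs\devicemanager-client.pfx' -PfxPassword $pw
if ($result.Ok) {
    "OK to copy to Device Manager: $($result.Subject), issued by $($result.Issuer), valid until $($result.NotAfter)"
} else {
    'Do not use this file:'
    $result.Problems | ForEach-Object { " - $_" }
}
```

The Issuer line is worth reading as well: it should name the same CA whose certificate you will later upload on the entity's CA Certificates tab.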

To configure a Microsoft certificate server entity

  1. In the Device Manager web console, click Options.
  2. In the Options dialog box, from the left side select PKI > Entities.
  3. Click New > New MsCertSrv entity.
  4. In the Add a MsCertSrv entity dialog box, on the General tab enter the following information:
    1. Entity name. Type a name for your new entity, which you’ll use later on to refer to that entity. Entity names must be unique.
    2. Service root URL. The base URL of your Microsoft CA’s web enrollment service; for example, https://192.168.2.113/certsrv/ (the URL may use plain HTTP or HTTP-over-SSL).
    3. certnew.cer page name. The name of the certnew.cer page, if you have renamed it for some reason. If not, then you can leave this field empty.
    4. certfnsh.asp page name. The name of the certfnsh.asp page, if you have renamed it for some reason. If not, leave this field empty.
    5. Authentication type. Select No authentication, HTTP-Basic Authentication or SSL client certificate authentication. For the latter, you will have to upload the SSL client certificate to the repository (with its private key) and select it here.
  5. Next, select the Templates tab. On this tab, you will need to list the Certificate templates for your Microsoft CA. Note that those must be the internal names, not the display names.
  6. Next, select the Custom HTTP parameters tab. On this tab, you can specify custom parameters that XenMobile should inject in the HTTP request to the Microsoft Web Enrollment interface. This will only be useful if you have customized scripts running on the CA.
  7. Next, select the CA Certificates tab. On this tab, you will be required to inform XenMobile of the signers of the certificates the system will obtain through this entity. When your CA certificate is renewed, all you need to do is update it in the repository and the change is applied to the entity transparently.
  8. Click Create.
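Two details in the template procedure and the Templates tab above are the usual cause of a request that the CA silently refuses: the entity must be given the template's internal name rather than its display name, and the template must both be published on the CA and grant Enroll to the account behind the client certificate. The following script is an added example, not part of the original documentation, that reports all three for one template. It assumes a domain-joined machine with the ActiveDirectory PowerShell module (RSAT) and certutil.exe; the template display name and the request account are placeholders.

```powershell
# Added example (not from the original documentation): look up the internal name
# of a certificate template, confirm the CA publishes it, and list who may enrol.
Import-Module ActiveDirectory

$TemplateDisplayName = 'Device Manager User'   # display name typed in the template wizard (placeholder)
$RequestAccount      = 'CORP\svc-devicemgr'    # account that makes the requests (placeholder)

# Templates are objects in the Configuration partition. Their CN is the internal
# name the entity's Templates tab wants, which can differ from the display name.
$base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
$tpl  = Get-ADObject -SearchBase $base -Properties displayName, nTSecurityDescriptor `
          -Filter "objectClass -eq 'pKICertificateTemplate' -and displayName -eq '$TemplateDisplayName'"
if (-not $tpl) { throw "No certificate template with display name '$TemplateDisplayName'" }
"Display name  : $($tpl.displayName)"
"Internal name : $($tpl.Name)   <-- enter this on the entity's Templates tab"

# The CA must also publish the template (New > Certificate Template to Issue).
# certutil -CATemplates prints one '<InternalName>: <DisplayName> -- ...' line per template.
$published = (certutil -CATemplates 2>$null) -match ('^' + [regex]::Escape($tpl.Name) + ':')
if ($published) { 'Published on CA: yes' }
else { "Published on CA: NO - the CA cannot issue from '$($tpl.Name)' until it is added" }

# Identities granted the Enroll extended right (the Security tab's Enroll permission).
# 0e10c968-... is the well-known GUID of the Certificate-Enrollment extended right.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$enrollers = @($tpl.nTSecurityDescriptor.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollRight } |
    ForEach-Object { $_.IdentityReference.Value })
"Enroll granted to: $($enrollers -join ', ')"
if ($enrollers -notcontains $RequestAccount) {
    Write-Warning "$RequestAccount is not listed directly; it must be a member of one of the groups above."
}
```

The Enroll check lists principals as they appear in the ACL, so a service account that inherits the right through group membership shows up only as that group; the warning is a prompt to confirm the membership, not proof that the account lacks the right.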

To configure a Microsoft certificate services policy

Before you can configure a Microsoft certificate services policy, you need to configure a Microsoft CA credential provider in the Device Manager Options dialog box. Once the Microsoft CA credential provider has been configured, then you can create the policy that references the provider. For instructions, see To create a credential provider using external PKI entities.

  1. Click the Policies tab in the Device Manager console.
  2. On the left-hand pane, under iOS, click Configuration profiles.
  3. Click New Configuration > Profiles and Settings > Credentials.
  4. In the Credential configuration creation dialog box, on the General tab, enter the following information:
    1. Identifier. Type a name for the profile that identifies it uniquely to the user. This name must be unique and not in use by any other profile; if it matches the name of another policy, the first policy will be overwritten.
    2. Display name. Type a name of the profile as it will appear in the Device Manager web console.
    3. Organization. Type your company or organization name.
    4. Description. Type an optional description to describe the policy.
    5. In the Allow Profile Removal section, choose one of the following:
      • Always. Allows the profile to always be removable.
      • Authentication. Requires a password, which you enter here, before the profile can be removed.
      • Never. Prevents the profile from ever being removed.
    6. Select the Automatic Removal Date check box if you want to select a specific date on which to remove the profile.
    7. Select the Duration until removal (in days) check box to specify a period of time after which the profile will automatically be removed.
  5. Next, select the Credential tab, and configure the following settings:
    1. Credential Type. Select Credential Provider.
    2. Credential Provider. Select the Microsoft CA credential provider you previously configured in the Device Manager Options dialog box.
  6. Click Create.

This policy can now be deployed to iOS devices. For information, see Creating Deployment Packages.