Overview: VSatellite Integration with Microsoft AD CS
With the retirement of the VSatellite Worker, integration with Microsoft Active Directory Certificate Services (AD CS) now functions directly via VSatellite. This architectural update eliminates the need for a separate VSatellite Worker and simplifies the connection and authentication process between VSatellite and the AD CS server.
Features and Benefits
- Streamlined architecture: The integration no longer requires a separate VSatellite Worker. By connecting directly from VSatellite to the AD CS server, the overall deployment and ongoing management are simplified.
- Kerberos authentication enabled by default: VSatellite now authenticates directly with AD CS using Kerberos when standard environmental conditions are met. While Kerberos authentication was technically possible with the Worker-based architecture, it required additional, customer-managed configuration on the Worker machine and was therefore rarely implemented in practice.
- Improved security with reduced configuration effort: Kerberos is the recommended authentication method because it provides mutual authentication and stronger encryption than NTLM. The direct integration removes the need for customer-side Worker configuration to achieve these security benefits.
- Built-in resiliency through automatic fallback: If Kerberos authentication cannot be established (for example, due to missing SPNs or an unreachable KDC), the system automatically falls back to NTLM to maintain connectivity, without requiring manual intervention.
- VSatellite High Availability (HA) support: The direct integration now supports VSatellite High Availability configurations when using Microsoft AD CS, enhancing reliability and uptime for certificate operations.
Audience and Use Cases
This integration is intended for system administrators who are configuring and managing certificate issuance workflows between VSatellite and Microsoft AD CS. It applies to scenarios where you are setting up new AD CS connections, including migrating existing configurations that previously relied on the retired VSatellite Worker and required additional machine-side configuration.
Requirements and Compatibility
To successfully utilize the direct integration and enable Kerberos authentication, the following prerequisites and system requirements must be met:
- AD CS Service Port Requirements: Network access that was previously configured for the worker machine must now be applied to the VSatellite machine. The VSatellite machine requires access to ports 135 and 49152–65535 on the AD CS Service.
- Kerberos Authentication Conditions: All three of the following conditions must be met to use Kerberos (otherwise the system falls back to NTLM):
  - The Server address must be an FQDN (e.g., adcs.example.com), not an IP address.
  - The Username must include a domain qualifier, either in UPN format (user@DOMAIN.COM) or down-level format (DOMAIN\user).
  - LDAP connectivity must be available from the VSatellite machine to the Active Directory Domain Controller.
- Domain Controller Port Requirements: The VSatellite machine requires outbound connectivity to the following ports on the Active Directory Domain Controller:
  - Port 636 (TCP): LDAPS for SPN discovery (tried first).
  - Port 389 (TCP): LDAP for SPN discovery (fallback).
  - Port 88 (TCP/UDP): Kerberos KDC for ticket issuance.
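The following pre-flight script, added here as an example and not part of the product or its documentation, checks the Kerberos conditions and port requirements listed above from the VSatellite host before a connection is configured. Hostnames and the service account name are constructed samples; the LDAP-connectivity condition can only be verified by the live port probe, not offline.

```python
"""Pre-flight check for the direct VSatellite -> AD CS integration (added example)."""
import ipaddress
import re
import socket

# Ports taken from the requirements above. 49152-65535 on AD CS is a dynamic RPC range,
# so only the endpoint mapper (135) is probed; the DC ports are listed with their roles.
ADCS_PORTS = [135]
DC_PORTS = {636: "LDAPS for SPN discovery (tried first)",
            389: "LDAP for SPN discovery (fallback)",
            88: "Kerberos KDC for ticket issuance"}

UPN_RE = re.compile(r"^[^@\\\s]+@[^@\\\s]+\.[^@\\\s]+$")   # user@DOMAIN.COM
DOWNLEVEL_RE = re.compile(r"^[^@\\\s]+\\[^@\\\s]+$")       # DOMAIN\user


def is_fqdn(server: str) -> bool:
    """True only for a dotted hostname; an IP literal or bare name means NTLM fallback."""
    try:
        ipaddress.ip_address(server)
        return False
    except ValueError:
        return "." in server.strip(".") and " " not in server


def is_domain_qualified(username: str) -> bool:
    return bool(UPN_RE.match(username) or DOWNLEVEL_RE.match(username))


def kerberos_blockers(server: str, username: str) -> list[str]:
    """Return the documented conditions that are NOT met; an empty list means Kerberos can be attempted."""
    problems = []
    if not is_fqdn(server):
        problems.append("server address is not an FQDN (IP literal or bare name)")
    if not is_domain_qualified(username):
        problems.append("username lacks a domain qualifier (use UPN or DOMAIN\\user)")
    return problems


def probe_ports(host: str, ports, timeout: float = 2.0) -> dict[int, bool]:
    """TCP reachability of each port from this machine (run on the VSatellite host)."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


if __name__ == "__main__":
    # Constructed sample inputs; replace with your AD CS server and service account.
    for server, user in [("adcs.example.com", "svc-venafi@EXAMPLE.COM"), ("10.0.0.5", "svc-venafi")]:
        blockers = kerberos_blockers(server, user)
        print(server, user, "-> Kerberos" if not blockers else f"-> NTLM fallback: {blockers}")
```

Run `probe_ports("dc.example.com", DC_PORTS)` and `probe_ports("adcs.example.com", ADCS_PORTS)` from the VSatellite machine to confirm the firewall rules before testing the connection; a False on 636 and 389 means SPN discovery will fail and NTLM fallback is expected.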
What's Next
The topics in this section describe how to set up and configure the AD CS integration with Certificate Manager - SaaS.
Before you begin, ensure that you have a Linux server available for VSatellite. For details, see the system requirements.
Your AD CS service must also meet specific configuration requirements. For details, see Setting up Microsoft AD CS.
After the server is in place and AD CS is configured, follow the remaining setup steps described in Issuing certificates with Microsoft AD CS.