Skip to content

Setting Microsoft AD CS permissions

TLS Protect Cloud can manage certificates issued by Microsoft Active Directory Service (AD CS) if you configure AD CS to connect to TLS Protect Cloud.

When setting up AD CS with TLS Protect Cloud, it is essential to use the appropriate Service Account or User Account with the necessary permissions to ensure a smooth and secure connection.

This topic walks you through how to set up your Microsoft AD CS account so that it can integrate with TLS Protect Cloud. Go through these steps prior to setting up the AD CS certificate authority in TLS Protect Cloud.

Service Account Requirements

To connect Microsoft AD CS to TLS Protect Cloud, you must use a Service Account with the following permissions:

  • Read - Necessary for the Service Account to access CA configuration and certificate information, ensuring it can perform its duties correctly.

  • Log on as a service - Required because the certificate service (VSatellite Worker, which is the bridge that allows VSatellite to interact with AD CS) runs as a background service. Without this right, the Service Account cannot start the service, leading to failures in certificate issuance and management.

  • Issue and Manage Certificates - Allows the Service Account to issue, revoke, and manage certificates, which is essential for maintaining the CA and its operations.

  • Request Certificates - Allows the Service Account to request new certificates, a fundamental function in certificate management.

Set AD CS permissions

Following these steps will allow TLS Protect Cloud to enroll certificates for any template that does not require a signature and to which its group has been given Enroll permissions.

  1. Create an Active Directory group.

  2. Create an Active Directory user account to use when enrolling with Microsoft AD CS.

    About the term user account

    In this context, a user account is synonymous with service account. In Windows, a service account is just a user account that represents an application rather than a person.

  3. Add this user to the group you created.

  4. Using the Certification Authority MMC snap-in, right-click on the CA name and select Properties. On the Security tab, add the group and grant it Read, Log on as a service, Issue and Manage Certificates and Request Certificates permissions.

    Adding MMC snap-ins

    If you're not familiar with using MMC snap-ins, see Adding an MMC Snap-in below.

  5. Using the Certificate Templates MMC snap-in, right-click on a template that TLS Protect Cloud will enroll and select Properties. On the Security tab, grant the group Read and Enroll permissions. Repeat this step for all templates that this group will enroll.

  6. Create a Microsoft AD CS Certificate Authority in TLS Protect Cloud. TLS Protect Cloud will automatically test that the used group can enroll certificates for the specified templates.

What's Next

You're now ready to set up an AD CS certificate authority in TLS Protect Cloud. Have the following AD CS information ready before you begin:

  • IP or hostname of your Microsoft AD CS server
  • Username and password for the AD CS account you set up in these steps

  • Microsoft AD CS Issuing Certificate Common Name

    Where can I find the Common Name?

    There are two ways to obtain the Common Name of the Issuing Certificate:

    • Open the Issuing Certificate, go to the Details Tab and check the CN value for Issuer.

    • From the Certification Authority MMC snap-in, expand the root node, and the name of the CA itself is the CN of the Issuing Certificate. In the example below, the CN is VaasQATestCA.

      Screenshot showing where to find the CN in the MMC

Adding an MMC Snap-in

If you're unfamiliar with how view the MMC snap-ins referenced in the steps above, follow these steps.

  1. On your Windows server, select Run from the Start menu, and then enter mmc. The MMC opens.

  2. From the File menu, select Add/Remove Snap-in. The Add or Remove Snap-ins window opens.

  3. From the Available snap-ins list on the left, select the snap-in that you want to add, and then click Add.

  4. For the Certificate Authority MMC snap-in, select the computer you want the snap-in to manage. If you're performing these steps from your AD CS server, click Local Computer. Otherwise, select Another Computer and specify your AD CS server.

  5. Click Finish, and then click OK.