Auto-Enrollment Connector overview
The Auto-Enrollment Connector (AEC) integrates Zero Touch PKI with Microsoft Active Directory. After you configure AEC, it runs as a Windows service and appears to Active Directory as a Microsoft Enterprise CA, forwarding certificate requests to Zero Touch PKI to issue certificates to users, computers, and domain controllers.
To integrate AEC, install it on a Windows server and connect it to Zero Touch PKI through an API endpoint. Then register AEC in Active Directory and map Active Directory certificate templates to Zero Touch PKI issuance policies.
AEC and MS-WCCE
AEC uses the Windows Client Certificate Enrollment Protocol (MS-WCCE), which defines Distributed Component Object Model (DCOM) interfaces that enable AEC to function as an enterprise CA in a Windows domain and issue, renew, and manage X.509 certificates.
Installation best practices
Do not install AEC on a server with Active Directory Certificate Services (ADCS) or any other MS-WCCE interface product installed. Co-installation prevents both services from functioning correctly and may require rebuilding the server to restore normal operation.
Do not install AEC on domain controllers in Production environments.
Before you begin
Before you install AEC, make sure your system meets the following prerequisites, and that you've completed all pre-installation tasks.
System requirements
- 1 core CPU
- 64-bit architecture
- 4 GB RAM
- 20 GB disk space
- Preferred operating systems:
  - Microsoft Windows Server 2022 (Desktop Experience)
  - Microsoft Windows Server 2019 (Desktop Experience)
  - Microsoft Windows Server 2016 (Desktop Experience)
- Microsoft .NET Framework Runtime 4.7.2 or later. Download the latest version from Microsoft.
- A server joined to an Active Directory domain. If using multiple domains or forests, two-way trust relationships must be in place.
Account permissions
To install and configure AEC, you need the following account permissions:
- Local Administrator: Required to install and restart AEC.
  Check Local Administrator status: In PowerShell, run the following command. It returns `True` if the current session holds the Administrator role, that is, you are a member of the local Administrators group and the PowerShell session is elevated:
  ```powershell
  ([Security.Principal.WindowsPrincipal]([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
  ```
  If the command fails, check this status in Local Users and Groups instead. With UAC enabled, a member of Administrators running a non-elevated session gets `False`, so start PowerShell as administrator before checking.
- Domain Administrator: Required to configure Enrollment Services, Active Directory certificate template mappings, and the Zero Touch PKI CA in the Windows Server NTAuth store.
  Check Domain Administrator status: In PowerShell, run the following commands. They print `User is a Domain Admin` if the Domain Admins group appears in your current token:
  ```powershell
  $UserGroups = (whoami /groups | Select-String "Domain Admins").Line
  if ($UserGroups) { "User is a Domain Admin" } else { "User is not a Domain Admin" }
  ```
  If the command fails, check this status in Active Directory Users and Computers.
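The checks above match on display names, which differ on localized servers and on domains where Domain Admins has been renamed, and the `IsInRole` test cannot distinguish "not a member" from "member, but not elevated". The following script is an added example, not part of the CyberArk/Venafi documentation: it reads the token's groups as SIDs (the local Administrators group is always `S-1-5-32-544`, Domain Admins is always RID 512 under the domain SID) and reports elevation separately. Function names are our own.

```powershell
# Added example (not part of the AEC documentation): SID-based pre-install permission check.
# Run on the server that will host AEC, in the account you intend to install with.

function Get-TokenGroupSids {
    # whoami emits the current token's groups as CSV ("Group Name","Type","SID","Attributes").
    # The SID column is stable across locales and renames; deny-only groups are listed too,
    # so a non-elevated Administrators member is still detected as a member.
    (whoami /groups /fo csv | ConvertFrom-Csv) | ForEach-Object { $_.SID }
}

function Get-DomainAdminsSid {
    # Domain Admins is the well-known RID 512 of the joined domain's SID.
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $sidBytes = $domain.GetDirectoryEntry().Properties['objectSid'].Value
    $domainSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $domainSid)
}

function Test-AecInstallerPermissions {
    $sids           = Get-TokenGroupSids
    $localAdminSid  = 'S-1-5-32-544'
    $domainAdminSid = (Get-DomainAdminsSid).Value

    # IsInRole reflects only the *enabled* groups in the current token, so it is False in a
    # non-elevated session even when the account is in Administrators.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User                = $identity.Name
        LocalAdministrators = ($sids -contains $localAdminSid)
        Elevated            = $elevated
        DomainAdmins        = ($sids -contains $domainAdminSid)
        DomainAdminsSid     = $domainAdminSid
    }
}

$result = Test-AecInstallerPermissions
$result | Format-List

if (-not $result.LocalAdministrators) {
    Write-Warning 'Not a member of the local Administrators group: cannot install or restart AEC.'
} elseif (-not $result.Elevated) {
    Write-Warning 'Administrators member, but this session is not elevated: restart PowerShell as administrator.'
}
if (-not $result.DomainAdmins) {
    Write-Warning 'Not a Domain Admin: cannot register Enrollment Services, template mappings or the NTAuth store.'
}
```

`Get-DomainAdminsSid` needs the server to be domain joined (a system requirement above); on a workgroup machine `GetCurrentDomain()` throws, which is itself a useful pre-install signal.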
Network access
To use AEC, the server on which it is installed must have the following network access.
Inbound requirements
Clients must be able to connect to AEC using Distributed Component Object Model (DCOM), on these ports:
- TCP port 135 for the Remote Procedure Call (RPC) endpoint mapper.
- Dynamic TCP ports 49152–65535, which the endpoint mapper assigns for the actual DCOM connection. To change the port range, contact CyberArk Support.
Outbound requirements
AEC must be able to communicate with Zero Touch PKI via outbound HTTPS on port 443.
Test outbound connectivity: Run the following PowerShell command, based on your Zero Touch PKI instance region:
```powershell
# Americas
Test-NetConnection -ComputerName ztpki.venafi.com -Port 443
# Americas Staging
Test-NetConnection -ComputerName ztpki-staging.venafi.com -Port 443
# Europe
Test-NetConnection -ComputerName ztpki.eu.venafi.com -Port 443
# Europe Staging
Test-NetConnection -ComputerName ztpki-staging.eu.venafi.com -Port 443
# Australia
Test-NetConnection -ComputerName ztpki.au.venafi.com -Port 443
# Australia Staging
Test-NetConnection -ComputerName ztpki-staging.au.venafi.com -Port 443
```
A successful test shows output similar to the following:
```text
ComputerName     : ztpki.venafi.com
RemoteAddress    : 52.86.79.236
RemotePort       : 443
InterfaceAlias   : Ethernet 2
SourceAddress    : 172.31.16.41
TcpTestSucceeded : True
```
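`Test-NetConnection` proves only that TCP 443 is open; it does not show whether TLS terminates at Venafi or at an inspecting proxy, and it says nothing about the inbound side. The script below is an added example, not part of the CyberArk/Venafi documentation, that runs a fuller pre-flight for an AEC host: outbound TCP plus an actual TLS handshake to the regional endpoint, the RPC dynamic port range, and inbound Windows Defender Firewall rules for TCP 135 and 49152–65535. Assumptions: Windows Defender Firewall is the host firewall, the default dynamic range is expected, and the rule names and the `10.0.0.0/8` client subnet are placeholders.

```powershell
# Added example (not part of the AEC documentation): network pre-flight for an AEC host.

$ZtpkiEndpoints = @{
    'Americas'          = 'ztpki.venafi.com'
    'Americas Staging'  = 'ztpki-staging.venafi.com'
    'Europe'            = 'ztpki.eu.venafi.com'
    'Europe Staging'    = 'ztpki-staging.eu.venafi.com'
    'Australia'         = 'ztpki.au.venafi.com'
    'Australia Staging' = 'ztpki-staging.au.venafi.com'
}

function Test-ZtpkiOutbound {
    param([string]$Region = 'Americas')
    $target = $ZtpkiEndpoints[$Region]
    $tcp = Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue
    $httpStatus = $null; $tlsIssuer = $null
    if ($tcp.TcpTestSucceeded) {
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        try {
            $resp = Invoke-WebRequest -Uri "https://$target/" -Method Head -UseBasicParsing -TimeoutSec 15
            $httpStatus = [int]$resp.StatusCode
        } catch {
            # Any HTTP status (403, 404, ...) still means the TLS handshake completed.
            if ($_.Exception.Response) { $httpStatus = [int]$_.Exception.Response.StatusCode }
        }
        # The issuer of the server certificate we actually negotiated with: an internal
        # CA here means a TLS-inspecting proxy sits between AEC and Zero Touch PKI.
        $sp = [Net.ServicePointManager]::FindServicePoint([uri]"https://$target/")
        if ($sp.Certificate) { $tlsIssuer = $sp.Certificate.Issuer }
    }
    [pscustomobject]@{
        Region = $Region; Host = $target; RemoteAddress = $tcp.RemoteAddress
        TcpOpen = $tcp.TcpTestSucceeded; HttpStatus = $httpStatus; TlsIssuer = $tlsIssuer
    }
}

function Get-RpcDynamicPortRange {
    # "netsh int ipv4 show dynamicport tcp" prints the start port and size of the range the
    # RPC endpoint mapper hands out (labels are localized; this parses the English output).
    $text  = (netsh int ipv4 show dynamicport tcp) -join "`n"
    $start = [int]([regex]::Match($text, 'Start Port\s*:\s*(\d+)').Groups[1].Value)
    $count = [int]([regex]::Match($text, 'Number of Ports\s*:\s*(\d+)').Groups[1].Value)
    [pscustomobject]@{ Start = $start; End = $start + $count - 1; IsDefault = ($start -eq 49152 -and $count -eq 16384) }
}

function Add-AecInboundFirewallRules {
    # Idempotently create inbound allow rules for the endpoint mapper and the dynamic range,
    # scoped to the client subnets rather than Any. Rule names are our own placeholders.
    param([string[]]$RemoteAddress = @('Any'))
    $rules = @(
        @{ DisplayName = 'AEC RPC Endpoint Mapper (TCP 135)';       LocalPort = '135' },
        @{ DisplayName = 'AEC RPC Dynamic Ports (TCP 49152-65535)'; LocalPort = '49152-65535' }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.DisplayName -Direction Inbound -Protocol TCP `
                -LocalPort $r.LocalPort -RemoteAddress $RemoteAddress -Action Allow -Profile Domain | Out-Null
        }
    }
}

Test-ZtpkiOutbound -Region 'Americas' | Format-List
Get-RpcDynamicPortRange
Add-AecInboundFirewallRules -RemoteAddress @('10.0.0.0/8')   # placeholder subnet; use your client ranges
```

If `TlsIssuer` is not a public CA, expect the proxy's CA to be needed in the machine store for the AEC service account, and if `IsDefault` is false, the inbound rule must match the range actually in use rather than 49152–65535.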
API credentials
AEC uses Hawk API authentication to connect to Zero Touch PKI.
To configure AEC, you'll need the Hawk ID and Key from a Service Requestor account on your Zero Touch PKI instance. See Manage API keys.
Root and issuing CA certificates
Obtain the root and issuing CA certificates from your Zero Touch PKI instance. You'll distribute them through Microsoft Group Policy Management to the server(s) running AEC and to all clients that perform auto-enrollment.
Use one of these methods:
- Download certificates from Zero Touch PKI: On the Zero Touch PKI Certificate Authorities page, download the root and issuing CA certificates in DER format.
- Download certificates from AIA URLs: If you cannot sign in to Zero Touch PKI, use the certificates' Authority Information Access (AIA) URLs, which were established during Zero Touch PKI instance setup.
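Before publishing the two files, it is worth confirming they are what you think they are: that both are CA certificates, that the issuing CA really chains to the root you downloaded, and (after publication) that the forest-wide NTAuthCertificates object, the same object ADSI Edit shows under CN=Public Key Services in the Configuration partition, actually contains the certificate. The script below is an added example, not part of the CyberArk/Venafi documentation; the file paths are assumptions, the chain is built offline (revocation unchecked because the CRL endpoints may not be reachable yet), and the NTAuth lookup needs the ActiveDirectory module that `RSAT-AD-Tools` installs.

```powershell
# Added example (not part of the AEC documentation): validate downloaded ZTPKI CA files.
$RootPath    = 'C:\ZTPKI\ztpki-root.cer'      # assumed path to the DER root CA file
$IssuingPath = 'C:\ZTPKI\ztpki-issuing.cer'   # assumed path to the DER issuing CA file

function Test-CaFlag {
    # True when the certificate carries basicConstraints with cA=TRUE.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    [bool]($ext -and $ext.CertificateAuthority)
}

function Test-ZtpkiCaChain {
    param([string]$RootPath, [string]$IssuingPath)
    $root    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootPath)
    $issuing = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($IssuingPath)

    # Build the issuing CA's chain with the downloaded root supplied out of band. Because the
    # root is not yet in the machine store, UntrustedRoot is the one status we accept;
    # anything else (bad signature, expired, wrong key usage) is a real problem.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.ChainPolicy.ExtraStore.Add($root)
    [void]$chain.Build($issuing)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $problems = @($chain.ChainStatus | Where-Object { $_.Status -ne 'NoError' -and $_.Status -ne 'UntrustedRoot' })

    [pscustomobject]@{
        RootSubject         = $root.Subject
        RootSelfIssued      = ($root.Subject -eq $root.Issuer)
        RootIsCa            = Test-CaFlag $root
        RootValidUntil      = $root.NotAfter
        RootThumbprint      = $root.Thumbprint
        IssuingSubject      = $issuing.Subject
        IssuingIsCa         = Test-CaFlag $issuing
        IssuingValidUntil   = $issuing.NotAfter
        IssuingThumbprint   = $issuing.Thumbprint
        IssuingChainsToRoot = ($top.Thumbprint -eq $root.Thumbprint)
        ChainProblems       = @($problems | ForEach-Object { $_.StatusInformation.Trim() })
    }
}

function Test-NtAuthStoreContains {
    # Compares a thumbprint against the cACertificate values on CN=NTAuthCertificates.
    param([string]$Thumbprint)
    try {
        $cfg = (Get-ADRootDSE).configurationNamingContext
        $obj = Get-ADObject "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfg" -Properties cACertificate -ErrorAction Stop
    } catch {
        Write-Warning "NTAuthCertificates object not readable: $($_.Exception.Message)"
        return $false
    }
    $present = @($obj.cACertificate | ForEach-Object {
        ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_)).Thumbprint })
    $present -contains $Thumbprint
}

$check = Test-ZtpkiCaChain -RootPath $RootPath -IssuingPath $IssuingPath
$check | Format-List
# Publication to the NTAuth store is done with the standard Windows tool, e.g.
#   certutil -dspublish -f <file.cer> NTAuthCA
# (which certificate AEC requires there is set out in the installation steps). Afterwards:
Test-NtAuthStoreContains -Thumbprint $check.IssuingThumbprint
```

A false `IssuingChainsToRoot` with an empty `ChainProblems` usually means the two files came from different instances (for example production root with a staging issuing CA), which is easy to do when pulling from AIA URLs by hand.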
Zero Touch PKI Policy IDs
From your Zero Touch PKI account, obtain the Policy IDs to map to Active Directory certificate templates.
ADSI Edit
CyberArk recommends ADSI Edit to validate CA certificates on your AEC server and inspect your configuration.
To install ADSI Edit, in PowerShell, enter `Install-WindowsFeature RSAT-AD-Tools`.
Next steps
Once you've confirmed all prerequisites and completed all pre-installation tasks, you're ready to install AEC.