
Installing the Auto-Enrollment Connector

This topic explains how to integrate Auto-Enrollment Connector (AEC) with Zero Touch PKI in a Microsoft Active Directory environment. It covers preparing the environment, installing and configuring AEC, and testing the integration. After you complete these steps, you'll be ready to issue certificates in your Active Directory environment.

Before completing these steps, if you haven't done so already, review the prerequisites.

Step 1: Prepare your environment

To prepare your environment for AEC, complete the following tasks.

Install Microsoft Active Directory certificate templates

Active Directory certificate templates map to Zero Touch PKI certificate policies and define how X.509 certificates are issued. You can install the templates with Microsoft PowerShell or with Windows Server Manager.

  Using PowerShell:

  1. In PowerShell, enter Install-WindowsFeature RSAT-ADCS-Mgmt to install the Remote Server Administration Tools, which include the Certification Authority Management Tools. See the Microsoft documentation.
  2. In PowerShell, enter certtmpl.msc.
  3. In the Certificate Templates snap-in, verify that the templates appear.

  Using Windows Server Manager:

  1. In Windows Server Manager, in the Add Roles and Features Wizard, install the Certification Authority Management Tools. See the Microsoft documentation.
  2. In a command prompt, enter certtmpl.msc.
  3. In the Certificate Templates snap-in, verify that the templates appear.

Configure Microsoft Active Directory certificate templates

In the Certificate Templates snap-in, duplicate the default User, Workstation Authentication, and Domain Controller templates and configure them for Zero Touch PKI.

About compatibility settings

When configuring each template, you'll need to select two compatibility settings:

  • Certificate Authority: Minimum Windows Server version required for the CA to issue certificates using the template.
  • Certificate recipient: Minimum Windows version for clients or devices using certificates; ensures compatibility with features such as key storage, cryptographic algorithms, and certificate management.

Choose from the following options:

  • Windows 2000: Basic compatibility with older systems.
  • Windows Server 2003 and later: Supports modern cryptographic algorithms and management features.
  • Windows Vista/Windows Server 2008 and later: Supports custom key usage extensions and modern certificate attributes.
  • Windows 8.1/Windows Server 2012 R2 and later: Supports the latest cryptographic algorithms and certificate features, such as modern key attestation.
  • Windows 10/Windows Server 2016 and later: Supports the latest security protocols and cryptographic features, including advanced key storage and management. Recommended to maximize security and functionality.

  User template:

  1. Right-click the User template and select Duplicate Template.
  2. In each tab, set the following options:

    Compatibility: Select compatibility options for Certificate Authority and Certificate recipient.
    General: Enter a template name, a renewal period, and a validity period. The validity period must be within the range of the validity period for the corresponding Zero Touch PKI policy.
    Subject Name: Do the following:
      1. Click Build from this Active Directory information.
      2. Under Subject name format, select Common name.
      3. Under Include this information in alternate subject name, select User principal name (UPN).
    Extensions: In Application Policies, enter Client Authentication.
    Security: When testing, grant Read permissions to the Authenticated Users group and Read and Enroll permissions to the Domain Users group. When ready to issue certificates in Production, also grant Autoenroll permissions to the Domain Users group.
  3. Save the duplicated template.

  Workstation Authentication template:

  1. Right-click the Workstation Authentication template and select Duplicate Template.
  2. In each tab, set the following options:

    Compatibility: Select compatibility options for Certificate Authority and Certificate recipient.
    General: Enter a template name, a renewal period, and a validity period. The validity period must be within the range of the validity period for the corresponding Zero Touch PKI policy.
    Subject Name: Do the following:
      1. Click Build from this Active Directory information.
      2. Under Subject name format, select DNS name.
      3. Under Include this information in alternate subject name, select DNS name.
    Extensions: In Application Policies, enter Client Authentication.
    Security: When testing, grant Read and Enroll permissions to the Domain Computers group. When ready to issue certificates in Production, also grant Autoenroll permissions to the Domain Computers group.
  3. Save the duplicated template.

  Domain Controller template:

  1. Right-click the Domain Controller template and select Duplicate Template.
  2. In each tab, set the following options:

    Compatibility: Select compatibility options for Certificate Authority and Certificate recipient.
    General: Enter a template name, a renewal period, and a validity period. The validity period must be within the range of the validity period for the corresponding Zero Touch PKI policy.
    Subject Name: Do the following:
      1. Click Build from this Active Directory information.
      2. Under Subject name format, select DNS name.
      3. Under Include this information in alternate subject name, select DNS name.
    Extensions: In Application Policies, enter Client Authentication, Smart Card Logon, KDC Authentication, and Server Authentication.
    Security: When testing, grant Read and Enroll permissions to the Domain Controllers group. When ready to issue certificates in Production, also grant Autoenroll permissions to the Domain Controllers group.
  3. Save the duplicated template.

Validate certificate templates with ADSI Edit

As an alternative to the Certificate Templates snap-in, you can validate the templates with ADSI Edit. In a command prompt, enter adsiedit.msc and go to CN=Configuration > CN=Services > CN=Public Key Services > CN=Certificate Templates. Confirm that the templates appear.
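A scripted version of this validation, added here and not part of the CyberArk/Venafi documentation: it reads the duplicated templates from the same CN=Certificate Templates container and compares each template's validity period and Application Policies with what the previous task asks for. The template names and the one-year policy validity limit are assumptions; replace them with your own.

```powershell
# Added check, not part of the documentation: reads the duplicated templates from AD
# and compares validity and application policies with the values configured above.
Import-Module ActiveDirectory

# Assumed names of the templates duplicated in the Certificate Templates snap-in,
# each with the Application Policy OIDs the page specifies for it.
$Expected = @{
    'ZTPKI User'              = @('1.3.6.1.5.5.7.3.2')              # Client Authentication
    'ZTPKI Workstation'       = @('1.3.6.1.5.5.7.3.2')              # Client Authentication
    'ZTPKI Domain Controller' = @('1.3.6.1.5.5.7.3.2',              # Client Authentication
                                  '1.3.6.1.4.1.311.20.2.2',         # Smart Card Logon
                                  '1.3.6.1.5.2.3.5',                # KDC Authentication
                                  '1.3.6.1.5.5.7.3.1')              # Server Authentication
}
# Assumed: the matching Zero Touch PKI policies allow at most one year of validity.
$PolicyMaxValidity = New-TimeSpan -Days 365

$base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
        (Get-ADRootDSE).configurationNamingContext

foreach ($name in $Expected.Keys) {
    $t = Get-ADObject -SearchBase $base -Filter "cn -eq '$name'" `
            -Properties pKIExpirationPeriod, pKIExtendedKeyUsage, 'msPKI-Certificate-Application-Policy'
    if (-not $t) { Write-Warning "Template '$name' not found under $base"; continue }

    # pKIExpirationPeriod is an 8-byte negative count of 100-ns ticks (a FILETIME-style duration).
    $ticks    = [BitConverter]::ToInt64([byte[]]$t.pKIExpirationPeriod, 0)
    $validity = [TimeSpan]::FromTicks([Math]::Abs($ticks))

    # The snap-in writes Application Policies to msPKI-Certificate-Application-Policy and
    # usually mirrors them into pKIExtendedKeyUsage; accept either attribute.
    $policies = @($t.'msPKI-Certificate-Application-Policy') + @($t.pKIExtendedKeyUsage)
    $missing  = $Expected[$name] | Where-Object { $policies -notcontains $_ }

    [pscustomobject]@{
        Template        = $name
        ValidityDays    = [int]$validity.TotalDays
        WithinPolicy    = ($validity -le $PolicyMaxValidity)
        MissingPolicies = $(if ($missing) { $missing -join ', ' } else { 'none' })
    }
}
```

A template reported as WithinPolicy = False will be rejected by Zero Touch PKI at issuance time, so fix the General tab before moving on.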

Import CA certificates to Group Policy Management

In Group Policy Management, import your Zero Touch PKI root and issuing CA certificates as described in the Windows Server documentation.

  Root CA certificate:

  1. Right-click the Group Policy Object (GPO) on which you will enable auto-enrollment and select Edit.
  2. Go to Computer Configuration > Policies > Security Settings > Public Key Policies.
  3. Right-click Trusted Root Certification Authorities and select Import.
  4. Import your Zero Touch PKI root CA certificate.

  Issuing CA certificates:

  1. Right-click the Group Policy Object (GPO) on which you will enable auto-enrollment and select Edit.
  2. Go to Computer Configuration > Policies > Security Settings > Public Key Policies.
  3. Right-click Intermediate Certification Authorities and select Import.
  4. Import your Zero Touch PKI issuing CA certificates.

Check Group Policy Objects for auto-enrollment

On the AEC server, run the following PowerShell script to scan Group Policy Objects and report which ones already have certificate auto-enrollment enabled.

Import-Module GroupPolicy   # requires the Group Policy Management RSAT tools

Get-GPO -All | ForEach-Object {
    $gpo = $_
    # Generate the XML report for this GPO and search it for auto-enrollment settings.
    $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    # Broad match: review each reported GPO in the editor to confirm what it actually sets.
    if ($xml -match "AutoEnroll") {
        Write-Output "GPO: $($gpo.DisplayName) has auto-enrollment configured."
    }
}

Enable certificate auto-enrollment in Group Policy

Enable certificate auto-enrollment as needed. For details, see the Windows Server documentation.

  Computer auto-enrollment:

  1. In Group Policy Management, go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment.
  2. Next to Configuration Model, select Enabled.
  3. Save the policy.

  User auto-enrollment:

  1. In Group Policy Management, go to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment.
  2. Next to Configuration Model, select Enabled.
  3. Save the policy.

Configure DCOM

On each AEC server, configure Distributed Component Object Model (DCOM) so that Windows clients can securely access Zero Touch PKI certificate services.

About DCOM

AEC uses DCOM to:

  • Allow Windows clients to communicate with the Zero Touch PKI CA.
  • Support certificate auto-enrollment.
  • Ensure that requests are authorized using a user or computer's security credentials.

  Local Users and Groups:

  1. In an elevated command prompt, enter lusrmgr.msc to open Local Users and Groups.
  2. In Groups > Certificate Service DCOM Access, add the Authenticated Users group.
  3. In Groups > Users, add the Authenticated Users, Interactive, and Domain Users groups.

  Component Services:

  1. In an elevated command prompt, enter dcomcnfg.exe to open Component Services.
  2. Go to Component Services > My Computer and open its Properties.
  3. On the Default Properties tab, select Enable Distributed COM on this computer.
  4. On the COM Security tab, under Access Permissions, click Edit Limits.
  5. For the Everyone and Certificate Service DCOM Access groups, select Local Access and Remote Access.
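A verification script for the DCOM task above, added here and not part of the documentation: run it in an elevated PowerShell session on the AEC server to confirm the EnableDCOM setting, the local group memberships, and the access limits that dcomcnfg.exe persists in the registry. The expected member names assume the default NT AUTHORITY and domain naming.

```powershell
# Added check, not part of the documentation: verifies on the AEC server that the DCOM
# settings from this task are in place. Run in an elevated PowerShell session.
$required = @{
    'Certificate Service DCOM Access' = @('NT AUTHORITY\Authenticated Users')
    'Users'                           = @('NT AUTHORITY\Authenticated Users',
                                          'NT AUTHORITY\INTERACTIVE',
                                          "$env:USERDOMAIN\Domain Users")
}

# "Enable Distributed COM on this computer" is persisted as the EnableDCOM value.
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
Write-Output ("EnableDCOM = {0} ({1})" -f $ole.EnableDCOM,
    $(if ($ole.EnableDCOM -eq 'Y') { 'OK' } else { 'NOT ENABLED' }))

# Local group membership added through lusrmgr.msc.
foreach ($group in $required.Keys) {
    $members = @(Get-LocalGroupMember -Group $group | Select-Object -ExpandProperty Name)
    foreach ($m in $required[$group]) {
        $state = if ($members -contains $m) { 'present' } else { 'MISSING' }
        Write-Output ("{0}: {1} {2}" -f $group, $m, $state)
    }
}

# Access Permissions > Edit Limits is stored as a binary security descriptor in
# MachineAccessRestriction. Mask bits: 0x1 execute, 0x2 local access, 0x4 remote access.
if ($ole.MachineAccessRestriction) {
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new(
              [byte[]]$ole.MachineAccessRestriction, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        $local  = ($ace.AccessMask -band 0x2) -ne 0
        $remote = ($ace.AccessMask -band 0x4) -ne 0
        Write-Output ("Access limit {0}: {1} local={2} remote={3}" -f $ace.AceType, $who, $local, $remote)
    }
} else {
    Write-Output "MachineAccessRestriction not set: default access limits apply"
}
```

Everyone and Certificate Service DCOM Access should each appear as an AccessAllowed entry with local=True and remote=True; any AccessDenied entry for those groups overrides the allow and blocks client enrollment.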

Step 2: Install AEC

Install AEC directly to the server(s) on which it will run. Download the latest executable from the CyberArk Marketplace.

Installation directories

AEC installs to C:\Program Files\HydrantID\AutoEnrollment. Its logs and database are stored in C:\ProgramData\HydrantID\AutoEnrollment.

  1. Sign in to the installation server using an account with Local Administrator and Domain Admin permissions.
  2. Upload the AEC executable to the server.
  3. Right-click the AEC executable and select Run as administrator.
  4. In the User Account Control dialog, click Yes.
  5. Accept the EULA and click Install.
  6. In the installation completion dialog, click Close.

Step 3: Configure AEC

Once AEC is installed, you configure logs, database maintenance settings, the Windows service, and any local proxy settings. You also add your CA to AEC and connect it to Zero Touch PKI.

Review log settings

Review the events you want to log and confirm certificate issuance logic.

Default settings recommended

CyberArk recommends the default settings for Debug Events and Certificate Issuance Retry Configuration.

  1. In AEC, click Logging.

    (Screenshot: Logging page)

  2. Select any of the following General Events:

    Report Requests: Log certificate requests.
    Track Certificate Issuance: Log the full certificate issuance lifecycle.
    Other Miscellaneous: Log minor events such as service startups or restarts.
  3. Select any of the following Debug Events:

    COM / DCOM: Log events specific to COM communication.
    Configuration: Log events about AEC configuration changes.
    CA Communication: Log traffic to and from the Zero Touch PKI REST endpoint.
    Trace Function Calls: Log entry into each function as it is processed.
    General Tracking: Enable verbose logging; not recommended in a Production environment.
    Cert Issuance Timing: Log certificate issuance timing from request to issuance.
  4. Under Certificate Issuance Retry Configuration, review the issuance logic.

    Max Retries: Number of attempts (0 to 5) to fetch the certificate from the issuing CA as part of a single transaction.
    Retry Wait: Wait time in milliseconds between each attempt to fetch the issued certificate.

Configure a local proxy

By default, AEC uses proxy settings from the server it runs on. Configure a separate proxy if required.

Supported proxy settings

For supported settings, see the Microsoft documentation for the .NET Framework <defaultProxy> and <proxy> configuration elements.

  1. In a text editor, open C:\Program Files\HydrantID\AutoEnrollment\EnrollmentProxy.exe.config.
  2. Uncomment the <system.net> block, which contains example proxy configurations:

    <system.net>
        <defaultProxy>
            <!-- Only one <proxy> element may be active inside <defaultProxy>; keep the one you need. -->
            <proxy bypassonlocal="false" usesystemdefault="true" /> <!-- Use system proxy settings -->
            <proxy autoDetect="false" bypassonlocal="false" proxyaddress="http://127.0.0.1:8866" usesystemdefault="false" /> <!-- Use a custom proxy -->
        </defaultProxy>
    </system.net>
    
  3. Set usesystemdefault to false.

  4. In the proxyaddress attribute, enter your custom proxy address.
  5. In AEC, click Maintenance > Restart Services.

Configure CAs and template mappings

In this task, you add your issuing CA to AEC, connect AEC to Zero Touch PKI with an API key, and map Zero Touch PKI certificate policies to Active Directory certificate templates.

  1. In the Windows Start Menu, right-click AutoEnrollment Configuration and select Run as administrator.
  2. In Certificate Authorities, click Add Certificate Authority.

    (Screenshot: Add a CA)

  3. Enter a CA Name. CyberArk recommends including AEC's hostname, for example aec.yourcompany.com.

  4. Click Add Certificate Authority.
  5. In a command prompt, enter adsiedit.msc and go to CN=Configuration > CN=Services > CN=Public Key Services > CN=Enrollment Service. Verify that the CA object appears.

    (Screenshot: Verify the CA object)

    Warning

    Do not proceed with the remaining steps until the Zero Touch PKI CA object appears in ADSI Edit.

  6. In AEC, in Certificate Authorities, click your Zero Touch PKI CA and select Zero Touch PKI.

    (Screenshot: Configure the CA in AEC)

  7. In URL, enter one of the following:

    • Americas: https://ztpki.venafi.com
    • Europe: https://ztpki.eu.venafi.com
    • Australia: https://ztpki.au.venafi.com
  8. In Hawk ID, enter your Zero Touch PKI Hawk ID.

  9. In Hawk Key, enter your Zero Touch PKI Hawk key.
  10. (Optional) To encrypt API credentials, select Store Encrypted.
  11. In Policy Mapping, click Add Mapping.
  12. In Policy, enter your Policy IDs from Zero Touch PKI, creating a new mapping for each.

  13. Click Save.

  14. Click Maintenance > Restart Services.

    You're finished configuring AEC. It's time to test the integration by requesting certificates from Zero Touch PKI.

Step 4: Test AEC

Use the Microsoft Certificate Manager Tool to confirm that certificate auto-enrollment works for users, computers, and domain controllers by manually requesting certificates directly from the AEC server.

  1. On the AEC server, in a command prompt, enter certlm.msc.
  2. In the Certificate Manager Tool, right-click Personal and select All Tasks > Request New Certificate.
  3. Click Next twice.
  4. Depending on the template to test, select the User, Computer, or Domain Controller template.

    (Screenshot: Select a certificate)

  5. Click Enroll.

  6. Once enrollment is complete, click Finish.
  7. In Personal, confirm that the correct certificate appears.

    (Screenshot: Confirm the certificate)

    Once you've tested certificate issuance for users, computers, and domain controllers, Auto-Enrollment Connector installation is complete.
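A scripted follow-up to the visual check in step 7, added here and not part of the documentation: it finds the certificate issued from the duplicated template in the Personal store, confirms it carries Client Authentication, and builds its chain to verify that it terminates at the imported Zero Touch PKI root. The template name and root thumbprint are placeholders to replace with your own values.

```powershell
# Added check, not part of the documentation: after the manual request in Step 4, confirms
# that a certificate from the duplicated template was issued into the Personal store, that it
# carries Client Authentication, and that it chains to the imported Zero Touch PKI root.
$TemplateName = 'ZTPKI Workstation'            # assumed name of your duplicated template
$RootThumb    = 'REPLACE-WITH-ZTPKI-ROOT-THUMBPRINT'   # placeholder, from the imported root cert
$StorePath    = 'Cert:\LocalMachine\My'        # certlm.msc; use Cert:\CurrentUser\My for a User template

# 1.3.6.1.4.1.311.21.7 is the Certificate Template Information extension written by v2+ templates.
$certs = Get-ChildItem $StorePath | Where-Object {
    $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $tpl -and $tpl.Format($false) -like "*$TemplateName*"
}
if (-not $certs) { Write-Warning "No certificate from template '$TemplateName' in $StorePath"; return }

foreach ($c in $certs) {
    # Client Authentication may appear in the EKU extension (2.5.29.37) or in the Microsoft
    # Application Policies extension (1.3.6.1.4.1.311.21.10), depending on the template.
    $authExts = $c.Extensions | Where-Object { $_.Oid.Value -in '2.5.29.37', '1.3.6.1.4.1.311.21.10' }
    $hasClientAuth = [bool]($authExts | Where-Object {
        $_.Format($false) -like '*1.3.6.1.5.5.7.3.2*' -or $_.Format($false) -like '*Client Authentication*'
    })

    # Build the chain offline; revocation is skipped so this only checks trust and validity.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($c)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject     = $c.Subject
        Issuer      = $c.Issuer
        NotAfter    = $c.NotAfter
        ClientAuth  = $hasClientAuth
        ChainBuilds = $built
        RootIsZTPKI = ($root.Thumbprint -eq $RootThumb.ToUpper())
        ChainStatus = (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')
    }
}
```

To exercise the auto-enrollment path rather than a manual request, run certutil -pulse on a domain-joined test machine and repeat the check there.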