ADCS Enrollment Policy Web Service

This guide covers the deployment of the Active Directory Certificate Services (AD CS) Enrollment Policy Web Service (CEP) role on Server Core. The Certificate Enrollment Policy Web Service allows clients to retrieve Certificate Enrollment Policies from an Enterprise Certificate Authority when access to a Domain Controller is not possible, such as external or DMZ housed computers, or clients without permissions. Users and computers can retrieve enrollment policies from a CEP server over HTTPS/443.

The Certificate Enrollment Policy Web Service binds to Active Directory Domain Controllers over standard LDAP ports. A single CEP server can provide policy services for multiple Enterprise Certificate Authorities. A CEP server is required for clients to utilize a Certificate Enrollment Web Services server.

Requirements

  • Administrator privileges on the CEP server.
  • A deployed and functional Enterprise PKI.

Summary Steps

  • Enroll a Computer Certificate for the CEP server IIS binding.
  • Install the Certificate Authority feature with the Policy Web Enrollment Service role.
  • Determine the URI for client access to the CEP service.
  • Configure Group Policy to direct clients to the new CEP server.

Continue reading

ADDS Group Managed Service Accounts

This guide covers the creation and management of Active Directory Domain Services (ADDS) Group Managed Service Accounts (gMSA). Group Managed Service Accounts are system managed service accounts that behave much like computer accounts in that the system automatically manages and rotates the account password. A gMSA solves many of the security implications arising from using service accounts where passwords may be infrequently (or never) rotated and where multiple users may have access to the account’s credential.

Steps in this guide can be performed on any computer joined to the domain. Access to a domain controller is not necessary.

Requirements

  • Domain Administrator, or delegated privileges to create Group Managed Service Accounts and Security Enabled Groups.

Summary Steps

  • Create a Security Enabled Group
  • Create a Group Managed Service Account

Continue reading

ADCS Enrollment Web Service with Managed Service Accounts

This guide covers the deployment of the Active Directory Certificate Services (AD CS) Enrollment Web Service (CES) role using group Managed Service Accounts (gMSA) on Server Core. The Enrollment Web Service allows for automated certificate issuance to computers that are unable to directly reach the Certificate Authorities over the standard DCOM ports, such as external or DMZ housed computers. Users and computers can enroll for certificates from a CES server over HTTPS/443.

The Enrollment Web Service binds to an individual issuing Certificate Authority. To issue certificates from multiple CAs, multiple CES servers will need to be provisioned. The CES server requires that at least one Certificate Enrollment Policy Web Service (CEP) server be configured. The CES and CEP roles can both exist on the same system or can be deployed separately.

Requirements

  • Enterprise Administrator
  • Administrator permissions on the target Enterprise Certificate Authority.
  • A deployed and functional Enterprise PKI.
  • A deployed and enabled Certificate Enrollment Policy Web Service server.

Summary Steps

  • Enroll a Computer Certificate for the CES server IIS binding.
  • Install the Certificate Authority feature with the Enrollment Web Service role.
  • Create a group Managed Service Account (gMSA) for the IIS App Pool.
  • Assign the gMSA to the local IIS_IUSRS group on the CES server.
  • Assign a service principal name (SPN) to the gMSA.
  • Configure the gMSA for constrained delegation to the Certificate Authorities.
  • Assign the gMSA to the CES server IIS App Pool.

Continue reading

Ubiquiti UniFi Security Gateway Disable NAT

This is a guide for disabling the Network Address Translation (NAT) function on the Ubiquiti Networks UniFi Security Gateway (USG). The NAT functionality can be disabled by a custom config.gateway.json file on the UniFi Controller. There is no User Interface option currently to disable NAT.

Note: These instructions apply to the Unifi Security Gateway (USG) line of products, which are end of life. The config.gateway.json method does not exist on the UDM and UXG line of products.

If you’re here looking to disable NAT on a UDM or UXG product line, know that there is now an option in the web interface. Ubiquiti added controls directly in the web interface starting with UniFi Network 8.3.32 to control or disable NAT. See the UniFi Help Article.

Requirements

  • Unifi Security Gateway (USG)
  • SSH access to the UniFi Controller

Summary Steps

  • Create or update a custom config.gateway.json configuration file
  • Perform a manual device provision of the USG

Continue reading

IIS WMSvc Automated Certificate Management

I’ve added a new script to my GitHub PowerShell repository for managing the IIS WMSvc Certificate. The script WMSvc_InstallCertificate.ps1 is intended to be ran either by scheduled task or by command line and will attempt to detect when the Web Management Service (WMSvc) certificate needs to be replaced. Replacement certificates are sourced from an Enterprise Certificate Authority automatically. The IIS machine account must have privileges to enroll.

In my lab, this script is tied to a scheduled task that is automatically created by group policy on servers attached to the IIS role security group. This same security group is also granted enroll privileges on the certificate template. In effect, new servers created will automatically receive a trusted certificate for their management port and that certificate is rotated automatically before expiration.

Since my lab IIS installations run on Server Core, it is quite convenient to have the remote management service configured automatically.