EOBO with AD CS via DCOM

If you have a strong security policy for certificates and you want to use Microsoft’s Certificate Enroll On Behalf of Others (EOBO) function, integrate an Enrollment Agent Signing Certificate with Workspace ONE UEM powered by AirWatc8. This process uses Active Directory Certificate Services (AD CS) by means of the Distributed Component Object Model (DCOM) remote protocol for integration. By default, only domain administrators are granted permission to request a certificate on behalf of another user. However, you can grant a user or computer account other than a domain administrator permission to become an enrollment agent. To be an enrollment agent, the user or computer account registers for an Enrollment Agent certificate.

Note: For integration with Workspace ONE UEM, the user is a computer account. After an agent has an Enrollment Agent certificate, that agent registers for a smart card certificate and generates a smart card on behalf of anyone in the organization. The smart card user can log on to the network and impersonate the real user. Because of the powerful capability of the Enrollment Agent certificate, it is best that your organization maintain very strong security policies for these certificates. For Workspace ONE UEM to use a certificate in a profile used to authenticate a user, set up an enterprise certificate authority (CA) in the domain in an on-premises environment. Additionally, you must join the CA to the same domain as VMware AirWatch Cloud Connector in order to successfully manage certificates within Workspace ONE UEM. There are several methods for Workspace ONE UEM to retrieve a certificate from the CA.

• On-Premises - Components are Internal with no VMware AirWatch Cloud Connector - In an on-premises environment, all Workspace ONE UEM application servers are internal and the VMware AirWatch Cloud Connector is not installed.

• On-Premises - Devices Services in a DMZ with no VMware AirWatch Cloud Connector - In an onpremises environment, Devices Services is located in a DMZ and the CA and Workspace ONE UEM servers are internal. The VMware AirWatch Cloud Connector is not installed.

• On-Premises ‒ Components are Internal with VMware AirWatch Cloud Connector - In an on-premises environment, Devices Services, Workspace ONE UEM server, the CA, and VMware AirWatch Cloud Connector are internal.

• On Premises - Device Services in a DMZ with VMware AirWatch Cloud Connector - In an onpremises environment, Devices Services is located in the DMZ and Workspace ONE UEM server, CA, and VMware AirWatch Cloud Connector are internal.

• SaaS ‒ Components in the Cloud with VMware AirWatch Cloud Connector - In a SaaS environment, Devices Services, Workspace ONE UEM server, and the CA are in the clou4. The VMware AirWatch Cloud Connector and an internal CA are internal and must be in the same domain.

Prerequisites

• Use an on-premises Workspace ONE UEM environment.

Note: There is one scenario where a SaaS Workspace ONE UEM environment is supported.

• The certificate authority used in certificate integration must be a member of the same domain as the Workspace ONE UEM application server to install the Enterprise CA.
• Use a service account with administrative access to the certificate authority server.
• Use Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, or Windows Server 2016.
• The Workspace ONE UEM console server and the VMware AirWatch Cloud Connector server (if you are using it), must communicate to the Microsoft Certificate Authority over all configured DCOM ports.

Note: If using VMware AirWatch Cloud Connector, the VMware AirWatch Cloud Connector server must comply with the hardware sizing requirements mentioned in the Workspace ONE UEM Recommended Architecture. Refer to the guidelines described for the Admin Console server.

• You can configure the port range to be any number of non-standard ports depending on your DCOM implementation. However, the listed ports are utilized by default.
• Port 135: Microsoft DCOM Service Control Manager.
• Ports 1025 - 5000: Default ports DCOM processes.
• Ports 49152 - 65535: Dynamic Ports.

Procedure

1. Set up the restricted enrollment agent signing certificate on the CA server.
   1. Enable LDAP referrels. Active Directory Certificate Services (AD CS) Certificate Authority (CA) requires enabling LDAP referrels so that Workspace ONE UEM can request certificates on behalf of some other service account user.
      1. Stop certificate services by running the following command, net stop certsvc.
      2. Enable LDAP Referrals, certutil -setreg policy\EditFlags +EDITF_ENABLELDAPREFERRALS.
         
      3. Start certificate services by running the following command, net start certsvc.
   2. Create a Restricted Enrollment Agent Certificate so you can generate a Restricted Enrollment Agent Signer Certificate.
      1. Open the Certificate Authority (CA).
      2. Expand the CA Name, Right click Certificate Templates, and select Manage.
      3. Right click the Enrollment Agent (Computer) template and select Duplicate Template. Name it per your preference.
      4. Select your Windows Server version.
      5. On the Request Handling tab, select Allow Private Key to be Exported.
      6. On the Subject Name tab, make sure Build from this Active Directory Information is activated and Subject Name format is set to Fully distinguished name.
      7. On the Security tab, give the enrollment agent servers Read and Enroll permissions.
      8. Click OK.
      9. Navigate back to the CA, right click Certificate Templates, select New, and select Certificate Template to Issue.
      10. Select the duplicate copy of the template created in the previous step.
      11. Click OK.
   3. Generate the Restricted Enrollment Agent Signer Certificate on any server that can connect to the Certificate Authority.
      1. Log in with a local admin account on the server when requesting the Enrollment Agent certificate on the ACC/DS/CN server.
      2. Open Microsoft Management Console, (MMC).
      3. Click File and select Add/Remove Snap in.
      4. Select Certificates.
      5. Select Computer Account.
      6. Select Local Computer and select Finish.
      7. Click OK.
      8. Expand Certificates (Local Computer), double click Personal, right click Certificates, select All Tasks, and select Request New Certificate.
      9. Click Next.
      10. Select Active Directory Enrollment Policy and select Next.
      11. Check the duplicate template created in earlier steps and select Enroll.
      12. Once completed, select Finish.
   4. Configure the certificate to make the private, if needed, and public keys using the network service.
      1. Right click the restricted enrollment agent signer certificate and select All Tasks followed by Manage Private Keys.
      2. Click Add.
      3. Type Network Service and select Check Names. Once added, select OK twice.
         Another option to using the network service is adding the service account to manage the private keys. This option requires that the AirWatch Cloud Connector service logs on as the service account.
   5. Depending on the need to install certificates on multiple servers, either export the public key or both the public and private keys.
      • If the certificate needs to be installed on multiple Device Services servers or VMware AirWatch Cloud Connector servers, export the public and the private key. When exporting the certificate to install on additional AirWatch Cloud Connector servers, the subject name is the name of the server the certificate was requested from (for example, requested from ACC1). Even though the subject name does not match the other servers you are importing the certificate to (for example, importing to ACC2 and ACC3), this disparity does not cause issues because the private key is also imported along with the certificate.
      • Right click the issued certificate, select All Tasks followed by Export.
      • Click Next.
      • Select Yes, export the private key and select Next. Select Include all certificates in the certification path if possible as well as Export all extended properties. Click Next.
      • Set a password and select Next.
      • Select a folder in which to save the exported certificate.
      • Click Finish.
        • If the certificate is installed on a single Device Services server or VMware AirWatch Cloud Connector server, export only the public key.
          1. Right click the issued certificate, select All Tasks followed by Export.
          2. Select No, do not export the private key, select Next.
          3. Select DER encoded binary X.509 (.CER), select Next.
          4. Select a destination for the exported certificate and select Next.
          5. Click Finish.
          6. If you have other DS servers or VMware AirWatch Cloud Connector (ACC) servers, you must import the certificate that was exported in previous steps. Skip this section if you have no other DS or ACC servers.
      • Open Micrsoft Management Console (MMC).
      • Click File and select Add/Remove Snap in.
      • Select Certificates.
      • Select Computer Account and select Next.
      • Select Local Computer and select Finish.
      • Click OK.
      • Expand Certificates (Local Computer) and select Personal. Right click Certificates, select All Tasks and select Import….
      • Select the PFX file exported in previous steps and select Next.
      • Enter the password created for this file in previous steps, make sure Include all extended properties is checked and select Next.
      • Ensure Place all certificate in the following store is set to Personal and select Next.
      • Click Finish.
2. Create a custom user template if you do not want to use the default Microsoft Certificate template to issue certificates to the end user. If using the default Microsoft Certificate template, consider using the template for client authentication certificates.
   1. On the CA server, under the Certificate Authority Name, right click Certificate Templates and select Manage.
   2. Right click a default template that is closest to your needs and select Duplicate Template.
   3. Select your Windows Server and select OK.
   4. Enter the Template display name and select Apply.
   5. Select the Issuance Requirements tab and select This number of authorized signatures. Under the Application policy drop-down field, select Certificate Request Agent and select Apply.
   6. On the Subject Name tab, select Build from Active Directory Information. Configure the name format as Fully Distinguished Name along with including the Email and User Principal Name. If you do not configure the subject name, the subject is blank and the certificate request fails.
   7. On the Security tab, give the service account Read, Enroll, and Auto Enroll permissions.
   8. Right click Certificate Templates under the CA name, select New, and select Certificate Template to Issue.
   9. Select the template that was just created and select OK.
3. SaaS environments can configure the VMware AirWatch Cloud Connector to deploy Enrollment On Behalf Of (EOBO) with ADCS on Microsoft’s Distributed Component Object Model (DCOM) substrate. If your Workspace ONE UEM deployment is strictly on-premises, you do not need to perform this step.
   1. On the VMware AirWatch Cloud Connector server, run services.msc.
   2. Stop the Cloud Connector service.
   3. Right-click the Cloud Connector service.
   4. Select Properties.
   5. Select the Log On tab.
   6. Under Log on as:, choose Local System account and enable the check box Allow Service to Interact with Desktop.
   7. Click OK to save settings and close the Properties page.

4. Connect Workspace ONE UEM to the certificate authority and upload your public key to the console.

   1. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Certificate Authorities > Certificate Authorities tab and select Add.

   2. Complete required text boxes and make the listed configurations.

      Option	Description
      Authority Type	Select Microsoft ADCS.
      User name	Enter the username and its corresponding password that has administrative access to the certificate authority server.
      Additional Options	Select Restricted Enrollment Agent.

   3. Upload the public key file (.cer) you exported when you set up the Restricted Enrollment Agent.

   4. Select Save.

5. Configure the request template in Workspace ONE UEM so that services in the console, like wifi, email, and VPN, can request secure communication with the configured certificate authority.

   1. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Certificate Authorities > Request Templates tab and select Add.
   2. Select the certificate authority you created previously. This step sets up the available options in the Certificate Template - Add/Edit window.
   3. Set the Issuing Template to either the default user template or the custom user template you configured earlier.
   4. Set the Requester Name to the lookup values {EmailDomain}{EnrollmentUser} for best results. Select user-specific lookup values. Device-specific lookup values are not supported.
   5. Click Save. You can stop here in the process unless you need to establish permissions on the VMware AirWatch Cloud Connector.

6. In some cases, steps used to configure the VMware AirWatch Cloud Connector may not be sufficient to establish the proper permissions required to log in to the server. Troubleshoot the permissions using a suggested method.

   1. Create a service account with full permissions. A service account runs the VMware AirWatch Cloud Connector servic5. Current service account permissions are subject to change if the permission levels can be successfully lowered.

      1. Add permissions for members of the following groups in Active Directory.
         • Domain Users
         • Enterprise Admins
         • Remote Desktop Users For example, the screen shot displays the permissions for the service account ‘caadmin’.
      2. Configure permission on the certificate authority (CA) server.
         • Member of Local Administrator Group. For example, the screen shot displays Local Administrator Group permissions on the CA Server.
         • Full permissions on the Certification Authority. For example, the screen below displays the full compliment of available permissions for ‘caadmin’.

   2. Use alternate VMware AirWatch Cloud Connector configuration.

      1. On the VMware AirWatch Cloud Connector server, run services.msc.
      2. Locate and stop the Cloud Connector service.
      3. Right-click the Cloud Connector service.
      4. Select Properties.
      5. Select the Log On tab.
      6. Under Log on as:, choose This account and Browse for the service account you created.
      7. Enter and confirm the password.
      8. Launch the Microsoft Management Console (mmc.exe) and open the personal certificate store of the local computer. Ensure you are logged in with an account that has admin permissions for both the VMware AirWatch Cloud Connector server and the domain, otherwise you may not be able to access MMC and also add a domain user to manager the private key.
      9. Select the Restricted Enrollment Agent.
      10. In MMC, right-click the Restricted Enrollment Certificate you added and select All Tasks and then Manage Private Keys.
      11. Add the service account and set read permissions.
      12. Click OK to save settings and close the Properties page.
      13. Add the service account to both the VMware AirWatch Cloud Connector and the Secure Channel Certificates.
          • Both these certificates are issued by the Device Services Child Certificate.
          • They are issued to AW Cloud Connector - VMware Enterprise Systems Connector and AW Cloud Connector - [OG Name].
      14. From services.msc, manually start the Cloud Connector service.

What to do next

If you see one of these error messages, review some troubleshooting tips.

• The system cannot find the file specifie4. 0x80070002 (WIN32: 2) The REA signing certificate might not be present on the console/DS server’s certificate stor5. You might have added it using your SSO AD user. These AD user-uploaded MMC certificates remain specific to that instance since they are not Network Admin users. Therefore, airwatchdev\svcscep (the network admin) cannot access the private key of REA certificate uploaded using awsso \shwethan.

  When adding an REA signing certificate to MMC, make sure you log in as the network admin (airwatchdev\svcscep). Then add the signing certificate to the certificate store and give proper network service access to it so that other network admin users can also access it.

  When you provide Service Account credentials on the CA configuration page in the Workspace ONE UEM console, the console/DS server performs a remote call to the server hostname using these service account credentials.

• Object reference not set to an instance of an object The CA server received the certificate request, but the policy module denied the request. The denial happens either because the LDAP forest referrals are not set (Step 1 of CA server), or because the user domain used is not correct or not associated with the CA server.

  For Issued certificates on the CA server, only requests from the Airwatchdev domain are processe4. AWSSO domain requests are rejected (atl01devcs21 CA is synced only with Airwatchdev AD, not with AWSSO). Therefore, we changed the directory mapping on the LGs to Airwatchdev and users from this domain for enrolling devices. The profile lands on the device with the correct client certificate for REA.