BojanZivkovic-7448 asked BojanZivkovic-7448 edited

Certificate Enrollment Web Service/Policy Web Service research - cross-forest PKI certificate auto-enrollment

Hi, is it possible to use Certificate Enrollment Web Service/Policy Web Service to auto-enroll certificates to systems in forests without any trust with the forest where the 2-tier PKI resides? If so, how, for instance, will servers/desktops/laptops auto-enroll their certificates, such as the ConfigMgr client cert needed for HTTPS communication, since typical auto-enrollment is an AD/GPO "feature"? What "initiates"/"triggers" certificate auto-enrollment on a machine?

windows-server-security

Crypt32 answered

The answer is No. Cross-forest certificate enrollment requires a two-way forest trust. No exceptions.


DaisyZhou-MSFT answered

Hello @BojanZivkovic-7448,

Thank you for posting here.

If there is no two-way forest trust, we can try to deploy cross-forest certificate enrollment in an AD test lab according to the following article, if needed.

Starting with Windows Server 2008 R2, you can utilize Certificate Enrollment Web Services to provide certificates across forests that do not require forest trust relationships. For a lab demonstration of such a configuration using Windows Server® 2012, see the Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services.

For more information, please refer to link below.
Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services
https://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


BojanZivkovic-7448 answered DaisyZhou-MSFT commented

I followed the document above and could not find (if I did not miss it) the part where a system in an untrusted forest/non-domain joined got a certificate via autoenrollment. I guess if those two GPO settings are configured:

Certificate Services Client - Certificate Enrollment Policy
Certificate Services Client - Auto-Enrollment

a system in an untrusted forest/non-domain joined will get certificates automatically at the next GPO refresh. But what is also not covered is how to allow certificate auto-enrollment of a specific template in terms of permissions (to which security principals the read/enroll/auto-enroll permissions should be assigned).

I definitely do not want to go to each client/server in any untrusted forest and enroll certificates manually (for instance the ConfigMgr client certificate); it should be auto-enrolled, but here, as I said, I do not see auto-enrollment in action: everything is manual. Every document I found had some holes and this one is no exception.


Hello @BojanZivkovic-7448,

Thank you for your update.

Yes, you are right.

The document above does not mention that systems in an untrusted forest/non-domain joined will get certificates automatically.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
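As an added example, not posted by anyone in this thread and not Microsoft's own tooling, the script below audits on a single Windows machine the state that the two GPO settings named above ("Certificate Enrollment Policy" and "Auto-Enrollment") are supposed to produce, and shows what actually drives an enrollment pass. The autoenrollment client is run by the CertificateServicesClient scheduled tasks (at startup/logon and on their recurring schedule), and `certutil -pulse` starts a pass on demand; a GPO refresh only delivers the settings that pass then acts on. It does not change the answer given above about forest trust; it lets an administrator verify whether policy reached a given host and read the client-side outcome. It assumes Windows 8 / Server 2012 or later with the PKI PowerShell module available, an elevated session, and the registry path shown (an assumption, used only as a fallback for the cmdlets).

```powershell
# Added example (not from the thread): audit the machine-side auto-enrollment state
# controlled by the two GPO settings discussed above, and show what drives a pass.
# Assumes Windows 8 / Server 2012+ with the PKI module; read-only unless -Pulse is given.
[CmdletBinding()]
param(
    [switch]$Pulse   # when set, start an autoenrollment pass now with certutil -pulse
)

# 1. Effective "Certificate Services Client - Auto-Enrollment" policy for the computer.
#    PolicyState shows whether it is enabled, disabled or not configured on this host.
Write-Host "== Machine auto-enrollment policy (as applied) =="
Get-CertificateAutoEnrollmentPolicy -Scope Applied -context Machine | Format-List *

# 2. Enrollment policy servers the computer knows about ("Certificate Enrollment Policy").
#    With CEP/CES in use the CEP URL and its authentication type appear here; a plain
#    AD-integrated PKI lists nothing because LDAP-based policy is used instead.
Write-Host "== Enrollment policy servers (as applied) =="
Get-CertificateEnrollmentPolicyServer -Scope Applied -context Machine | Format-List *

# Fallback when the cmdlets are unavailable: the same policy data is stored under the
# policy hive (path assumed here, not taken from the thread).
$cepKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers'
if (Test-Path $cepKey) {
    Write-Host "== Policy servers from registry =="
    Get-ChildItem $cepKey | ForEach-Object { Get-ItemProperty $_.PSPath | Format-List * }
}

# 3. What actually triggers autoenrollment: the CertificateServicesClient scheduled tasks
#    (SystemTask for the computer, UserTask for users). A GPO refresh on its own is not the trigger.
Write-Host "== Autoenrollment scheduled tasks =="
Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' -ErrorAction SilentlyContinue |
    Select-Object TaskName, State | Format-Table -AutoSize

# 4. Optional: force a pass now instead of waiting for the task, then read the client's own
#    log entries to see whether it enrolled, renewed, or failed (e.g. no reachable policy server).
if ($Pulse) {
    certutil -pulse
    Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List
}
```

Run it as `.\Audit-AutoEnrollment.ps1` to inspect state only, or `.\Audit-AutoEnrollment.ps1 -Pulse` to start a pass and read the resulting AutoEnrollment events. An empty policy-server list together with an enabled auto-enrollment policy is the signature of a host that will try LDAP policy lookups against its own forest, which is exactly the case where a machine outside the PKI's forest sees no auto-enrollment activity.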

BojanZivkovic-7448 answered BojanZivkovic-7448 edited

I just would like to get 100% trustworthy information on this: whether auto-enrollment of certificates to systems in untrusted forests is doable using CEP/CES or not. If the answer is no, then I will tell my manager that the only option is establishing a two-way trust between forests, with selective authentication if InfoSec won't allow forest-wide authentication. In that design I do not see a place for CEP/CES. The difference between auto-enrollment and enrollment of certificates is huge, particularly in untrusted forests with hundreds or thousands of systems.
