Active Directory Certificate Services (AD CS): Explained

There are many components involved in running a certificate-based network. You need to establish trusted servers and certificate authorities (CA), make sure devices can enroll for certificates, authenticate users, manage the certificate life cycle, segment users for different group policies, and much more.

Microsoft offers their own CAs so Microsoft-based environments can implement a Public Key Infrastructure (PKI). PKIs are becoming more popular in the network security field because they enable electronic workflows and provide SSL server and email security, just to name a couple.

What Do Microsoft CAs Have to Offer?

Organizations running on Microsoft environments can use a Microsoft CA to leverage Active Directory and Microsoft certificate services to distribute certificates to all your domain-connected devices through group policies. Microsoft CA services are also free (technically, although human resources required to run them actually make them one of the most expensive PKI solutions) because they’re included in the Windows server.

Working with AD CS

Active Directory Certificate Services (AD CS) is a Windows server designed to issue digital certificates. Certificates have proven to be more secure and easier to use than passwords. Microsoft realized this and deployed AD CS to help Microsoft environments take advantage of certificate benefits.

NDES

Network Device Enrollment Service (NDES) is an AD CS role designed to streamline the certificate enrollment process by decreasing or limiting the necessity for passwords. NDES uses the SCEP gateway so devices without credentials are able to enroll for certificates.

End users can request multiple certificates with one or no passwords. NDES makes it possible for BYODs to gain network access.

How Windows Servers Handle AD CS

Public Key Infrastructures (PKIs) are set up in order to implement and manage digital certificates. Microsoft has periodically released new servers to stay up to date with the expanding certificate environment.

AD CS and Windows 2008 R2

While the function of certificate services has been a feature for previous iterations of Windows servers, the 2008 R2 release was the first one with a built-in AD CS certificate authority. 2008 R2 servers are common for organizations who don’t have a third party solution to verify certificates and just use a Standalone CA. With the rise in cloud-based network services though, standalone CAs might not cut it anymore for certificate services (we’ll discuss more about this further down).

AD CS and Windows 2012 R2

Windows 2012 R2 servers support a policy that allows NDES implementation so devices have an easier way accessing the network. NDES also makes it possible for BYODs to gain network access. 2012 R2 servers also come with new Windows PowerShell commands to restore and backup your CAs.

However, you must install your own policy module, either from a third-party or create one yourself.

AD CS and Windows 2016

As with previous deployments of Windows servers, the 2016 server implements a few hotfixes to improve certificate management, making it easier to check the status of multiple certificates at a time. Other Improvements include increased support for TPM key attestation for smart cards. Devices not on the domain can use NDES to get certificates for TPM attestation.

Is Active Directory Certificate Services (AD CS) a PKI?

AD CS isn’t technically a PKI, it provides a platform to build and implement a PKI. AD CS is linked to Active Directory, a Windows server that acts as a database. AD CS gives you the ability to build a PKI to push out certificates to devices on the network.

Getting AD CS to issue certificates onto every device sounds like an arduous task, which it can be if done manually. Luckily SecureW2’s PKI software can integrate with your AD-domain servers to set up auto-enrollment configuration policies.

Using Standalone CAs For AD CS Servers

A common practice for running AD CS is setting up an Offline root CA and assigning multiple intermediate CAs to it. Standalone CAs don’t require domain access, meaning they can remain offline for most of the time. Store the offline CA somewhere safe and use the intermediate CAs to enroll devices for certificates.

The offline CA method is noted for its security, but is becoming obsolete for an industry that is rapidly migrating to cloud-based environments. Online Enterprise CAs can offer far more advantages and match the security of offline CAs. The key is configuring your network to implement network security policies, which Standalones are incapable of handling.

Standalone CAs simply don’t have the ability to automate monotonous tasks such as enrollment. They do not offer certificate templates, meaning every certificate request must be made manually and approved by a CA manager, which is time consuming.

Set Up AD CS Server With Enterprise CAs

Enterprise CAs are better suited for certificate environments because they support certificate templates and can automate certain tasks like enrollment and certificate requests. Admins can configure templates and add them to the Enterprise CA for certificate issuance. Key archival and recovery is another advantage of Enterprise CAs; if you happen to lose a private key, it can be recovered and dealt with instead of risking it falling into the wrong hands.

APIs can automatically create a certificate request, send the request to the CA, and retrieve the certificate after being approved by the CA. All of this can be done without any end user interaction, removing the burden of misconfiguration. Enterprise CAs also have the advantage of working with On-Prem Connectors.

Can I use AD CS with my Mobile Device Management (MDM) Software?

Yes, many MDMs provide a connector to transfer all communications between the MDM and AD CS server.

Let’s take Jamf for instance, who offers a technical guide on how to install Microsoft CA’s and run AD CS. Jamf Pro can be installed onto your AD-domain infrastructure and you configure AD CS as a CA and distribute AD CS certificates to managed devices.

SecureW2 PKI MDM solutions can integrate with AD CS and your MDM provider to create AD CS certificates and distribute them all to managed devices through a SCEP gateway. Using our Management Portal, you can input your AD CS information and create a custom CA.

If you use SecureW2’s PKI, it can be directly integrated to your MDM and you can either skip AD CS entirely or import the AD CS CA to issue certificates to all managed devices. SecureW2 offers strong Gateway APIs for certificate enrollment, which we’ll go over in more detail further down.

You can configure your MDM settings to add the custom CA and have your MDM software distribute AD CS certificates to all Managed Devices.

Downsides with AD CS

Microsoft CAs Can Be Difficult to Use

It’s not an easy task deploying and managing a Microsoft CA. You will need a dedicated team with PKI experience in order for the implementation to go smoothly. After the setup, your team needs to stay up to date with best PKI practices to maintain uptime and reliability. That involves a lot of meetings and decisions to be made.

Microsoft CAs Can Be Expensive

Remember when we mentioned that Microsoft CAs are technically free, that’s the software. Microsoft CA’s come with hidden costs of hardware, hiring a team of experts and annual maintenance by that team of experts. Those expenses can add up, making the claim of “free” virtually meaningless.

AD CS Binding Issue With macOS Devices

Microsoft Group Policies (GPO) do not work on Mac devices, so admins are left looking for alternative solutions to push out configuration policies. In fact, a common best practice is to avoid binding altogether, instead opting for an AD CS Connector to get AD CS to work with your cloud environment. Popular MDMs like Jamf and Airwatch offer their own AD CS Connectors.

Cross-Site Scripting AD CS Exploitation

Cross-Site Scripting (XSS) is a type of attack where the perpetrator “injects” scripts into a web browser. Once the victim accesses the web browser, the scripts will execute malicious code that can farm credentials, change website content, or redirect to another page.

XSS attacks can happen in AD CS because the Web Enrollment does not properly sanitize user input, meaning nothing checks the user input before it’s stored in a database. Unsanitized user input can also lead to SQL injections.

Migrating from AD CS to the Cloud

AD CS relies on on-premise PKI hardware to manage certificate services. Cloud-based PKI solutions are becoming more widely used due to their versatility and cost-effectiveness. Any organization that’s not completely reliant on Microsoft products will experience issues. Instead of spending time troubleshooting issues to fix AD CS, organizations are looking for cloud PKIs that require less maintenance.

AD CS can only be run on-premise, which is not ideal for an industry quickly moving to the cloud. AD CS admins often feel that they have to maintain their current AD CS on-premises infrastructure because they see no cloud-based alternatives.

Luckily, there are cloud-based alternatives. Here at SecureW2, we offer an easy-to-use Managed PKI that was built from the ground up for the cloud. It comes built with the industry’s #1 rated device onboarding solution, to ensure all devices are properly enrolled for certificates, and features industry-exclusive certificate management solutions.

Securely Configure AD CS For Certificate Enrollment

SecureW2 PKI solutions not only make it easy to distribute and manage certificates, but AD CS can be integrated so your organization will be able to successfully migrate to the cloud. By integrating our software with your current PKI infrastructure or creating a new PKI with us, deploying certificate-driven security will be safe and easy to manage.

With SecureW2, your organization no longer needs to be held back from going to the cloud because you have on-prem AD CS hardware. Our services are easy to use and cost-effective, which you can find here.

Can I still Use AD CS After Migrating to Azure AD (Microsoft Entra ID)?

Many admins looking to transition to Azure are unsure how to implement a PKI on the cloud, or if it’s even possible. With SecureW2, you can easily setup your own cloud PKI without needing to overhaul your entire network infrastructure.

Azure can be integrated with SecureW2 to not only deploy certificates, but have devices enroll for certificates automatically. Azure’s Single-Sign-On feature starts the end user authentication process and devices are configured for self-enrollment. The certificate is configured to expire at a date pre-determined by the organization. No end user interaction required and no time spent by admins manually enrolling every device.

Microsoft Azure AD for BYODs

Azure can easily integrate BYODs with SecureW2, redirecting users to Azure Single-Sign-On. End user devices can automate self-service and enroll for a certificate. Organizations no longer have to be tied up managing outdated hardware, like AD-domain servers.

Microsoft Azure AD for Managed Devices

For managed devices, many organizations with Azure use Microsoft’s MDM, Intune. SecureW2 can integrate with Intune by creating a SCEP gateway to distribute certificates to managed devices.

Cloud PKI Solutions For Operating Systems

Deploying and managing a PKI is much simpler on the cloud because you can access it from anywhere and automate menial tasks. As we’ve covered, one of the menial tasks is making sure every device is enrolled for a certificate. Manually configuring devices for certificated is a thing of the past, even for environments that use AD CS.

Managed macOS

MDMs that run Apple devices can integrate with SecureW2 to create a powerful gateway that allows payloads to pass from servers to devices. You can configure those payloads to include policies that allow devices to request certificates automatically. SecureW2’s Management Portal allows you to see who’s on the network, when they’re on the network, and who’s been revoked.

Managed Windows OS

For Active Directory domain-joined devices, using SecureW2’s industry-first technology allows IT administrators to auto-enroll their Windows system for user and machine certificates with no infrastructure changes to their environment.

Managed Chromebooks

SecureW2 software can leverage a powerful Chrome extension with Google-approved communications, every managed Chromebook can have an individual user auto-enroll for certificates.

Running a certificate-based network seems like a daunting task, especially for AD CS environments that require on-prem servers. Luckily, SecureW2 offers a solution that can migrate your environment to the cloud. You can ditch or keep your AD CS servers and don’t need to overhaul your entire infrastructure. Certificate-based networks have a lot of components, but our services are easy to set up, manage, and cost-effective. Click here to see our pricing.