Create User and Computer Certificates with Auto Enrollment using Server 2019

  • Published on 14 Oct 2024

Comments • 48

  • @papajohnscookie
    @papajohnscookie 2 years ago +4

    Thanks for the succinct video, I really didn't feel like going back over Microsoft documentation again! You've gained a subscriber

    • @NetworkWizkid
      @NetworkWizkid 2 years ago

      Welcome aboard! Thank you for your support.

  • @carlcilenti9981
    @carlcilenti9981 2 years ago +4

    Simple, straightforward, just what I needed. Thank you, keep them coming

    • @NetworkWizkid
      @NetworkWizkid 2 years ago

      Thank you Carl and thank you for watching.

  • @draganradovac8803
    @draganradovac8803 7 months ago +1

    Thanks for the simple walkthrough

  • @Twigster1
    @Twigster1 2 years ago +2

    Hi - great video thanks!!
    Do you happen to have the steps/roles installed on the server please as I'm trying to create a similar setup and not so sure what Windows Features need to be installed to attain the setup you have?
    Thanks in advance

    • @NetworkWizkid
      @NetworkWizkid 2 years ago +1

      Thank you for watching and I'm glad that you've found it helpful.
      You can see the roles installed at the start of the video. AD CS, AD DS, DNS and IIS are probably the most important ones. I hope that helps.

    • @Twigster1
      @Twigster1 2 years ago

      @NetworkWizkid Thanks for the reply, appreciate it. I was more wondering what sub-roles (6 to choose) you included as part of the setup please, i.e. Cert Enrollment Policy Web Service, Cert Enrollment Web Service, Cert Authority Web Enrollment etc?

    • @NetworkWizkid
      @NetworkWizkid 2 years ago

      No problem! Ok, so I've taken a look and have the following:
      AD CS - Certificate Authority, Certificate Authority Web Enrollment Service and Online Responder
      Web Server (IIS) - Web Server and Management Tools
      DNS and AD DS are just standard.
      Hopefully that answers your question.

  • @TheTomcatUK
    @TheTomcatUK 1 year ago +2

    Great video, I did however have one slight issue: when trying to add "new template to issue", the new template I had created wasn't showing. Fixed with the following PowerShell commands.
    certutil -setcatemplates +User-Modified
    certutil -setcatemplates +Computer-Modified

    • @NetworkWizkid
      @NetworkWizkid 1 year ago

      Thank you for watching and sharing that addition. I've not come across that issue but good to know nevertheless.
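
Added example, not from the commenter or the video: one way to check whether the duplicated templates are published on the issuing CA and publish any that are missing, using the ADCSAdministration cmdlets instead of raw `certutil`. The template names are the ones quoted in the comment above; the assumption is an elevated PowerShell session on the CA itself.

```powershell
# Added example. Assumes: elevated session on the issuing CA, AD CS role installed
# (the ADCSAdministration module ships with the role).
Import-Module ADCSAdministration

# Template names taken from the comment above; replace with your own duplicated templates.
# Use the template name (CN), not the display name shown in the console.
$wanted = 'User-Modified', 'Computer-Modified'

# Templates this CA is currently configured to issue.
$published = (Get-CATemplate).Name

foreach ($name in $wanted) {
    if ($published -contains $name) {
        Write-Host "$name is already published on this CA"
        continue
    }
    try {
        # Same effect as: certutil -setcatemplates +$name
        Add-CATemplate -Name $name -Force -ErrorAction Stop
        Write-Host "$name published"
    }
    catch {
        # Common causes: the new template has not replicated to the domain
        # controller the CA reads from yet, or a display name was supplied.
        Write-Warning "Could not publish ${name}: $($_.Exception.Message)"
    }
}

# Confirm the final state on the CA.
Get-CATemplate | Where-Object { $wanted -contains $_.Name } | Select-Object Name

# On a domain-joined client, once the template is published and the
# auto-enrollment GPO applies, refresh policy and trigger enrollment:
#   gpupdate /force
#   certutil -pulse
```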

  • @MohamedRoushdy
    @MohamedRoushdy 1 year ago

    Thanks a lot, quite insightful. I have a question please, what if you need to define which cert template a computer should use for autoenrollment, where to define the template name in GPO? Thanks,

    • @NetworkWizkid
      @NetworkWizkid 1 year ago +1

      Thank you for watching. I believe that's done by creating OUs for certificates but I advise you to check the documentation from Microsoft.

  • @mariomazu
    @mariomazu 5 months ago +1

    Looking forward to more of your videos, thank you!

    • @NetworkWizkid
      @NetworkWizkid 5 months ago

      Thank you and thank you for watching.

  • @tpatch3971
    @tpatch3971 3 months ago

    Thank you so much, right to the point. This is going to help me soo much.

  • @yamenjairoudi60
    @yamenjairoudi60 1 year ago

    Thank you, it is so helpful. I would like to ask, how can we use these certificates to encrypt files and assign only authorized users to open them?

    • @NetworkWizkid
      @NetworkWizkid 1 year ago

      Thank you for watching! I recommend that you look at OpenPGP or look for a guide on how to encrypt files based on the OS that you're using.

  • @tmcgov06
    @tmcgov06 4 months ago

    Great video. I am running into an issue on my domain-joined computer. The MMC snap-in for Certificates only allows me to add Current User, no option for Local Computer. Any ideas?

    • @NetworkWizkid
      @NetworkWizkid 4 months ago

      Thank you!
      Ensure that you're logged in as an admin on the machine and try again.

  • @TJ-op3ho
    @TJ-op3ho 1 year ago +3

    Great Work!

  • @cacousins2000
    @cacousins2000 2 years ago +1

    I would give a thousand likes to this video

    • @NetworkWizkid
      @NetworkWizkid 2 years ago

      I appreciate it Colin and I'm happy that you found it useful, thanks for watching.

  • @shajiljohn
    @shajiljohn 2 years ago

    Hello, awesome stuff. I tried the same for my 2012 servers, but can't get the User Certificates.
    Do you offer your services as a freelancer?

    • @NetworkWizkid
      @NetworkWizkid 2 years ago

      Hi Shajil,
      Thank you for watching - please reach out to me at networkwiizkiid@gmail.com

  • @Trevorodunne
    @Trevorodunne 5 months ago +1

    Brilliant video thanks

  • @devonhepoz3487
    @devonhepoz3487 2 years ago

    Hi, I hope you can answer my question because I'm stuck haha. If I copy/clone the "workstation authentication" template, how can I be sure that it's going to be used in the autoenrollment process? Thank you!!

    • @NetworkWizkid
      @NetworkWizkid 2 years ago

      You could just create a new OU for Computers and one for Users. Then computers and users in those OUs would be issued certificates that are linked to them.
      Hope that helps and thank you for watching.

  • @GentlemanDriver88
    @GentlemanDriver88 2 years ago

    Hello Wizkiid. I am an entry level desktop support tech, and I am having a very unique issue with certs after reimaging/baselining machines. What is a way to connect with you? I would love some insight.

    • @NetworkWizkid
      @NetworkWizkid 2 years ago

      Hey Andre, thanks for reaching out. I'm sorry but I don't offer personal consulting. I suggest that you check with Microsoft support and their documentation for more information.

  • @blissweb
    @blissweb 2 years ago

    Very cool black magic type stuff. However, what does this certificate allow us to do ?? I was looking for something which would allow login without password. Or is this just in addition to the password ??

    • @NetworkWizkid
      @NetworkWizkid 2 years ago +2

      Thank you for watching!
      When you say 'login' I assume that you're referring to logging into say a Windows system where you typically use a username and password? If that is the case, then what we are achieving here is different.
      This video looks at how we can automatically deploy user and machine certificates that can be used for network level authentication. For example, this method could be used to push certificates to users and computers where Cisco ISE is deployed with policies that mandate that in order to access the network, EAP-TLS must be used (certificate authentication). Furthermore, within those policies could be rules that look for certain elements within a certificate before being able to authenticate.
      Here is a video example: th-cam.com/video/m2XARBDY86o/w-d-xo.html
      If you're referring to the latter that I mentioned at the start of this response then check out this post: support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf
      Furthermore, if you're interested in passwordless 2FA authentication for logging into systems such as Windows-based OS', keep an eye on Duo as they have some cool stuff in the works. duo.com/trial
      Bit of a long response, however, I hope that makes sense and again, thanks for watching.

  • @esamalaslmy
    @esamalaslmy 2 years ago +1

    Thank you. That was helpful

    • @NetworkWizkid
      @NetworkWizkid 2 years ago

      Glad it was helpful! Thank you for watching.

  • @praveendsouze
    @praveendsouze 2 years ago

    Hi, I'm planning to connect all the domain computers to Wi-Fi (Cisco Meraki). I need machine authentication because if it's user authentication, computer policy won't be applied. At present I have two DCs; is it okay to install the CA on a different server? And what do I need to select, Enterprise CA or Standalone CA? Ours is a mid-sized company, roughly 350-400 users.

    • @NetworkWizkid
      @NetworkWizkid 2 years ago

      Hey, thank you for reaching out and for watching. I would think your question would be better suited in a Microsoft forum. However, here is a good answer to part of your question; serverfault.com/questions/826444/difference-between-microsoft-adcs-standalone-ca-and-enterprise-ca - Maybe look at how to create a sub-ca for one of your domain controllers and have the other acting as the root CA. I hope that helps and good luck.

  • @igorbalter
    @igorbalter 2 years ago +1

    Thank you, great video!

    • @NetworkWizkid
      @NetworkWizkid 2 years ago

      No problem, thank you for watching.

  • @SmoovSloMo
    @SmoovSloMo 3 years ago +1

    Great content!

    • @NetworkWizkid
      @NetworkWizkid 3 years ago +1

      Thank you Sasha for your support, it means a lot.

  • @VargaBacsi
    @VargaBacsi 10 months ago

    My computers are enrolling for new certificates every time they reboot. I have followed everything in this video to a t. Any ideas?

    • @NetworkWizkid
      @NetworkWizkid 10 months ago

      Seems like strange behaviour, are the previous certificates being revoked when the new certificate is enrolled? What OS are you running?

  • @maheshsaini4754
    @maheshsaini4754 2 years ago

    Hi,
    I have a requirement to authenticate my AD user with smart card authentication (PKI). Can you help me with what I need to configure on my AD server so that the user first authenticates with the smart card PIN?

    • @NetworkWizkid
      @NetworkWizkid 2 years ago

      Hey, thank you for watching.
      Try this article: learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows

  • @nazirshah9900
    @nazirshah9900 9 months ago

    Hello, I followed all the steps but the certificate is not getting issued and pushed to clients

    • @NetworkWizkid
      @NetworkWizkid 9 months ago

      You must be missing something! Maybe watch the video again or check the support documents from Microsoft