![](/uploads/1/2/7/6/127658124/664304865.png)
I’m trying to understand how we can get certificates, based on the Computer template, onto our Macintosh OS 10.5.8 workstations (the Windows workstations are no problem). We are going to use Cisco’s ACS to control which wireless workstations can access our Intranet. Workstations with a “Computer” certificate issued by our CA will have access to our Intranet; workstations without a “Computer” certificate issued by our CA will be segregated onto a VLAN that can only access the Internet.
To enable Mac OS users to easily add files or edit files in the native apps that are installed on their computers, install the Edit Service client on users' workstations. About this task Note that the Mac Edit Service supports SAML SSO and Kerberos/SPNEGO SSO. May 07, 2017 Kerberos approval on Mac Hi, I am using a Mac for my work. However, lately i am unable to edit documents in my desktop applications. I keep being asked for Kerberos. I keep trying a bunch of different combinations, both my ID provided from my clients, and also the internal AD I have gotten from my Employer.
(We’re going to be doing something similar with our wired workstations shortly, but my immediate focus is wireless clients.) The certificate we need is based on the Computer template.While researching our options, I came across a discussion forum entry, from Tom Ranson (available at ). There may be another solution available (other than the one presented in the discussion forum entry), so feel free to suggest alternatives. I’m going to include an edited/formatted version (for readability) of the discussion forum posts at the end of this post. There are three posts in the discussion forum entry that apply specifically to my situation: Tom Ranson’s initial post on the MacOSX and Windows CA discussion Joe Fonte’s questions Tom Ranson’s reply to Joe Fonte’s questionsI’m going to be doing a few more tests, but I welcome any suggestions that might simplify the process. Perhaps scripting for the initial certificate request or the renewal request or anything else that we can explore?Some background information that may prove useful (the last two bulleted points make more sense after reading the discussion forum entry): We’re using AD CS on two Server 2008 R2 Enterprise boxes.
We have an Enterprise Root CA and an Enterprise Subordinate CA (used for issuing certificates). We have about 50K Windows workstations and about 10K Macintosh workstations. We have the wireless access working with Windows workstations. Active Directory and Certificate Services are working as expected.
As a test, before trying to follow any of Tom’s procedures, I issued a certificate to an XP virtual machine, exported it and installed it on a Mac (our Root CA was added to the Mac previously – so the certificate initially issued to the XP virtual machine would be trusted). The Mac wasn’t able to connect; the ACS reported that there was a problem with the certificate (the DNS entry in the certificate didn’t match the Mac’s name). (Our Mac workstations are domain members.) Next I removed the Mac from the domain, renamed my XP virtual machine to the Mac’s name (based on our naming standard), got the certificate issued to the XP virtual machine and exported it and installed it on the Mac, removed the XP virtual machine from the domain and added the Mac back onto to domain. Wireless worked. Based on this – I’m wondering if the 5 certutil command line entries (in the one‑time‑only modifications section – prior to Step 1a), Step 2a, Step 2b, and Step 2C are actually needed.Funnily enough, I tackled this issue only last week. We have a large user base of corporate Mac's (OS X 10.5.8 +) which required access to our 'Trusted Devices' WPA2‑Enterprise wireless network.
It was desired that we treat them in the same manner as our existing much larger Windows XP Professional client base - that being with PEAP‑TLS, 802.1x machine certificate authentication. Due to compatibility restrictions on the Mac client side, we have had to resort to the less preferable EAP‑TLS (i.e.
No PEAP tunnel) for these devices - it’s a risk we're willing to take.It was a real headache to break the back of it; however I can provide you with these notes which should help you. We are yet to 'polish' the procedure. The client side CSR generation isn't pretty, but it works - and it’s easy for all IT staff to work with.Our environment consists of a Microsoft PKI; Root CA with 3x Enterprise subordinates (automatic issuing of computer certificates to Windows clients) and now 2x new stand-alone subordinate CA's to handle non-domain integrated clients (i.e. Mac's and Linux machines). In short, these instructions demonstrate how to enrol and configure machine certificates for an Apple Mac client (tested with 10.5.8 +) and a Microsoft stand-alone CA environment.This documentation assumes you are working on a fully-patched out-of-the-box client and Windows 2003 R2 Enterprise Edition CA configuration (as of 1st September 2009). Hi all, I have had a hard time to get it working with Enterprise CA, but I have been succesfull in the end.I have duplicated the template we have used for windows clients since beginning. Added the SAN in the CertSrv web interface as additional attribute, but never realized that the SAN was ommited by the CA because of it's default config.Running following command 'certutil -setreg policyEditFlags +EDITFATTRIBUTESUBJECTALTNAME2' and restarting CA svc enabled SAN on the CAand since then I am able to enroll the correct certs and connect with macs to our corporate WiFi using the system EAP-TLS profile.byeLHPS: I forgot to mention, I have used the syntax 'host/computerFQDN' for the CN in the request.
Hi all,engaged in similar project to include MACOS in our certificate based authenticated WIFI network, I read with a lot of interest the various posts above and I ended up with the following question.Indeed if you allow certifcate to be exportable, how do you make sure the machine you are accepting on your network is really the one which it's supposed to be (and you manage as a corporate asset) and NOT an unmanaged machine where someone would haveimported the certificate of legitimate asset.To keep confidence shouldn't we have unexportable certificates?Thanks in advance for your help. Hi all, I have had a hard time to get it working with Enterprise CA, but I have been succesfull in the end.I have duplicated the template we have used for windows clients since beginning. Added the SAN in the CertSrv web interface as additional attribute, but never realized that the SAN was ommited by the CA because of it's default config.Running following command 'certutil -setreg policyEditFlags +EDITFATTRIBUTESUBJECTALTNAME2' and restarting CA svc enabled SAN on the CAand since then I am able to enroll the correct certs and connect with macs to our corporate WiFi using the system EAP-TLS profile.byeLHPS: I forgot to mention, I have used the syntax 'host/computerFQDN' for the CN in the request.Hi LH,This thread has possibly too deep for my needs! But your post has been really helpful for me to know that Mac devices can pickup certs from a Microsoft CA. So thanks for that:)My next query is whether or not iOS devices like the iPad can support autoenrollment of certs over Wi-Fi.
Manually cert provisioning is not scalable for enterprise.I'm thinking that they probably dont have this feature support natively but it oculd be achieved through an app? Hi all, I have had a hard time to get it working with Enterprise CA, but I have been succesfull in the end.I have duplicated the template we have used for windows clients since beginning. Hi all, I have had a hard time to get it working with Enterprise CA, but I have been succesfull in the end.I have duplicated the template we have used for windows clients since beginning.
![Kerberos client for windows Kerberos client for windows](/uploads/1/2/7/6/127658124/151601461.png)
Binding Mac OS X to Active Directory- Double check that the Mac OS X client is pointed to your AD server for DNS.- Open /Applications/Utilities and launch Directory Access.- Check the Active Directory plugin checkbox.- Click on the Configure. Leveraging Active Directory on Mac OS XVI.
![](/uploads/1/2/7/6/127658124/664304865.png)