On Thu, Aug 15, 2019, at 4:20 AM, Sumit Bose wrote:
> On Tue, Aug 13, 2019 at 02:05:06PM -0400, James Cassell wrote:
> > Good afternoon,
> >
> > I'm working on a migration from Centrify to SSSD with Active Directory.
> > Everything works quite well except for one item. Centrify has a feature to request a
> > certificate from the AD CA that is automatically granted, given the AD credentials. This
> > is used for wired 802.1x authentication, among other things.
> >
> > Is there a way to get an AD cert via SSSD or related tools such as adcli? (Centrify
> > calls this command 'adcert'.)
>
> Hi,
>
> it looks like AD CS with NDES can support SCEP
> (https://tools.ietf.org/html/draft-gutmann-scep-14). Please see
> https://blogs.technet.microsoft.com/jeffbutte/2016/12/16/236/ for
> details.
Thanks for the links! I did take a look at those. It looks like certmonger even supports
the same scep protocol, but it seems that it requires a one-time PIN to register, which is
an out-of-band manual process as far as I can tell. Red Hat even has some docs on it:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
Seems like it would be convenient to have the one-time challengePassword (as it's
called in the spec) be (derived from) an appropriate kerberos service ticket, (but
that's just conjecture.) Somehow, this "just works" on Windows hosts with
the auto-enrollment AD policy (as also with Centrify on Linux), but I don't know how;
it could be (a variation on) scep for all I know.
Thanks for taking a look!
V/r,
James Cassell
> HTH
>
> bye,
> Sumit
>
> >
> > Thanks in advance!
> >
> >
> > V/r,
> > James Cassell