Certificate templates on custom attributes

Hal3s510 1 Reputation point
2020-09-11T10:05:45.493+00:00

Hey guys,

I have a 2-tier enterprise PKI in my on-premise AD domain and I was asked to enroll user certificates with the common name or the SAN based on the attribute sAMAccountName. Since the default CA policy module supports only fixed attributes like UPN, SPN, email and DN, I asked MS and the answer was: use MIM CM or write your own custom CA policy module.
MIM CM proposal has been rejected internally due to high level of complexity and the same for the "write-your-own-custom-CA-policy" by our dev-ops for difficulties in maintaining such an application.

Besides having been rejected, if I am not wrong MIM CM wouldn't support auto-enroll for certificates, therefore users would have to connect to the MIM portal and request/download/install it manually. So, no automation here.
Am I right?

The second proposal seems not technically feasible, as it is recommended for stand-alone CAs only, not for an enterprise CA like mine:
https://video2.skills-academy.com/en-us/windows/win32/api/certpol/nn-certpol-icertpolicy

Maybe someone here had to deal with this already and solved it in another manner?

Thanks


2 answers

  1. Daisy Zhou 20,791 Reputation points Microsoft Vendor
    2020-09-14T02:00:36.293+00:00

    Hello @Hal3s510 ,

    Thank you for posting here.

    > Besides having been rejected, if I am not wrong MIM CM wouldn't support auto-enroll for certificates, therefore users would have to connect to the MIM portal and request/download/install it manually. So, no automation here.
    > Am I right?

    A1: Certificate auto-enrollment is configured per certificate template, I mean we should check the Read, Enroll and Autoenroll permissions on the corresponding certificate templates.

    First, auto-enrollment does not happen automatically. Group policy must be set to allow clients to auto-enroll and the types of auto-enrollment allowed. Next, that policy must be pushed out to all of the clients in the domain. Lastly, the certificate authority registered to that domain must have the templates issued for the certificates to be auto-enrolled. These include machine/computer, domain controller, and user certificates.

    The link you mentioned does not give any information about certificate auto-enrollment.

    I am not sure how MIM CM works.

    Meanwhile, you can post your question on the Microsoft Identity Manager forum so that a dedicated support professional can further assist you with this request.

    Microsoft Identity Manager
    https://social.technet.microsoft.com/Forums/en-US/home?forum=ilm2&sort=lastpostdesc&brandIgnore=true&page=7

    Reference
    Deploying Microsoft Identity Manager Certificate Manager 2016 (MIM CM)
    https://video2.skills-academy.com/en-us/microsoft-identity-manager/mim-cm-deploy

    > The second proposal seems not technically feasible, as it is recommended for stand-alone CAs only, not for an enterprise CA like mine:
    > https://video2.skills-academy.com/en-us/windows/win32/api/certpol/nn-certpol-icertpolicy

    A2: From the link you mentioned, it seems you are right.

    Here is a similar case for your reference.

    Autoenrollment using custom subject name
    https://social.technet.microsoft.com/Forums/office/en-US/6c852c72-a65a-40ad-b87a-3306c2940884/autoenrollment-using-custom-subject-name?forum=winserversecurity

    Thank you for your understanding and support.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

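    One way to carry out the check the answer describes (Read/Enroll/Autoenroll on the template, plus the auto-enrollment policy state on the client), as an added PowerShell example that is not part of this thread. It assumes the RSAT ActiveDirectory module is available and uses the placeholder template name `UserSAM`.

```powershell
# Added example, not from the thread. Audits the ACEs that control who can read,
# enroll and auto-enroll a certificate template, and reads the client-side
# "Certificate Services Client - Auto-Enrollment" policy value.
Import-Module ActiveDirectory

# Well-known schema GUIDs of the two extended rights used on template objects
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$ExtRight       = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenRead        = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

function Get-TemplateEnrollmentAcl {
    param([Parameter(Mandatory)][string]$TemplateName)

    # Templates live in the forest Configuration partition, not in the domain partition
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tmpl = Get-ADObject -SearchBase $base -Filter "cn -eq '$TemplateName'" -Properties nTSecurityDescriptor
    if (-not $tmpl) { throw "Template '$TemplateName' not found under $base" }

    foreach ($ace in $tmpl.nTSecurityDescriptor.Access) {
        $rights = @()
        if ($ace.ActiveDirectoryRights -band $GenRead) { $rights += 'Read' }
        if ($ace.ActiveDirectoryRights -band $ExtRight) {
            if ($ace.ObjectType -eq $EnrollGuid)     { $rights += 'Enroll' }
            if ($ace.ObjectType -eq $AutoEnrollGuid) { $rights += 'Autoenroll' }
            # An all-zero ObjectType grants every extended right, so it implies both
            if ($ace.ObjectType -eq [guid]::Empty)   { $rights += 'Enroll', 'Autoenroll' }
        }
        if ($rights) {
            [pscustomobject]@{
                Template = $TemplateName
                Identity = $ace.IdentityReference.Value
                Type     = $ace.AccessControlType          # Allow or Deny
                Rights   = ($rights | Select-Object -Unique) -join ','
            }
        }
    }
}

function Get-AutoEnrollmentPolicy {
    # AEPolicy is written by the GPO setting: 7 = enabled with renew/update options,
    # 0x8000 = explicitly disabled, missing value = not configured (so no auto-enrollment)
    foreach ($hive in 'HKLM', 'HKCU') {   # computer and user policy respectively
        $path = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
        $val  = (Get-ItemProperty -Path $path -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        [pscustomobject]@{ Scope = $hive; AEPolicy = $val; Enabled = ($null -ne $val -and ($val -band 1) -and -not ($val -band 0x8000)) }
    }
}

Get-TemplateEnrollmentAcl -TemplateName 'UserSAM' | Format-Table -AutoSize   # placeholder template name
Get-AutoEnrollmentPolicy | Format-Table -AutoSize
```

    Run it on a domain-joined client as the user who is expected to auto-enroll; the template must also appear in the CA's issued-templates list for enrollment to happen.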

  2. Hal3s510 1 Reputation point
    2020-09-15T09:32:36.77+00:00

    Hi Daisy,

    Thanks for your quick reply.
    I found the same post with a case similar to mine and unfortunately it doesn't help me.
    I'll ask the same question on the other channel you proposed, the Microsoft Identity Manager forum.

    Luckily I managed to have a call with a MS representative in a couple of days on this topic. I hope that I can obtain the definitive answer for my question.
    If that's the case, I'll update this post here.

    Regards