Auto-Enrol Exchange

What is Auto-Enrolment?

Auto-enrolment is a Windows-specific protocol that allows Microsoft Windows devices to request certificates from their domain without manual intervention. The protocol covers not only renewals but also new requests: when a client joins a domain, Group Policy informs it of the certificates it needs to request. In most cases, no user interaction is required.

Issues Encountered with Auto-Enrolment

In theory, stock-standard Auto-Enrolment sounds like a great thing but the reality is these certificates can cause considerable security gaps and they can frequently cause disruptive outages if they are not properly monitored. In addition, finding these certificates before they expire can cause major headaches.

There is a constant need to audit issued certificates to identify those that are out of policy or that use outdated keys or algorithms. Certificate templates may be misconfigured, and auto-enrolled certificates sometimes fail to renew. If these certificates are not monitored, such problems go unnoticed until they cause an outage or leave a weak certificate in service.

For many services, auto-enrolment lets a domain treat a Microsoft CA as though it were local to its environment, even when it is not. While this has worked well, the traditional approach depends on DCOM, which requires a range of RPC ports rather than a single one. In zero trust environments where network segmentation has been achieved, the number of ports that must be opened for this solution to work represents a real risk.

Introducing Jellyfish Auto-Enrol Exchange (AEX) and Auto-Enrol

Jellyfish provides support for the Windows Auto-Enrol Exchange feature set through the Jellyfish Auto-Enrolment service. It provides a platform by which certificates can be issued by a Jellyfish Certificate Authority and deployed to Windows users and devices using Active Directory Group Policy. This is achieved by a client-side IIS web service which interfaces with the Jellyfish Portal to provide access to the Jellyfish Auto-Enrolment framework. Auto-Enrolment is deployed as Group Policy Objects. Control over additional Certificate Template fields is also configurable within the Jellyfish Portal interface.

It is a truth universally acknowledged that the manually issued certificates (SSL/TLS certificates) in your organisation are more likely to be actively managed, while the Active Directory (AD) auto-enrolment certificates may be left out in the cold. This is likely due to the scale of digital certificates in use and the limited IT resources many organisations devote to managing certificates.

The Cogito Group auto-enrolment feature supports the MS-WCCE protocol through DCOM, through to Microsoft’s newer approach of MS-XCEP and MS-WSTEP. Our service is secure, reliable, and available; the backend service instance is highly available. Embedded, secure channel communications replace the need for other forms of encryption such as VPNs. The ability to filter all components of received requests against defined certificate policies is another advantage provided by the auto-enrolment service. Needing only one port open through the firewall, by default the standard HTTPS port 443, is also a benefit to many organisations.

Autoenroll Overview

The key benefits include:

– Ease of set-up – you simply need to run the installer to start using Auto-Enrol. This removes the work of installing and configuring IIS and an IIS website; Jellyfish does all of that for you.

– Jellyfish manages the certificate templates for you. You don’t need to coordinate alignment of templates or Windows security.

– Deployed through Active Directory Group Policy as an Enrolment Policy Server.

– Highly available and redundant, configured through Active Directory Group Policy.

– Available through the Jellyfish Web portal, not requiring a VPN (although one may be used).

– Installed as a Microsoft Internet Information Services (IIS) Web Site.

– Improved logging through Windows Event Viewer; logs have been written with a focus on intuitive debugging.

– Modern and feature rich Installer, Uninstaller, and Repair tool.

– Written using ASP.NET Core 5 for speed and extensibility.

– Secured using Mutual TLS and protected by the Jellyfish permissions system.

– Implements the MS-XCEP and MS-WSTEP protocols in line with Microsoft Recommendations and Guidelines.

– Fully integrated with the Jellyfish Certificate enrolment framework.

– Certificates available from multiple competing Certificate Authority solutions (not limited to just Microsoft Certificate Services).

– Multiple Certificate Template support.

– Certificates available to view and revoke through the Jellyfish portal’s credential search functionality, including search filters specifically for Auto-Enrolment certificates.

– Certificate Subject and Subject Alternative Names can be configured to be collected from a variety of Active Directory fields and included in Auto-Enrolment certificates.

– Auto-Enrolment certificate issuance tallies and pricing are available through the Jellyfish Invoice reporting functionality.
