Using the AD Sync Control Panel
Explanation of the AD Sync Control Panel
The AD Sync Control Panel is installed with the Appterix component of the AD Sync Service. The AD Sync Control Panel is located in the Utils folder of the AD Sync Service installation path (by default: C:\Program Files\EgoMind\EMADSyncService\Utils). It can be run as administrator on the AD Sync Service server.
The AD Sync Control Panel allows you to make changes to the server connection to the EgoMind platform, as well as to initialize the connection with the AD certification authority.
Furthermore, a health report can be generated for the AD Sync Service and the AD CS connection.
Server connection
You can obtain the server URL, client ID and client secret in the EgoMind platform's web interface under Settings > Integrations > Configuration settings > Login information after clicking the Generate button.
Note: Each click on the Generate button creates a new set of login credentials, which must then be entered in the AD Sync Control Panel. Treat the client secret like a password: it is what authenticates the AD Sync Service server to the platform.
For this step it is sufficient to open the AD Sync Control Panel as a local administrator; an Enterprise Administrator session is not needed.
AD CS connection
In order for AD certificates to be created and used on the YubiKeys via Appterix Enrollment, a few steps are required beforehand.
Log on to the AD Sync Service server as an Enterprise Administrator in an interactive session and start the AD Sync Control Panel 'as administrator'.
Note: Logging on to the server as an Enterprise Administrator is only required once, for this initialization.
In the AD CS Connect section, enter the same user name and domain name that you specified in the connection settings of the AD Sync configuration in the EgoMind platform.
In order for the user specified for AD CS Connect and in the AD Sync connection settings to issue certificates, that user must have the following:
– Membership in the domain as a domain user.
– Membership in the AD group Cert Publishers.
– The right to log on locally (interactive logon) on the AD Sync Service server.
Note: In some cases, logging in with the NetBIOS form (DOMAIN\user) leads to errors when establishing the AD CS connection. In these cases, enter the user's UPN (user@domain.extension) in the User Name field and leave the Domain Name field blank.
For CA Name, enter the name of the certification authority. You can obtain it with the certutil command line tool (certutil -dump): the Config: line of its output has the form host\CA name, and the CA name is the part after the backslash.
Then click Apply to allow the setup of the connection to the AD certification authority to be carried out in the background.
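The following pre-flight check is an added example and is not part of the EgoMind or Appterix product. It verifies, on the AD Sync Service server, the three requirements listed above for the account that will be entered under AD CS Connect, and it lists the CA names found in Active Directory so the right value can be entered under CA Name. It assumes an elevated Windows PowerShell session with the ActiveDirectory RSAT module installed; the account name 'svc-adsync' is an assumption and should be replaced with the real service account.

```powershell
# Added pre-flight check; this is not EgoMind/Appterix code. Run in an elevated Windows
# PowerShell on the AD Sync Service server with the ActiveDirectory RSAT module installed.
# The account name 'svc-adsync' is an assumption; pass your own with -ServiceUser.
param(
    [string]$ServiceUser = 'svc-adsync'
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. The account exists, is enabled and is a domain user.
$acct = Get-ADUser -Identity $ServiceUser -Properties UserPrincipalName, Enabled
"Account:  $($acct.DistinguishedName)"
"Enabled:  $($acct.Enabled)"
"UPN:      $($acct.UserPrincipalName)   <- use this as User Name (Domain Name blank) if DOMAIN\user fails"

# 2. Membership in the built-in Cert Publishers group, resolved recursively so that
#    membership through a nested group also counts.
$certPub = Get-ADGroupMember -Identity 'Cert Publishers' -Recursive |
           Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -eq $acct.SamAccountName }
"Cert Publishers member: $([bool]$certPub)"

# 3. Interactive logon on this server. The effective local policy is exported with secedit;
#    'Allow log on locally' is SeInteractiveLogonRight, stored as a list of *SID entries.
#    Group grants (e.g. BUILTIN\Users = S-1-5-32-545) are printed for manual review, and a
#    matching deny entry (SeDenyInteractiveLogonRight) always overrides an allow.
$inf = Join-Path $env:TEMP 'adsync-secpol.inf'
secedit /export /cfg $inf /quiet | Out-Null
$policy = Get-Content $inf
Remove-Item $inf -Force
foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
    $line = ($policy | Select-String "^$right").Line
    $sids = if ($line) { ($line -split '=')[1].Trim() -split ',' | ForEach-Object { $_.TrimStart('*') } } else { @() }
    $direct = $sids -contains $acct.SID.Value
    "${right}: user listed directly = $direct; holders = $($sids -join ' ')"
}

# 4. CA names for the CA Name field. Each pKIEnrollmentService object under Enrollment Services
#    is one CA: its CN is the CA name, and <dNSHostName>\<CN> is the config string that
#    'certutil -dump' prints on its Config: line.
$confNC = (Get-ADRootDSE).configurationNamingContext
$esBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$confNC"
Get-ADObject -SearchBase $esBase -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
    ForEach-Object { "CA Name: $($_.Name)    Config: $($_.dNSHostName)\$($_.Name)" }
```

Run it before clicking Apply. If the Cert Publishers check is false or the user appears in the deny list, the AD CS connection will not be able to issue certificates no matter what is entered in the Control Panel.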
Activities during automated AD CS configuration
Clicking Apply in the AD CS Connect section of the AD Sync Control Panel starts an automated configuration of Active Directory Certificate Services (AD CS) that creates the Appterix SmartCard Logon certificate template and makes it available for use.
In the background, a temporary PowerShell script is created and run in the interactive user session of the Enterprise Administrator who clicked Apply in the AD Sync Control Panel.
Note: If a virus scanner or similar software is in use, check whether it blocks the creation or execution of this PowerShell script.
The one-time initialization of the AD CS connection performs the following steps:
The script validates the target user and ensures that it is running in a domain environment (not on a stand-alone machine).
The predefined SmartCardLogon template is located and used as the basis for the new AppterixSmartcardLogon template, which is created and configured in the Active Directory container CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration…
The Access Control List (ACL) of the new AppterixSmartcardLogon template and of the predefined Enrollment Agent template is adjusted so that the user stored in the AD Sync Control Panel can read and enroll both. Because an Enrollment Agent certificate allows its holder to request certificates on behalf of other users, this account should be protected like any other privileged account.
certutil is used to publish the new Appterix SmartCard Logon template and the Enrollment Agent template on the Certification Authority (CA).
If publishing the templates fails, the script attempts to remotely restart the CertSvc (Certification Authority) service on the CA server.
Required temporary permissions during the initialization of the AD CS connection:
The user executing the AD Sync Control Panel requires write permissions in the path CN=Configuration,DC=…. These are typically rights of the Enterprise Admins group (or of the Domain Admins group of the forest root domain), as well as the right to modify permissions (Security tab) on objects in the "Public Key Services" container.
To publish templates with `certutil -setcatemplates`, the user needs the Manage CA permission on the CA (the CA Administrator role). To restart the CertSvc service if necessary (Restart-Service), local administrator rights on the CA server are required, and PowerShell Remoting or WMI must be enabled.
Temporarily required network and protocol permissions:
For the initialization of the AD CS connection, access to a domain controller over LDAP (TCP 389) or LDAPS (TCP 636) is required, as well as RPC/DCOM access to the certification authority for the certutil calls.
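The following script is an added example, not EgoMind/Appterix code. It checks what the one-time initialization described above should have left behind: that the template exists in the Certificate Templates container, that the service account holds Enroll on it and on the Enrollment Agent template, that both templates are published on the CA, and that CertSvc is running. It also lists every identity with Enroll on the Enrollment Agent template, which is worth reviewing because that right lets the holder request certificates for other users. The account name 'svc-adsync' and the CA name 'Corp-Issuing-CA' are assumptions; the template CN 'AppterixSmartcardLogon' is taken from the text above.

```powershell
# Added verification script; not EgoMind/Appterix code. Run with an account that can read
# the Configuration partition; step 4 additionally needs CIM/WMI access to the CA host.
# 'svc-adsync' and 'Corp-Issuing-CA' are assumptions; adjust the parameters.
param(
    [string]$ServiceUser = 'svc-adsync',
    [string]$CAName      = 'Corp-Issuing-CA',
    [string]$TemplateCN  = 'AppterixSmartcardLogon'
)

Import-Module ActiveDirectory -ErrorAction Stop
$confNC   = (Get-ADRootDSE).configurationNamingContext
$pksBase  = "CN=Public Key Services,CN=Services,$confNC"
$sid      = (Get-ADUser -Identity $ServiceUser).SID
$enrollId = [Guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # extended right: Certificate-Enrollment
$adr      = [System.DirectoryServices.ActiveDirectoryRights]

function Get-EnrollGrants([string]$TemplateDn) {
    # Identities with an Allow ACE that grants Enroll: the Enroll extended right itself,
    # an ACE covering all extended rights (empty ObjectType), or a blanket GenericAll.
    (Get-Acl -Path "AD:\$TemplateDn").Access | Where-Object {
        $r = $_.ActiveDirectoryRights
        ($_.AccessControlType -eq 'Allow') -and (
            $r.HasFlag($adr::GenericAll) -or
            ($r.HasFlag($adr::ExtendedRight) -and ($_.ObjectType -eq $enrollId -or $_.ObjectType -eq [Guid]::Empty))
        )
    } | ForEach-Object { $_.IdentityReference }
}

# 1 + 2. Template objects exist and the service account has Enroll on both.
foreach ($cn in $TemplateCN, 'EnrollmentAgent') {
    $tmpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pksBase" `
                         -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$cn))"
    if (-not $tmpl) { "[$cn] NOT found in the Certificate Templates container"; continue }
    $grants = Get-EnrollGrants $tmpl.DistinguishedName
    # Direct grant only; a grant through a group the account belongs to is listed but not matched.
    $direct = $grants | Where-Object {
        try { $_.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value } catch { $false }
    }
    "[$cn] Enroll granted directly to ${ServiceUser}: $([bool]$direct)"
    "[$cn] all identities with Enroll: $(($grants | ForEach-Object { $_.Value } | Sort-Object -Unique) -join ', ')"
}

# 3. Both templates are published on the CA (certificateTemplates attribute of the
#    enrollment service object, which certutil -setcatemplates ultimately updates).
$ca = Get-ADObject -SearchBase "CN=Enrollment Services,$pksBase" `
                   -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$CAName))" `
                   -Properties certificateTemplates, dNSHostName
if (-not $ca) { throw "CA '$CAName' not found under Enrollment Services" }
foreach ($cn in $TemplateCN, 'EnrollmentAgent') {
    "[$cn] published on ${CAName}: $($ca.certificateTemplates -contains $cn)"
}

# 4. CertSvc is running on the CA host (the script may have restarted it remotely).
$svc = Get-CimInstance -ComputerName $ca.dNSHostName -ClassName Win32_Service `
                       -Filter "Name='CertSvc'" -ErrorAction SilentlyContinue
"CertSvc on $($ca.dNSHostName): $(if ($svc) { $svc.State } else { 'unreachable via CIM' })"
```

A template that exists but is not published, or an account that holds Enroll only through a nested group, are the two findings this check surfaces most often; in both cases the Health Report from the Control Panel shows the same failing connection but not the cause.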
Health Report
Click "Generate Health Report" and choose where to save it; the report is written as a JSON file. It shows the configuration of the AD Sync Service and the state of the connection to the AD Certification Authority (AD CS), and is the first thing to consult when the connection to AD or AD CS fails.
Summary
To set up the AD CS connection once, you need the AD Sync Control Panel, which is installed with the AD Sync Service.
Open the AD Sync Control Panel in a Windows session of an Enterprise Administrator.
Specify a user who is a member of the domain and of the AD group Cert Publishers and who may log on locally to the AD Sync Service server; this must be the same user you specified for AD synchronization in the web interface of the EgoMind platform.
Enter the name of the AD Certification Authority and click Apply.
Should the connection to the AD CS fail, generating the Health Report via the AD Sync Control Panel will help.
Please note:
Each click on the Generate button in the login information section of the EgoMind platform's web interface creates new login credentials that must be entered in the AD Sync Service Control Panel.
For the one-time initialization of the AD CS connection, logging into the server with an Enterprise Administrator account is only temporarily required.
In some cases, logging in with the NetBIOS form (DOMAIN\user) leads to errors when establishing the AD CS connection. In these cases, enter the user's UPN (user@domain.extension) in the User Name field and leave the Domain Name field blank.
If a virus scanner or similar software is in use, please check whether it is blocking the creation and use of the PowerShell script to initialize the AD CS connection.
The Health Report is helpful for checking for sources of error if there are errors in the connections to AD or AD CS.