NoMAD and Certificates from Active Directory
NoMAD can use the Kerberos ticket of a user to connect to a Windows Web Certificate Authority and get a certificate for that user. This method works well, but does come with a few caveats that you should keep in mind.
- If you’re bound to AD, you’re probably better off using a profile via MDM or other management tool to get a user and/or machine certificate. Apple has put a lot of work into making this pretty seamless. The primary use of NoMAD in this case is for unbound machines, although the process will work well either way.
- NoMAD can only get a user certificate. Since NoMAD runs in user space it has no access to any machine account credentials. Also, if you’re not bound to AD, you most likely don’t even have a machine account in AD in the first place.
- This method requires a Windows CA to have web enrollment turned on. This is a standard feature of Windows Server, but it’s not always turned on. The web enrollment also needs to be set to allow for Kerberos authentication, or Windows Authentication in Windows parlance.
To have NoMAD get a certificate you need to set the DNS name of the Web CA and the Certificate Template to use in NoMAD’s preferences. The DNS name is just the host name; do not include http/https or any trailing path, e.g. dc1.nomad.test, not https://dc1.nomad.test/certsrv.
With these two options set a new “Get Certificate” menu will show in the NoMAD menu if a user is signed into AD. Selecting this item will cause a CSR to be generated locally and sent to the Web CA. Assuming everything is in order, the CA will sign the CSR and send that back to the Mac. NoMAD will then add the signed certificate to the private key in the user’s keychain.
For additional options, see our page on Preferences for information on how to get a certificate automatically and how to renew it automatically, plus how to ensure the private key is set as non-exportable.
The simplest way to test if this will work is to go to the Web CA using a web browser on the Mac. Safari is typically the easiest as it requires no configuration to use Kerberos. Add /certsrv to the DNS name of the CA to get to the web enrollment page. You can then request a certificate using a certificate template through the web interface.
Some items of note here:
- The Mac needs to have full trust of the SSL certificates used on the Web CA for NoMAD to work. If your web browser tells you the connection is untrusted, you’ll need to ensure the certificates are fully trusted.
- If the web CA prompts for authentication, and you already have Kerberos tickets for the user, the Web CA needs to be using Windows Authentication. This can be changed using the IIS tools on the Windows server.
- The certificate template to be used has to be available to the user that is requesting the certificate. This can be configured in the certificate template snap-in that’s part of the MMC on the Windows server.
- If the Web CA’s certs are trusted but the certificate pull still doesn’t work, run nscurl --ats-diagnostics --verbose https://server.domain.com from the CLI on the Mac, with your Web CA’s DNS name substituted in. This will determine whether the TLS configuration of the Web CA meets what macOS expects. It’s often found that the Web CA is set up with TLS 1.0 or other older protocols; you’ll need TLS 1.2 for NoMAD to use the Web CA.
- Finally, look at the CA on the Windows server for failed certificate requests. Other common issues, like the user not having an e-mail address set, and other configuration problems can be discovered here.
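The trust, TLS 1.2 and Windows Authentication checks above can be scripted before pointing NoMAD at a Web CA. The Python below is an added diagnostic, not NoMAD’s own code; the function names are hypothetical, it probes the /certsrv path the page describes, and it assumes that a Web CA with Windows Authentication enabled answers an unauthenticated request with a 401 carrying a WWW-Authenticate: Negotiate challenge (the HTTP scheme Kerberos uses).

```python
"""Sanity checks for a NoMAD Web CA setting (added example, not NoMAD code)."""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def normalize_ca_host(value):
    """Reduce a preference value to the bare DNS name NoMAD expects.

    'https://DC1.nomad.test/certsrv' -> 'dc1.nomad.test'
    """
    v = value.strip()
    if "://" not in v:
        v = "https://" + v          # let urlsplit see it as a URL
    host = urlsplit(v).hostname     # drops scheme, port and any path
    if not host:
        raise ValueError(f"no host name found in {value!r}")
    return host


def auth_methods(www_authenticate):
    """Return the lower-cased scheme names from WWW-Authenticate header values."""
    return {h.split()[0].lower() for h in www_authenticate if h.strip()}


def check_web_ca(value, timeout=5.0):
    """Probe https://<host>/certsrv/ with TLS 1.2+ and the system trust store.

    Hypothetical helper: reports whether the chain is trusted, whether the
    server accepts TLS 1.2, and whether it offers Negotiate (Windows Auth).
    """
    ctx = ssl.create_default_context()            # system roots + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # same floor NoMAD needs
    url = f"https://{normalize_ca_host(value)}/certsrv/"
    result = {"url": url, "tls_ok": False, "negotiate": False, "status": None}
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            # 200 without a challenge means anonymous access, not Windows Auth
            result["status"], result["tls_ok"] = resp.status, True
    except urllib.error.HTTPError as e:
        # 401 is the expected answer when Windows Authentication is enabled
        result["status"], result["tls_ok"] = e.code, True
        methods = auth_methods(e.headers.get_all("WWW-Authenticate") or [])
        result["negotiate"] = "negotiate" in methods
    except urllib.error.URLError as e:
        # untrusted chain, TLS 1.0/1.1 only, or host unreachable
        result["error"] = f"connection/TLS/trust failure: {e.reason}"
    return result
```

A result with tls_ok true but negotiate false points at the IIS authentication setting rather than at TLS or trust.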