Certificates

NoMAD and Certificates from Active Directory

NoMAD can use a user’s Kerberos ticket to connect to a Windows Web Certificate Authority and obtain a certificate for that user. This method works well, but does come with a few caveats that you should keep in mind:

  1. If you’re bound to AD, you’re probably better off using a profile via MDM or other management tool to get a user and/or machine certificate. Apple has put a lot of work into making this pretty seamless. The primary use of NoMAD in this case is for unbound machines, although the process will work well either way.
  2. NoMAD can only get a user certificate. Since NoMAD runs in user space, it has no access to any machine account credentials. Also, if you’re not bound to AD, you most likely don’t even have a machine account in AD in the first place.
  3. This method requires a Windows CA to have web enrollment turned on. This is a standard feature of Windows Server, but it’s not always turned on. The web enrollment also needs to be set to allow for either Kerberos authentication or Windows Authentication in Windows parlance.

Set Up

To have NoMAD get a certificate, you need to set the DNS name of the Web CA and the Certificate Template to use in NoMAD’s preferences. The DNS name is just the name; do not include http/https or any trailing path, e.g. dc1.nomad.test, not https://dc1.nomad.test/certsrv.

With these two options set, a new “Get Certificate” menu will show in the NoMAD menu, if a user is signed into AD. Selecting this item will cause a CSR to be generated locally and sent to the Web CA. Assuming that everything is in order, the CA will sign the CSR and send that back to the Mac. NoMAD will then add the signed certificate to the private key in the user’s keychain.

Additional Options

Check our page on Preferences for more information on how to automatically get a certificate, how to automatically renew a certificate, and how to ensure that the private key is set as non-exportable.

Troubleshooting

The simplest way to test this is to go to the Web CA using a web browser on the Mac. Safari is typically the easiest, as it requires no configuration to use Kerberos. With the DNS name of the CA, add /certsrv to get to the web enrollment page. You can then request a certificate using a certificate template through the web interface.

Some items of note here:

  1. The Mac needs to have full trust of the SSL certificates used on the Web CA for NoMAD to work. If your web browser tells you the connection is untrusted, you’ll need to ensure the certificates are fully trusted.
  2. If the web CA prompts for authentication and you already have Kerberos tickets for the user, the Web CA needs to be using Windows Authentication. This can be changed using the IIS tools on the Windows server.
  3. The certificate template to be used has to be available to the user that is requesting the certificate. This can be configured in the certificate template snap-in that’s part of the MMC on the Windows server.
  4. If the Web CA’s certs are trusted but the certificate pull still doesn’t work, use nscurl --ats-diagnostics --verbose https://server.domain.com from the CLI on the Mac with your Web CA’s DNS name substituted in. This will determine whether the TLS security on the Web CA is on par with what macOS is expecting. Often, the Web CA may be set up with TLS 1.0 or other older protocols. You’ll need to be on TLS 1.2 for NoMAD to use the Web CA.
  5. Finally, look at the CA on the Windows server and look for failed certificate requests. Other common issues can be discovered here, such as missing a set email for the user, or other configuration problems.