AD CS Integration: Overview


What is Active Directory Certificate Services?

Microsoft Active Directory Certificate Services (AD CS) creates an on-premises public key infrastructure (PKI) that lets organizations issue, validate, and revoke certificates for internal use. The Kandji AD CS integration works with your existing Microsoft AD CS setup to request certificates from AD CS. You can then push these certificates to devices through configuration profiles, which enables certificate-based authentication so users can access corporate resources like enterprise Wi-Fi networks.

Network requirements

For a full list of network requirements for Active Directory Certificate Services, please see our Using Kandji in Enterprise Environments support article.

AD CS Computer Certificate Template

Kandji uses an AD CS computer certificate template when requesting AD CS certificates within Library Items. For more details, see our AD CS Create a Computer Certificate Template support article.

AD CS Integration Configuration

The AD CS integration is configured from the Kandji Integrations page in your Kandji web app. Once setup is complete, you can manage Kandji AD CS Connector servers, add your AD CS certificate authority (CA) hosts, and create Library Items, all from the AD CS integration page.

Kandji AD CS Connector Installation

The AD CS Connector requires Windows Server 2016 or newer and Microsoft .NET (Core) 8 or later.

The Kandji AD CS Connector is a native Windows .NET client application installed on a Windows Server (2016 or newer) on your local network. The Connector opens an outbound WebSocket connection to your Kandji tenant over TCP port 443 and keeps it open, so Kandji can reach the Connector without you exposing any inbound firewall ports. The Connector communicates with your local AD CS environment using Microsoft Remote Procedure Call (DCE/RPC). Once installed, it receives certificate requests from Kandji, submits them to AD CS, and returns the issued certificates to Kandji on an ongoing basis. Because the Connector can request certificates from your CA on behalf of any managed device, restrict logon and administrative access to the server it runs on.

Library Item Creation

Kandji can be used to create and distribute AD CS certificate configuration profiles to devices using the following Library Items:

Strong Certificate Mapping

Domain controllers updated with KB5014754 require a strong mapping between a certificate and the account it authenticates, and in Full Enforcement mode they reject certificate logons that cannot be strongly mapped. To support Strong Certificate Mapping, you need Kandji Connector version 1.0.0.6 and a URI Subject Alternative Name that carries the ADCS strong mapping ID. In your Library Item's Subject Alternative Name (SAN) section, click Add to create a URI SAN, then enter this exact value: $ADCS_STRONG_MAPPING_ID. On an issued certificate, confirm that the SAN contains a URI of the form tag:microsoft.com,2022-09-14:sid:<account SID>, which is the format KB5014754 defines for the mapping.

Certificate Request Flow

  1. Kandji sends a certificate request to the Kandji AD CS Connector over the WebSocket connection on TCP port 443.

  2. The AD CS Connector generates the certificate key pair (public and private keys) locally, then submits a certificate signing request to Microsoft AD CS using DCE/RPC. The Connector does not retain the key pair; the private key is stored only on the managed endpoint it is deployed to through a Library Item.

  3. AD CS processes the request, issues the certificate, and returns the signed certificate to the AD CS Connector.

  4. The AD CS Connector returns a password-protected PKCS#12 (.p12) bundle containing the certificate and its private key, along with the request ID, to Kandji over the WebSocket connection.

  5. Kandji delivers the certificate bundle (.p12 file) to the client device through a configuration profile payload.

Because the private key is generated on the Connector and transits Kandji inside the .p12 rather than being generated on the device, the key is protected in transit only by the bundle's encryption. Treat the Connector host and the issued certificates accordingly: keep certificate lifetimes short, and revoke a certificate in AD CS when the device it was issued to is lost or retired.
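The following is an added example, not Kandji's or Microsoft's code, that models steps 2 to 5 of the flow above together with the Strong Certificate Mapping check from the previous section, using the Python `cryptography` package. A throwaway self-signed CA stands in for AD CS, and the device name, SID and .p12 password are constructed for the example; the URI SAN format `tag:microsoft.com,2022-09-14:sid:<SID>` is the one KB5014754 specifies. It builds a CSR carrying the strong-mapping URI SAN, "issues" a client-authentication certificate from it, packs key and certificate into an encrypted PKCS#12, unpacks it as the endpoint would, and then reads the SID back the way a domain controller does, returning `None` when the mapping is absent.

```python
"""Added example: the connector-side AD CS request flow modelled with `cryptography`.
A self-signed test CA stands in for AD CS; names, SID and password are constructed."""
import datetime
from typing import Optional

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# KB5014754 strong mapping: a URI SAN carrying the account SID in this form.
STRONG_MAPPING_PREFIX = "tag:microsoft.com,2022-09-14:sid:"
TEST_SID = "S-1-5-21-1234567890-987654321-192837465-1107"  # constructed, not a real account


def _now() -> datetime.datetime:
    return datetime.datetime.now(datetime.timezone.utc)


def strong_mapping_uri(sid: str) -> str:
    """The value AD CS substitutes for the $ADCS_STRONG_MAPPING_ID URI SAN (assumed)."""
    if not sid.startswith("S-1-"):
        raise ValueError(f"not a Windows SID: {sid!r}")
    return STRONG_MAPPING_PREFIX + sid


def build_csr(key, common_name: str, sid: Optional[str]):
    """Step 2: the CSR the Connector submits. sid=None models a template without the URI SAN."""
    names = [x509.DNSName(f"{common_name}.corp.example")]
    if sid is not None:
        names.append(x509.UniformResourceIdentifier(strong_mapping_uri(sid)))
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .add_extension(x509.SubjectAlternativeName(names), critical=False)
            .sign(key, hashes.SHA256()))


def issue(csr, ca_key, ca_cert, days: int = 365):
    """Step 3, standing in for AD CS: copy subject, public key and SAN from a valid CSR."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now()).not_valid_after(_now() + datetime.timedelta(days=days))
            .add_extension(san, critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def bundle_p12(key, cert, ca_cert, password: bytes) -> bytes:
    """Step 4: the password-protected PKCS#12 that travels back to Kandji."""
    return pkcs12.serialize_key_and_certificates(
        b"adcs-client", key, cert, [ca_cert], serialization.BestAvailableEncryption(password))


def unpack_bundle(p12: bytes, password: bytes):
    """Step 5, on the endpoint: decrypt the bundle and check the key matches the certificate.
    Raises ValueError on a wrong password or a mismatched key."""
    key, cert, chain = pkcs12.load_key_and_certificates(p12, password)

    def spki(pub):
        return pub.public_bytes(serialization.Encoding.DER,
                                serialization.PublicFormat.SubjectPublicKeyInfo)
    if spki(key.public_key()) != spki(cert.public_key()):
        raise ValueError("private key does not match certificate")
    return key, cert, chain


def extract_sid(cert) -> Optional[str]:
    """What a domain controller reads for strong mapping; None means no strong mapping."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for uri in san.get_values_for_type(x509.UniformResourceIdentifier):
        if uri.startswith(STRONG_MAPPING_PREFIX):
            return uri[len(STRONG_MAPPING_PREFIX):]
    return None


def issued_by(cert, ca_cert) -> bool:
    """Check the certificate's signature against the CA public key."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def make_test_ca():
    """Throwaway CA standing in for the AD CS issuing CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now()).not_valid_after(_now() + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def run_flow(sid: Optional[str] = TEST_SID, password: bytes = b"example-p12-pw"):
    """Steps 2-5 end to end; returns (certificate on the endpoint, mapped SID or None, p12 bytes)."""
    ca_key, ca_cert = make_test_ca()
    device_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # step 2
    cert = issue(build_csr(device_key, "mac-0042", sid), ca_key, ca_cert)          # step 3
    p12 = bundle_p12(device_key, cert, ca_cert, password)                        # step 4
    _, cert_on_device, chain = unpack_bundle(p12, password)                      # step 5
    if not issued_by(cert_on_device, chain[0]):
        raise ValueError("certificate was not issued by the bundled CA")
    return cert_on_device, extract_sid(cert_on_device), p12


if __name__ == "__main__":
    cert, sid, p12 = run_flow()
    print(cert.subject.rfc4514_string(), "strong mapping SID:", sid, f"({len(p12)} bytes)")
```

Running `run_flow(sid=None)` shows the failure mode: the certificate is issued and installs fine, but `extract_sid` returns `None`, which is the case a domain controller in Full Enforcement mode will reject. Against a real AD CS deployment, `certutil -dump` on the issued certificate is the quickest way to confirm the `tag:microsoft.com,2022-09-14:sid:` URI is present in the SAN.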