Active Directory Certificate Services (AD CS) Integration: AD CS Connector Installation

By Lisa DeGrace

Learn how to install the Kandji AD CS Connector on a Windows server.

The Kandji AD CS Connector is a native Windows .NET client application installed on a Windows server (2016 or newer) residing on your local network. The AD CS Connector leverages the WebSocket protocol over TCP port 443 to automatically establish a persistent trusted connection with your Kandji tenant. This makes the initial installation and setup very intuitive and, in most environments, removes the need to open specific ports. The AD CS Connector uses the Microsoft Remote Procedure Call framework to communicate with your local AD CS environment. Once installed, the AD CS Connector will be able to receive and facilitate certificate requests from and to Kandji on an ongoing basis.

Before You Begin

  • The initial setup of the AD CS integration must be complete in your Kandji Web app.

  • Make sure to have the AD CS Connector installer available. If needed, the installer can be redownloaded from the Connector integration card in Kandji.

  • Access to the Windows server designated as the Kandji AD CS Connector.

  • Access to an administrator account that can be used to log in to the Connector Windows server.

  • Access to a Kandji admin account. This is used to authenticate the Connector and create the connection back to Kandji.

The Connector uses a standard WebSocket connection back to Kandji over TCP 443 and the Microsoft RPC framework to communicate with your AD CS environment. As such, there should be no need to open any ports on the network. However, it is always a good idea to communicate with your network team just to be sure.

AD CS Connector Server Specs

The Connector must be installed on a Windows server (physical or virtual), meeting the following criteria:

  • Windows Server 2016 or newer.

  • The Windows server must be bound to your Active Directory domain.
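
The server requirements and the outbound TCP 443 connection described above can be checked before running the installer. The script below is an added example, not part of the original article or Kandji's tooling; the `Test-ConnectorHost` function name and the `YOUR-TENANT-HOSTNAME` value are placeholders chosen for illustration.

```powershell
# Added example: pre-flight check for the Windows server that will host the Connector.
param(
    # Placeholder, not a real value: set this to your Kandji tenant hostname.
    [string]$TenantHost = 'YOUR-TENANT-HOSTNAME'
)

function Test-ConnectorHost {
    param([Parameter(Mandatory)][string]$TenantHost)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $isServer = $os.ProductType -ne 1
    # Windows Server 2016 is build 14393; every later release has a higher build number.
    $isSupportedBuild = [int]$os.BuildNumber -ge 14393

    # TCP handshake only. A proxy that blocks the WebSocket upgrade or intercepts TLS
    # can still break the Connector even when this test passes.
    $tcp = Test-NetConnection -ComputerName $TenantHost -Port 443 -WarningAction SilentlyContinue

    @(
        [pscustomobject]@{
            Check  = 'Windows Server 2016 or newer'
            Pass   = ($isServer -and $isSupportedBuild)
            Detail = "$($os.Caption) (build $($os.BuildNumber))"
        }
        [pscustomobject]@{
            Check  = 'Bound to an Active Directory domain'
            Pass   = [bool]$cs.PartOfDomain
            Detail = "Domain or workgroup: $($cs.Domain)"
        }
        [pscustomobject]@{
            Check  = 'Outbound TCP 443 to the Kandji tenant'
            Pass   = [bool]$tcp.TcpTestSucceeded
            Detail = "${TenantHost}:443"
        }
    )
}

$results = Test-ConnectorHost -TenantHost $TenantHost
$results | Format-Table -AutoSize -Wrap
if ($results.Pass -contains $false) {
    Write-Warning 'One or more prerequisites are not met; resolve them before running the installer.'
    exit 1
}
```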


  1. Transfer the Connector installer file to the Windows server.

  2. To begin the installation process, double-click the installer.

  3. On the Welcome screen, click Next.

  4. On the Connect with the certificate authority screen, leave the credential fields blank; doing so will leverage the Windows computer account to authenticate to AD CS. If you used the AD CS Computer Certificate Template guide, we configured the template to allow the computer account to request certificates. 

  5. On the Ready to install screen, click Install.

    If prompted by User Account Control (UAC), click Yes.

  6. Once the main install is complete, click Finish.

  7. The Microsoft Edge WebView2 Runtime will begin to download and install automatically. Once completed, the installer will close on its own. The runtime is required to populate the Kandji login window once the installation is complete.


  1. If the Connector does not launch automatically, go to the Windows Start menu and search for the Kandji AD CS Connector app.

  2. The Connector should be running in the Windows tray in the bottom-right of the screen.
  3. In the Kandji AD CS Connector dialogue, enter your Kandji domain in the Enter Kandji domain field. If your tenant URL is, the domain to enter would be an example.

  4. In the Log in to Kandji screen, enter your Kandji admin credentials. If configured in your Kandji instance, you can also use one of the other sign-in options. 

  5. The Connector should start the initialization process.

  6. Once initialization is complete, you should see that the Connector is Connected.

The Connector app window can now be closed. If you need to open it again, click the Kandji icon in the tray.

Head back to Kandji to assign your CA server to the AD CS Connector in the AD CS integration in Kandji and start building Library Items to deliver AD CS certificates to devices.


The Connector and Edge runtime can be removed by going to Programs & Features on the Windows server.

  1. Go to the Windows Start menu, type Programs & Features, and press Return on the keyboard.

  2. Find the Kandji AD CS Connector and click Uninstall.

  3. Find Microsoft Edge WebView2 Runtime and click Uninstall.

  4. Once the components are uninstalled, open the File Explorer and enter the following path, C:\ProgramData, then hit Enter. Once there, delete the kandji folder.


  • The AD CS Connector app is installed at C:\Program Files\Kandji\ADCS Connector.
  • Logs, settings, and service files can be found at C:\ProgramData\kandji. This is a hidden directory on the Windows server.

  • The Windows Event Viewer app can be used to see additional logs about the AD CS Connector.
    • Event Viewer > Applications and Services Logs > Kandji 
  • Windows installer logs can be enabled using the Microsoft guide.

For additional questions, please contact support.