Active Directory Certificate Services (AD CS) Integration: AD CS Connector Installation

By Michael Mutch

Learn how to install the Kandji AD CS Connector on a Windows server

The Kandji AD CS Connector is a native Windows .NET client application installed on a Windows server (2016 or newer) residing on your local network. The AD CS Connector leverages the WebSocket protocol over TCP port 443 to automatically establish a persistent trusted connection with your Kandji tenant. This makes the initial installation and setup very intuitive and, in most environments, removes the need to open specific ports. The AD CS Connector uses the Microsoft Remote Procedure Call framework to communicate with your local AD CS environment. Once installed, the AD CS Connector will be able to receive and facilitate certificate requests from and to Kandji on an ongoing basis.

Article Contents

Before You Begin

  • Ensure all network requirements have been met.

    • Ensure SSL inspection is disabled for the required network communications between Kandji and the AD CS Connector.

  • The initial setup of the AD CS integration must be complete in your Kandji Web app.

  • Make sure to have the AD CS Connector installer available. If needed, the installer can be redownloaded from the Connector integration card in Kandji.

  • Access to the Windows server designated as the Kandji AD CS Connector.

  • Access to an administrator account that can be used to log in to the Connector Windows server.

  • Access to a Kandji admin account. This is used to authenticate the Connector and create the connection back to Kandji.

The Connector (current version - uses the WebSocket protocol to establish a connection back to Kandji over TCP 443. The Connector also uses the Microsoft RPC (MRPC) framework to communicate with your AD CS environment. As such, there should be no need to open any ports on the network. However, it is always a good idea to communicate with your network team just to be sure.

AD CS Connector Server Specs

The Connector must be installed on a Windows server (physical or virtual), meeting the following criteria:

  • Windows Server 2016 or newer.

  • .NET version 4.7.2

  • Edge WebView2 version 112.0.1722.39 or newer (This ADCS Connector installer includes the required WebView runtime)

  • The AD CS Connector Windows server must be bound to your Active Directory domain.


  1. Transfer the Connector installer file to the Windows server.

  2. To begin the installation process, double-click the installer.

  3. On the Install Kandji AD CS Connector screen, click Start.

  4. On the Authenticate with Certificate Authority screen, you may choose to either leverage a Local System Account or enter Service Account credentials. If you used the AD CS Computer Certificate Template guide, we configured the template to allow the computer account to request certificates. Once you have decided on an account type, click Install.

    wLMwoH0bagdUJwag10BC3tSprvoHFNjvaA XNrKh-49h_apWoz2rhLLN7jvWpNG8lIkzQ

  5. When the UAC prompt appears, click Yes.

  6. Once the Connector installation is complete, click Close.

Note: As of installer version v1.0.0.3, the Microsoft Edge Webview runtime is bundled with the AD CS Connector installer and will silently install in the background.


  1. If the Connector does not launch automatically, go to the Windows Start menu and search for the Kandji AD CS Connector app.

  2. The Connector should be running in the Windows tray in the bottom-right of the Desktop.

  3. In the Kandji AD CS Connector dialogue, enter your Kandji tenant URL in the Enter Kandji domain field. iHNf7dylmNVIi1zBQceIFr9eHklbFMAA5w

  4. In the Log in to Kandji screen, enter your Kandji admin credentials. If configured in your Kandji instance, you can also use one of the other sign-in options.

  5. The Connector should start the initialization process, and once initialization is complete, you should see that the Connector is Connected.


The Connector app window can now be closed. If you need to open it again, click the Kandji icon in the tray.

Head back to Kandji to assign your CA server to the AD CS Connector in the AD CS integration in Kandji and start building Library Items to deliver AD CS certificates to devices.


The Connector and Edge runtime can be removed by going to Programs & Features on the Windows server.

  1. Go to the Windows Start menu, type Programs & Features, and press Return on the keyboard.

  2. Find the Kandji AD CS Connector and click Uninstall.yLCoHKR2G7sCQABUeFbfZtDy5S8dOjLoeg

  3. Find Microsoft Edge WebView2 Runtime and click Uninstall.g8zR-LI0mh_XvwLTUwBTjCzjp7uYhmfeTg

  4. When the uninstallation is complete, click Close.

  5. Find Microsoft Edge WebView2 Runtime and click Uninstall.

  6. Once the components are uninstalled, open the File Explorer and enter the following path, C:\ProgamData, then press Enter. Once there, delete the kandji folder.

  7. Done


  • The AD CS Connector app is installed at C:\Program Files\Kandji\ ADCS Connector.

  • Logs, settings, and service files can be found at C:\ProgramData\kandji. This is a hidden directory on the Windows server.

  • The Windows Event Viewer app can be used to see additional logs about the AD CS Connector.

    • Event Viewer > Applications and Services Logs > Kandji

  • Windows installer logs can be enabled using the Microsoft guide.

For additional questions, please contact support.