Active Directory Certificate Services (AD CS) Integration: AD CS Connector Installation

By Trevor Gerzen

Learn how to install the Kandji AD CS Connector on a Windows server

Current Connector Version: 1.0.0.4

The Kandji AD CS Connector is a native Windows .NET client application installed on a Windows server (2016 or newer) residing on your local network. The AD CS Connector leverages the WebSocket protocol over TCP port 443 to automatically establish a persistent trusted connection with your Kandji tenant. This makes the initial installation and setup very intuitive and, in most environments, removes the need to open specific ports. The AD CS Connector uses the Microsoft Remote Procedure Call framework to communicate with your local AD CS environment. Once installed, the AD CS Connector will be able to receive and facilitate certificate requests from and to Kandji on an ongoing basis.

Before You Begin

  • Ensure all network requirements have been met.
    • Ensure SSL inspection is disabled for the required network communications between Kandji and the AD CS Connector.
  • The initial setup of the AD CS integration must be complete in your Kandji Web app.
  • Make sure the AD CS Connector installer is available. If needed, it can be redownloaded from the Connector integration card in Kandji.
  • Access to the Windows server designated as the Kandji AD CS Connector.
  • Access to an administrator account that can be used to log in to the Connector Windows server.
  • Access to a Kandji admin account. This is used to authenticate the Connector and create the connection back to Kandji.

AD CS Connector Server Specs

The Connector must be installed on a Windows server (physical or virtual), meeting the following criteria:

  • Windows Server 2016 or newer.
  • .NET version 4.7.2 or newer.
  • Edge WebView2 version 112.0.1722.39 or newer (the AD CS Connector installer includes the required WebView2 runtime).
  • The AD CS Connector Windows server must be bound to your Active Directory domain.

Installation

  1. Transfer the Connector installer file to the Windows server.
  2. To begin the installation process, double-click the installer.
  3. On the Install Kandji AD CS Connector screen, click Start.
  4. On the Authenticate with Certificate Authority screen, you may choose to either leverage a Local System Account or enter Service Account credentials. If you used the AD CS Computer Certificate Template guide, we configured the template to allow the computer account to request certificates. Once you have decided on an account type, click Install.

  5. When the UAC prompt appears, click Yes.

  6. Once the Connector installation is complete, click Close.

As of installer version v1.0.0.4, the Microsoft Edge WebView2 runtime is bundled with the AD CS Connector installer and will silently install in the background. If needed, the runtime can be downloaded from Microsoft and installed manually on the AD CS Connector Windows server.

Initialization

  1. If the Connector does not launch automatically, go to the Windows Start menu and search for the Kandji AD CS Connector app.
  2. The Connector should be running in the Windows tray in the bottom-right corner of the desktop.
  3. In the Kandji AD CS Connector dialog, enter your Kandji tenant URL in the Enter Kandji domain field.

  4. In the Log in to Kandji screen, enter your Kandji admin credentials. If configured in your Kandji tenant, you can also use one of the other sign-in options.

  5. The Connector should start the initialization process, and once initialization is complete, you should see that the Connector is Connected.

  6. The Connector app window can now be closed. If you need to open it again, click the Kandji icon in the tray.

Head back to Kandji to assign your CA server to the AD CS Connector in the AD CS integration and start adding Library Items to deliver AD CS certificates to devices.

Updating

Use the steps below when updating to the next version of the AD CS Connector.

  1. Transfer the Connector installer file to the Windows server.
  2. To begin the update process, double-click the installer.
  3. On the Install Kandji AD CS Connector window, click Start.
  4. Choose the type of account to use when connecting to your AD CS infrastructure. Then, click Install.
  5. When the UAC prompt appears, click Yes.
  6. When the Uninstall Kandji AD CS Connector window appears (the previous version needs to be uninstalled), click Uninstall. This will uninstall the previous version of the AD CS Connector.
  7. On the Success Uninstall window, click Close.
  8. On the Success! The Kandji AD CS Connector has been installed window, click Close.

    If you would like to verify that the latest version has been installed, you can check this by going to Start menu > Control Panel > Programs & Features. You should see the latest Connector version listed.

  9. If needed, you may have to enter your Kandji tenant domain again in the Connector app in the tray and go through the authentication steps.

  10. The Connector should now show Connected.

Uninstallation

The Connector and Edge runtime can be removed by going to Programs & Features on the Windows server.

  1. Go to the Windows Start menu, type Programs & Features, and press Return on the keyboard.
  2. Find the Kandji AD CS Connector and click Uninstall.

  3. When the Uninstall Kandji AD CS Connector window appears, click Uninstall.

  4. When the uninstallation is complete, click Close.

  5. Find Microsoft Edge WebView2 Runtime and click Uninstall.

  6. Once the components are uninstalled, open File Explorer, enter the path C:\ProgramData in the address bar, and press Enter. Once there, delete the kandji folder.

  7. Done

Troubleshooting

  • The AD CS Connector app is installed at C:\Program Files\Kandji\ADCS Connector.
  • Logs, settings, and service files can be found at C:\ProgramData\kandji. This is a hidden directory on the Windows server.
  • The Windows Event Viewer app can be used to see additional logs about the AD CS Connector.
    • Event Viewer > Applications and Services Logs > Kandji
  • Windows installer logs can be enabled using the Microsoft guide.
  • The Connector service is called Kandji AD CS Connector Service. The service should start automatically but can also be started in the Windows Services application if needed.
  • In Task Manager, the Connector process is called adcs-connector-app. If, for some reason, the webview login does not display in the Connector after entering the Kandji tenant domain, ending the Connector process and then launching the app again from the Windows start menu can help to clear this up.
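The following PowerShell script is an added example, not Kandji's code: it checks the server specs from the AD CS Connector Server Specs section (domain binding, .NET 4.7.2, WebView2 version, outbound TCP 443) and the post-install state listed in Troubleshooting (installed version, service, tray process, log folder, Kandji event log) in one pass. It assumes the event log is named "Kandji", the service display name is "Kandji AD CS Connector Service", the WebView2 version is stored under the EdgeUpdate client registry key shown, and the tenant hostname is a placeholder you replace.

```powershell
# Added example (not Kandji's code): prerequisite and health check for the
# AD CS Connector server. Assumptions: event log named "Kandji", service
# display name "Kandji AD CS Connector Service", WebView2 version under the
# EdgeUpdate client key below. Run in an elevated PowerShell on the server.
param([string]$TenantHost = 'yourtenant.kandji.io')   # constructed placeholder

$results = [ordered]@{}

# Server specs: domain-bound, .NET 4.7.2+ (Release >= 461808), WebView2 112.0.1722.39+
$cs = Get-CimInstance Win32_ComputerSystem
$results['DomainJoined'] = $cs.PartOfDomain

$netRelease = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
$results['DotNet472Plus'] = ($netRelease -ge 461808)

$wv2Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}'
$wv2 = (Get-ItemProperty $wv2Key -ErrorAction SilentlyContinue).pv
$results['WebView2OK'] = [bool]($wv2 -and ([version]$wv2 -ge [version]'112.0.1722.39'))

# Network: the Connector dials out to the tenant over TCP 443 (WebSocket);
# a failure here usually means egress filtering or SSL inspection in the path
$results['Tcp443ToTenant'] = Test-NetConnection -ComputerName $TenantHost -Port 443 -InformationLevel Quiet

# Post-install: installed version (what Programs & Features shows), service, tray process, log folder
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$app = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object DisplayName -like 'Kandji AD CS Connector*' | Select-Object -First 1
$results['InstalledVersion'] = if ($app) { $app.DisplayVersion } else { 'not installed' }

$svc = Get-Service -DisplayName 'Kandji AD CS Connector Service' -ErrorAction SilentlyContinue
$results['ServiceStatus'] = if ($svc) { "$($svc.Status) ($($svc.StartType))" } else { 'not found' }

$results['TrayProcessRunning'] = [bool](Get-Process -Name 'adcs-connector-app' -ErrorAction SilentlyContinue)
$results['LogFolderPresent']   = Test-Path 'C:\ProgramData\kandji'

# Most recent Connector events from Applications and Services Logs > Kandji
$events = Get-WinEvent -LogName 'Kandji' -MaxEvents 5 -ErrorAction SilentlyContinue
$results['RecentEvents'] = if ($events) {
    ($events | ForEach-Object { "$($_.TimeCreated) [$($_.LevelDisplayName)] $($_.Message.Split("`n")[0])" }) -join '; '
} else { 'none' }

[pscustomobject]$results | Format-List
```

Any field reporting False, 'not found' or 'not installed' points at the corresponding Before You Begin, Server Specs or Troubleshooting item above.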

For additional questions, please contact support.