On Thu, Aug 15, 2019, at 4:20 AM, Sumit Bose wrote:
On Tue, Aug 13, 2019 at 02:05:06PM -0400, James Cassell wrote:
> > Good afternoon,
> > I'm working on a migration from Centrify to SSSD with Active Directory.
> > Everything works quite well except for one item. Centrify has a feature to request a
> > certificate from the AD CA that is automatically granted, given the AD credentials. This
> > is used for wired 802.1x authentication, among other things.
> > Is there a way to get an AD cert via SSSD or related tools such as adcli? (Centrify
> > calls this command 'adcert'.)
> it looks like AD CS with NDES can support SCEP
> ). Please see
Thanks for the links! I did take a look at those. It looks like certmonger even supports
the same SCEP protocol, but it seems that it requires a one-time PIN to register, which is
an out-of-band manual process as far as I can tell. Red Hat even has some docs on it:
Seems like it would be convenient to have the one-time challengePassword (as it's
called in the spec) be (derived from) an appropriate Kerberos service ticket (but
that's just conjecture). Somehow, this "just works" on Windows hosts with
the auto-enrollment AD policy (as also with Centrify on Linux), but I don't know how;
it could be (a variation on) SCEP for all I know.
Thanks for taking a look!
> > Thanks in advance!
> > V/r,
> > James Cassell