Troubleshooting Certificate-based Registration of a Device with HYPR Passwordless for macOS
Product: HYPR Passwordless for macOS

Applicable Version(s): 6.15+

When a macOS computer is joined to a Windows domain and certificate-based authentication is enabled in the HYPR Passwordless configuration, the certificate used during the registration process must be issued by the Certificate Authority (CA) service running on one of the servers supporting the domain.

In a correctly configured domain, all of this information is retrieved automatically; on some systems, some of it must be specified manually.

Requirements

  • Certificate-based authentication must be enabled in the configuration file for HYPR Passwordless for macOS

  • The user requesting device registration is authenticated by an Active Directory (AD) server running Windows Server, and has been converted into a mobile user on the local macOS workstation

Info You'll Need

  • The CA name

  • The CA server address

  • The Certificate Template name for user certificate generation

CA Name

The symbolic name of the CA can be set in the HyprOneService.plist configuration file:

<dict>
...
    <key>CertificateAuthority</key>
    <string>MY-WINDOWS-SERVER-DOMAIN-CA</string>
...

Starting with version 7.0.0, the configuration option accepts multiple CA names, separated by commas.

If it is not specified, the CA name is read from Open Directory:

$ dscl localhost -list "/Active Directory/<YOUR DOMAIN NAME>/All Domains/CertificateAuthorities"
MY-WINDOWS-SERVER-DOMAIN-CA

Starting with version 6.19.0, if this query returns an empty result, the CA name is discovered by running the ldapsearch command:

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -s base configurationNamingContext
configurationNamingContext: CN=Configuration,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -b CN=Configuration,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com "(objectClass=certificationAuthority)" cn
cn: MY-WINDOWS-SERVER-DOMAIN-CA

Starting with version 6.16.0, if the LDAP query or the configuration property returns more than one result, all the values are tested against the set of servers retrieved in the next section.

CA Server Address

Starting with HYPR Passwordless 6.19.0, addresses can be placed in the HyprOneService.plist configuration file:

<dict>
...
    <key>CertificatePublishers</key>
    <string>DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM,DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM</string>
...

If not specified, HYPR Passwordless looks first in Open Directory, where it collects the computer names that are members of the Cert Publishers group. To preview which servers are found there, run the following:

$ dscl localhost -read "/Active Directory/<YOUR DOMAIN NAME>/All Domains/Groups/Cert Publishers" member

dsAttrTypeNative:member: 
 CN=DOMAINSERVER1,OU=Domain Controllers,DC=domain,DC=suffix,DC=com 
 CN=DOMAINSERVER2,OU=Domain Controllers,DC=domain,DC=suffix,DC=com
 
$ dscl localhost -search "/Active Directory/<YOUR DOMAIN NAME>/All Domains/Computers/" distinguishedName "CN=DOMAINSERVER1,OU=Domain Controllers,DC=domain,DC=suffix,DC=com"
dsAttrTypeNative:DNSHostName:
 DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM

Starting with version 6.19.0, if dscl doesn’t find any entry, HYPR Passwordless searches the LDAP servers using ldapsearch:

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -s base rootDomainNamingContext
rootDomainNamingContext: CN=Users,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -b CN=Users,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com "(cn=Cert Publishers)" dn
dn: CN=Cert Publishers,OU=Groups,DC=domain,DC=suffix,DC=com

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -b CN=Users,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com "(memberOf=CN=Cert Publishers,OU=Groups,DC=domain,DC=suffix,DC=com)" dNSHostName
dNSHostName: DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM
dNSHostName: DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM
dNSHostName: DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM

If no servers are found, HYPR Passwordless looks in DNS, where it collects every server advertised in the SRV record for the domain's LDAP service:

$ nslookup -query=srv _ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM
Server:		xx.xx.xx.xx
Address:	xx.xx.xx.xx#xx

Non-authoritative answer:
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM	service = 0 100 389 DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM.
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM	service = 0 100 389 DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM.
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM	service = 0 100 389 DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM.
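As an added example (not HYPR's code, and not part of the original article), the following POSIX shell script performs the Cert Publishers lookup in the same order described above (dscl, then ldapsearch, then DNS SRV) and reports which source answered; its ldap_attr helper also extracts the CA name from the `cn:` output shown in the previous section. The function names, the EXAMPLE.COM sample records and the domain-node/DNS-suffix parameters are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not HYPR's code: walks the Cert Publishers discovery order the
# article describes (dscl, then ldapsearch, then DNS SRV) and reports which
# source answered. The parsers read command output on stdin, so they can be
# checked against the article's sample output without a joined Mac.

# dscl -read ... member: one member DN per line under the attribute header.
dscl_member_dns() {
    awk '/^[ \t]*CN=/ { gsub(/^[ \t]+|[ \t]+$/, ""); print }'
}

# ldapsearch -LLL: "attr: value" lines. LDAP attribute names are
# case-insensitive, and values (DNs) may contain spaces. $1 = attribute.
ldap_attr() {
    awk -v want="$1:" 'tolower($1) == tolower(want) { sub(/^[^:]*:[ \t]*/, ""); print }'
}

# nslookup -query=srv: "<name> service = priority weight port target."
# Lowest priority first, then highest weight; the trailing dot is removed.
srv_targets() {
    awk '/service =/ { sub(/\.$/, "", $NF); print $(NF-3), $(NF-2), $NF }' |
        sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# Constructed sample in the article's format: three SRV records, one with a
# lower priority than the others. Returns the targets in connection order.
demo_srv_order() {
    printf '%s\n' \
        '_ldap._tcp.dc._msdcs.EXAMPLE.COM service = 10 100 389 DC3.EXAMPLE.COM.' \
        '_ldap._tcp.dc._msdcs.EXAMPLE.COM service = 0 50 389 DC1.EXAMPLE.COM.' \
        '_ldap._tcp.dc._msdcs.EXAMPLE.COM service = 0 100 389 DC2.EXAMPLE.COM.' |
        srv_targets
}

# Live chain. $1 = domain node as shown under /Active Directory in dscl,
# $2 = DNS domain suffix. Each stage runs only if the previous one was empty,
# as the article describes for 6.19.0 and later.
discover_cert_publishers() {
    found=$(dscl localhost -read "/Active Directory/$1/All Domains/Groups/Cert Publishers" member 2>/dev/null | dscl_member_dns)
    [ -n "$found" ] && { echo "source=dscl"; echo "$found"; return 0; }
    dc=$(nslookup -query=srv "_ldap._tcp.dc._msdcs.$2" 2>/dev/null | srv_targets | head -n 1)
    [ -n "$dc" ] || { echo "no domain controller found in DNS" >&2; return 1; }
    base=$(ldapsearch -LLL -N -H "ldap://$dc" -s base rootDomainNamingContext 2>/dev/null | ldap_attr rootDomainNamingContext)
    grp=$(ldapsearch -LLL -N -H "ldap://$dc" -b "$base" "(cn=Cert Publishers)" dn 2>/dev/null | ldap_attr dn)
    found=$(ldapsearch -LLL -N -H "ldap://$dc" -b "$base" "(memberOf=$grp)" dNSHostName 2>/dev/null | ldap_attr dNSHostName)
    [ -n "$found" ] && { echo "source=ldap"; echo "$found"; return 0; }
    echo "source=dns"
    nslookup -query=srv "_ldap._tcp.dc._msdcs.$2" | srv_targets
}
```

Run `discover_cert_publishers "<YOUR DOMAIN NAME>" FULL.COMPANY.ADDRESS.COM` on the Mac being registered; a "source=dns" result with no output from the earlier stages points at the Open Directory or LDAP lookups as the place to investigate.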

Certificate Template Name

Windows Server comes with a predefined certificate template called SmartcardUser that is suitable for the generation of certificates macOS can use to authenticate a domain user. If you have a dedicated template that you prefer to use for the authentication of HYPR Passwordless users, you can specify it in the configuration file:

<dict>
...
    <key>CertificateTemplate</key>
    <string>HYPRTemplate</string>
...

The template should have the following characteristics:

  • An RSA key pair of at least 2048 bits

  • Key usage extensions for Digital Signature and Key Encipherment

  • Extended key usage options for E-mail Protection, Client Authorization, and SmartCard Login

Version          Date                  Author
v. 6 (current)   Nov 6, 2023 16:44     A. Khedron de León
v. 5             April 25, 2023 8:54   Nilesh Doiphode
v. 4             June 15, 2022 11:58   A. Khedron de León
v. 3             May 16, 2022 11:10    Alberto Massari
v. 2             Dec 16, 2021 16:22    Alberto Massari
v. 1             Oct 19, 2021 14:11    Alberto Massari