Product: macOS Workforce Access
Applicable Version(s): 6.15+
When a macOS computer is joined with a Windows domain and the certificate-based authentication is enabled in the Workforce Access (WFA) configuration, the certificate used during the registration process must be generated by the Certificate Authority (CA) service running on one of the computers supporting the domain.
In a correctly configured domain, all the information can be retrieved automatically; on some systems, it may need to be manually specified.
Requirements
- Certificate-based authentication must be enabled in the configuration file for the macOS WFA.
- The user requesting device registration is authenticated by an Active Directory (AD) server running Windows Server, and has been converted into a mobile user on the local macOS workstation.
Info You'll Need
- The CA name
- The CA server address
- The Certificate Template name for user certificate generation
CA Name
The symbolic name of the CA can be placed by the user in the HyprOneService.plist configuration file:
```xml
<dict>
  ...
  <key>CertificateAuthority</key>
  <string>MY-WINDOWS-SERVER-DOMAIN-CA</string>
  ...
```
Starting with version 7.0.0 the configuration option accepts multiple CA names, separated by commas.
If it's not specified, it is read from Open Directory:
```
$ dscl localhost -list "/Active Directory/<YOUR DOMAIN NAME>/All Domains/CertificateAuthorities"
MY-WINDOWS-SERVER-DOMAIN-CA
```
If this query returns an empty result, starting with version 6.19.0 the name is discovered by running the ldapsearch command:
```
$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -s base configurationNamingContext
configurationNamingContext: CN=Configuration,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com
$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -b CN=Configuration,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com "(objectClass=certificationAuthority)" cn
cn: MY-WINDOWS-SERVER-DOMAIN-CA
```
If the LDAP query or the configuration property returns more than one result, starting with version 6.16.0 every value is tested against the set of servers retrieved in the next section.
CA Server Address
Starting with WFA 6.19.0, addresses can be placed in the HyprOneService.plist configuration file:
```xml
<dict>
  ...
  <key>CertificatePublishers</key>
  <string>DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM,DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM</string>
  ...
```
If not specified, WFA looks first in Open Directory, where it collects the computer names in the "Cert Publishers" group. To preview which servers are found there, run the following:
```
$ dscl localhost -read "/Active Directory/<YOUR DOMAIN NAME>/All Domains/Groups/Cert Publishers" member
dsAttrTypeNative:member: CN=DOMAINSERVER1,OU=Domain Controllers,DC=domain,DC=suffix,DC=com CN=DOMAINSERVER2,OU=Domain Controllers,DC=domain,DC=suffix,DC=com
$ dscl localhost -search "/Active Directory/<YOUR DOMAIN NAME>/All Domains/Computers/" distinguishedName "CN=DOMAINSERVER1,OU=Domain Controllers,DC=domain,DC=suffix,DC=com"
dsAttrTypeNative:DNSHostName: DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM
```
If dscl doesn't find any entry, starting with version 6.19.0 WFA searches the LDAP servers using ldapsearch:
```
$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -s base rootDomainNamingContext
rootDomainNamingContext: CN=Users,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com
$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -b CN=Users,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com "(cn=Cert Publishers)" dn
dn: CN=Cert Publishers,OU=Groups,DC=domain,DC=suffix,DC=com
$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -b CN=Users,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com "(memberOf=CN=Cert Publishers,OU=Groups,DC=domain,DC=suffix,DC=com)" dNSHostName
dNSHostName: DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM
dNSHostName: DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM
dNSHostName: DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM
```
If no servers are found, WFA looks in the DNS records, where it collects all the servers registered as handling the LDAP service:
```
$ nslookup -query=srv _ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM
Server:     xx.xx.xx.xx
Address:    xx.xx.xx.xx#xx

Non-authoritative answer:
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM   service = 0 100 389 DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM.
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM   service = 0 100 389 DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM.
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM   service = 0 100 389 DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM.
```
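The two lookup chains above (CA name: configuration key, then Open Directory, then LDAP; CA server address: configuration key, then the Open Directory "Cert Publishers" group, then LDAP, then the DNS SRV records) can be reproduced offline to predict what a given workstation will end up trying. The script below is an added example written for this page, not HYPR's code and not how WFA is implemented. All tool output it consumes (the plist fragment, the ldapsearch LDIF, the nslookup listing) is constructed sample text; the function names are ours, and the Open Directory step for servers is represented by a list of host names you would already have resolved with the two `dscl` commands shown earlier.

```python
"""Lookup order for the CA name and the CA server addresses as described above:
configuration key first, then Open Directory (dscl), then LDAP (ldapsearch),
then the _ldap._tcp.dc._msdcs SRV records (nslookup).
Added example, not HYPR's code. Every tool output below is a constructed
sample string standing in for what the real command would print."""
import base64
import plistlib
import re
from itertools import product

# Constructed HyprOneService.plist fragment using the documented keys.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CertificateAuthority</key>
  <string>MY-WINDOWS-SERVER-DOMAIN-CA, SECOND-CA</string>
</dict></plist>
"""
EMPTY_PLIST = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict/></plist>\n'

# Constructed ldapsearch -LLL output for "(objectClass=certificationAuthority)" cn
SAMPLE_LDIF_CA = """dn: CN=MY-WINDOWS-SERVER-DOMAIN-CA,CN=Certification Authorities,CN=Configuration,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com
cn: MY-WINDOWS-SERVER-DOMAIN-CA

dn: CN=BACKUP-CA,CN=Certification Authorities,CN=Configuration,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com
cn: BACKUP-CA
"""
# Constructed ldapsearch output for "(memberOf=CN=Cert Publishers,...)" dNSHostName
SAMPLE_LDIF_PUBLISHERS = """dn: CN=DOMAINSERVER1,OU=Domain Controllers,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com
dNSHostName: DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM

dn: CN=DOMAINSERVER2,OU=Domain Controllers,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com
dNSHostName: DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM
"""
# Constructed nslookup -query=srv output: "service = priority weight port target."
SAMPLE_NSLOOKUP = """Server:\t\t10.0.0.53
Address:\t10.0.0.53#53

Non-authoritative answer:
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM\tservice = 0 100 389 DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM.
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM\tservice = 10 50 389 DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM.
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM\tservice = 0 200 389 DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM.
"""


def split_config_list(value):
    """Split a comma-separated plist value (several CA names are allowed from 7.0.0 on)."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def ldif_values(text, attr):
    """All values of `attr` in ldapsearch -LLL output (unfolds lines, decodes `attr:: base64`)."""
    out = []
    for line in re.sub(r"\n ", "", text).splitlines():
        m = re.match(r"^([A-Za-z0-9;-]+)(::?) ?(.*)$", line)
        if not m or m.group(1).lower() != attr.lower():
            continue
        value = m.group(3)
        if m.group(2) == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        out.append(value.strip())
    return out


def srv_targets(text):
    """SRV targets from nslookup output: lowest priority first, then highest weight."""
    found = []
    for m in re.finditer(r"service = (\d+) (\d+) (\d+) (\S+)", text):
        found.append((int(m.group(1)), -int(m.group(2)), m.group(4).rstrip(".")))
    return [host for _, _, host in sorted(found)]


def resolve_ca_names(plist_bytes, dscl_list_output, ldif_ca_output):
    """CertificateAuthority key, else `dscl ... -list .../CertificateAuthorities`
    (one name per line), else the LDAP certificationAuthority objects (6.19.0+)."""
    names = split_config_list(plistlib.loads(plist_bytes).get("CertificateAuthority"))
    if not names:
        names = [l.strip() for l in dscl_list_output.splitlines() if l.strip()]
    if not names:
        names = ldif_values(ldif_ca_output, "cn")
    return list(dict.fromkeys(names))


def resolve_publishers(plist_bytes, od_hosts, ldif_pub_output, nslookup_output):
    """CertificatePublishers key (6.19.0+), else Cert Publishers members already resolved
    through Open Directory, else the LDAP memberOf query (6.19.0+), else LDAP SRV records."""
    hosts = split_config_list(plistlib.loads(plist_bytes).get("CertificatePublishers"))
    if not hosts:
        hosts = list(od_hosts)
    if not hosts:
        hosts = ldif_values(ldif_pub_output, "dNSHostName")
    if not hosts:
        hosts = srv_targets(nslookup_output)
    return list(dict.fromkeys(hosts))


def candidate_pairs(ca_names, servers):
    """From 6.16.0 every CA name is tested against every server found."""
    return list(product(ca_names, servers))


if __name__ == "__main__":
    cas = resolve_ca_names(SAMPLE_PLIST, "", SAMPLE_LDIF_CA)
    servers = resolve_publishers(SAMPLE_PLIST, [], SAMPLE_LDIF_PUBLISHERS, SAMPLE_NSLOOKUP)
    for ca, server in candidate_pairs(cas, servers):
        print(f"try CA {ca} via {server}")
```

With the sample data the plist supplies two CA names, no CertificatePublishers key is set and the Open Directory list is empty, so the servers come from the LDAP memberOf query; dropping that output as well makes the SRV records the source, ordered by priority and weight rather than in the order nslookup printed them. That is the same fallback sequence the sections above describe, so the printed (CA name, server) pairs are the combinations a 6.16.0 or later client would test.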
Certificate Template Name
Windows Server comes with a predefined certificate template called SmartcardUser that is suitable for the generation of certificates that macOS can use to authenticate a domain user. If you have a dedicated template that you prefer to use for the authentication of WFA users, you can specify it in the configuration file:
```xml
<dict>
  ...
  <key>CertificateTemplate</key>
  <string>HYPRTemplate</string>
  ...
```
The template should have the following characteristics:
- An RSA public key of at least 2048 bits
- Key Usage extension flags for Digital Signature and Key Encipherment
- Extended Key Usage options for E-mail Protection, Client Authorization, and SmartCard Login
| Version | Date | Comment |
|---|---|---|
| Current Version (v. 5) | April 25, 2023 8:54 | Nilesh Doiphode |
| v. 4 | June 15, 2022 11:58 | A. Khedron de León |
| v. 3 | May 16, 2022 11:10 | Alberto Massari |
| v. 2 | Dec 16, 2021 16:22 | Alberto Massari |
| v. 1 | Oct 19, 2021 14:11 | Alberto Massari |