Troubleshooting Certificate-based Registration of a Device with macOS WFA

 

Product: macOS Workforce Access

Applicable Version(s): 6.15+

When a macOS computer is joined with a Windows domain and the certificate-based authentication is enabled in the Workforce Access (WFA) configuration, the certificate used during the registration process must be generated by the Certificate Authority (CA) service running on one of the computers supporting the domain.

In a correctly configured domain, all the information can be retrieved automatically; on some systems, it may need to be manually specified.

Requirements

  • Certificate-based authentication must be enabled in the configuration file for the macOS WFA

  • The user requesting device registration is authenticated by an Active Directory (AD) server running Windows Server, and has been converted into a mobile user on the local macOS workstation

Info You'll Need

  • The CA name

  • The CA server address

  • The Certificate Template name for user certificate generation

CA Name

The symbolic name of the CA can be placed by the user in the HyprOneService.plist configuration file:

<dict>
...
    <key>CertificateAuthority</key>
    <string>MY-WINDOWS-SERVER-DOMAIN-CA</string>
...

Starting with version 7.0.0 the configuration option accepts multiple CA names, separated by commas.

If it’s not specified, it is read from the Open Directory:

$ dscl localhost -list "/Active Directory/<YOUR DOMAIN NAME>/All Domains/CertificateAuthorities"
MY-WINDOWS-SERVER-DOMAIN-CA

If this query returns an empty result, WFA 6.19.0 and later discover the CA name by running the ldapsearch command:

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -s base configurationNamingContext
configurationNamingContext: CN=Configuration,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -b CN=Configuration,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com "(objectClass=certificationAuthority)" cn
cn: MY-WINDOWS-SERVER-DOMAIN-CA

If the LDAP query or the configuration property returns more than one CA name, WFA 6.16.0 and later test all of the values against the set of servers retrieved in the next section.

CA Server Address

Starting with WFA 6.19.0, addresses can be placed in the HyprOneService.plist configuration file:

<dict>
...
    <key>CertificatePublishers</key>
    <string>DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM,DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM</string>
...

If not specified, WFA looks first in Open Directory, where it collects the computer names in the "Cert Publishers" group. To preview which servers are found there, run the following:

$ dscl localhost -read "/Active Directory/<YOUR DOMAIN NAME>/All Domains/Groups/Cert Publishers" member

dsAttrTypeNative:member:
 CN=DOMAINSERVER1,OU=Domain Controllers,DC=domain,DC=suffix,DC=com
 CN=DOMAINSERVER2,OU=Domain Controllers,DC=domain,DC=suffix,DC=com

$ dscl localhost -search "/Active Directory/<YOUR DOMAIN NAME>/All Domains/Computers/" distinguishedName "CN=DOMAINSERVER1,OU=Domain Controllers,DC=domain,DC=suffix,DC=com"
dsAttrTypeNative:DNSHostName:
 DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM

If dscl doesn't find any entry, WFA 6.19.0 and later search the LDAP servers using ldapsearch:

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -s base rootDomainNamingContext
rootDomainNamingContext: CN=Users,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -b CN=Users,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com "(cn=Cert Publishers)" dn
dn: CN=Cert Publishers,OU=Groups,DC=domain,DC=suffix,DC=com

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -b CN=Users,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com "(memberOf=CN=Cert Publishers,OU=Groups,DC=domain,DC=suffix,DC=com)" dNSHostName
dNSHostName: DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM
dNSHostName: DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM
dNSHostName: DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM

If no servers are found, WFA looks in the DNS records, where it collects all the servers registered as handling the LDAP service:

$ nslookup -query=srv _ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM
Server:		xx.xx.xx.xx
Address:	xx.xx.xx.xx#xx

Non-authoritative answer:
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM	service = 0 100 389 DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM.
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM	service = 0 100 389 DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM.
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM	service = 0 100 389 DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM.
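The "CA Name" and "CA Server Address" sections above describe the same pattern: a value from HyprOneService.plist wins, otherwise WFA falls back through Open Directory (dscl), then ldapsearch, then (for servers) the DNS SRV records. The script below is an added example, not HYPR's code, that applies that precedence to command output so you can preview what WFA would settle on. The parsers read each command's output on stdin; the inputs at the bottom are constructed samples using the article's placeholder names, and on a real Mac you would pipe the live dscl/ldapsearch/nslookup output into the same functions.

```bash
#!/bin/bash
# Added example, not HYPR's code: preview which CA name(s) and CA server
# addresses WFA would end up using, following the precedence the article
# describes (plist value -> Open Directory via dscl -> ldapsearch -> DNS SRV).

# Print the <string> value that follows a given <key> in a plist.
plist_string() {               # usage: plist_string KEY < HyprOneService.plist
  awk -v key="<key>$1</key>" '
    found && /<string>/ { sub(".*<string>", ""); sub("</?string>.*", ""); print; exit }
    index($0, key)      { found = 1 }'
}

# Split a comma-separated value (7.0.0+ allows several CA names) into lines.
split_csv() {
  tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | awk 'NF'
}

# Collect the values of one attribute from ldapsearch -LLL output.
parse_ldap_attr() {            # usage: parse_ldap_attr ATTR < ldapsearch-output
  awk -v a="$1:" 'index($0, a) == 1 { sub(/^[^:]*:[[:space:]]*/, ""); print }'
}

# Turn the member DNs printed by "dscl ... -read ... member" into computer CNs.
# (The article's second dscl query then maps each CN to its DNSHostName.)
parse_dscl_members() {
  sed -n 's/^[[:space:]]*CN=\([^,]*\),.*/\1/p'
}

# Extract target host names from "nslookup -query=srv" output, without the
# trailing dot of the FQDN.
parse_srv_hosts() {
  awk '/service =/ { h = $NF; sub(/\.$/, "", h); print h }'
}

# Print the first non-empty candidate list; arguments are in precedence order.
first_nonempty() {
  for candidate in "$@"; do
    if [ -n "$candidate" ]; then printf '%s\n' "$candidate"; return 0; fi
  done
  echo "no value found" >&2
  return 1
}

# CA names: CertificateAuthority from the plist, else the certificationAuthority LDAP query.
preview_ca_names() {           # usage: preview_ca_names PLIST_TEXT LDAP_CN_OUTPUT
  local cfg ldap
  cfg=$(printf '%s\n' "$1" | plist_string CertificateAuthority | split_csv)
  ldap=$(printf '%s\n' "$2" | parse_ldap_attr cn)
  first_nonempty "$cfg" "$ldap"
}

# CA servers: CertificatePublishers from the plist, else Cert Publishers via dscl,
# else Cert Publishers via ldapsearch, else the _ldap._tcp.dc._msdcs SRV records.
preview_publishers() {         # usage: preview_publishers PLIST_TEXT DSCL_OUT LDAP_OUT SRV_OUT
  local cfg od ldap dns
  cfg=$(printf '%s\n' "$1" | plist_string CertificatePublishers | split_csv)
  od=$(printf '%s\n' "$2" | parse_dscl_members)
  ldap=$(printf '%s\n' "$3" | parse_ldap_attr dNSHostName)
  dns=$(printf '%s\n' "$4" | parse_srv_hosts)
  first_nonempty "$cfg" "$od" "$ldap" "$dns"
}

# ---- constructed sample inputs (placeholder names, not real domain data) ----
SAMPLE_PLIST='<dict>
    <key>CertificateAuthority</key>
    <string>MY-WINDOWS-SERVER-DOMAIN-CA, BACKUP-CA</string>
</dict>'
SAMPLE_LDAP_CA='cn: MY-WINDOWS-SERVER-DOMAIN-CA'
SAMPLE_DSCL_MEMBERS='dsAttrTypeNative:member:
 CN=DOMAINSERVER1,OU=Domain Controllers,DC=domain,DC=suffix,DC=com
 CN=DOMAINSERVER2,OU=Domain Controllers,DC=domain,DC=suffix,DC=com'
SAMPLE_SRV='_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM   service = 0 100 389 DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM.'

echo "CA name(s):"; preview_ca_names "$SAMPLE_PLIST" "$SAMPLE_LDAP_CA"
echo "Publishers (plist, dscl and ldapsearch empty, so DNS SRV is used):"
preview_publishers "$SAMPLE_PLIST" "" "" "$SAMPLE_SRV"
```

When troubleshooting, replace the constructed strings with the real command output (for example `dscl localhost -read ... member | parse_dscl_members`) and compare the result with the CA the registration actually contacted; a mismatch usually means an earlier, higher-precedence source is returning a stale or unexpected value.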

Certificate Template Name

Windows Server comes with a predefined certificate template called SmartcardUser that is suitable for the generation of certificates that macOS can use to authenticate a domain user. If you have a dedicated template that you prefer to use for the authentication of WFA users, you can specify it in the configuration file:

<dict>
...
    <key>CertificateTemplate</key>
    <string>HYPRTemplate</string>
...

The template should have the following characteristics:

  • An RSA public key of at least 2048 bits

  • Key usage extension flags for Digital Signature and Key Encipherment

  • Extended key usage options for E-mail Protection, Client Authentication, and Smart Card Logon




Version history

  • Current Version (v. 5): April 25, 2023 8:54, Nilesh Doiphode
  • v. 4: June 15, 2022 11:58, A. Khedron de León
  • v. 3: May 16, 2022 11:10, Alberto Massari
  • v. 2: Dec 16, 2021 16:22, Alberto Massari
  • v. 1: Oct 19, 2021 14:11, Alberto Massari