
Certificate-based Device Registration on macOS

When a macOS computer is joined to a Windows domain and certificate-based authentication is enabled in the HYPR Passwordless configuration, the certificate used during device registration must be issued by the Certificate Authority (CA) service, Active Directory Certificate Services, running on one of the servers supporting the domain.

In a correctly configured domain, all of this information can be retrieved automatically; on some systems it must be specified manually.

Requirements

  • Certificate-based authentication must be enabled in the configuration file for HYPR Passwordless for macOS

  • The user requesting device registration is authenticated by an Active Directory (AD) domain controller running Windows Server, and has been converted into a mobile account on the local macOS workstation

Info You'll Need

  • The CA name

  • The CA server address

  • The Certificate Template name for user certificate generation

CA Name

The symbolic name of the CA can be set in the HyprOneService.plist configuration file:

<key>CertificateAuthority</key>
<string>MY-WINDOWS-SERVER-DOMAIN-CA</string>

The configuration option accepts multiple CA names, separated by commas.

If it is not specified, the CA names are read from Open Directory:

$ dscl localhost -list "/Active Directory/<YOUR DOMAIN NAME>/All Domains/CertificateAuthorities"
MY-WINDOWS-SERVER-DOMAIN-CA

If this query returns an empty result, the CA name is discovered with ldapsearch: the rootDSE of a domain controller is asked for the Configuration naming context, and that partition is then searched for certificationAuthority objects. ldapsearch performs a SASL (Kerberos) bind unless -x is given, so the user running it needs a valid ticket (check with klist).

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -s base configurationNamingContext
configurationNamingContext: CN=Configuration,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -b CN=Configuration,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com "(objectClass=certificationAuthority)" cn
cn: MY-WINDOWS-SERVER-DOMAIN-CA

If the LDAP query or the configuration property returns more than one CA name, every value is tested against the set of servers retrieved in the next section.

CA Server Address

The CA server addresses can be set in the HyprOneService.plist configuration file:

<key>CertificatePublishers</key>
<string>DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM,DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM</string>

If they are not specified, HYPR Passwordless looks first in Open Directory, where it collects the computer names that are members of the Cert Publishers group. To preview which servers are found there, run the following:

$ dscl localhost -read "/Active Directory/<YOUR DOMAIN NAME>/All Domains/Groups/Cert Publishers" member

dsAttrTypeNative:member:
CN=DOMAINSERVER1,OU=Domain Controllers,DC=domain,DC=suffix,DC=com
CN=DOMAINSERVER2,OU=Domain Controllers,DC=domain,DC=suffix,DC=com

$ dscl localhost -search "/Active Directory/<YOUR DOMAIN NAME>/All Domains/Computers/" distinguishedName "CN=DOMAINSERVER1,OU=Domain Controllers,DC=domain,DC=suffix,DC=com"
dsAttrTypeNative:DNSHostName:
DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM

If dscl doesn’t find any entry, HYPR Passwordless searches the LDAP servers using ldapsearch. The rootDSE attribute rootDomainNamingContext returns the distinguished name of the domain, which is used as the base of the two subtree searches that follow (the Cert Publishers group is created in the CN=Users container, but it may have been moved, so the search starts at the domain root rather than at CN=Users):

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -s base rootDomainNamingContext
rootDomainNamingContext: DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -b DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com "(cn=Cert Publishers)" dn
dn: CN=Cert Publishers,CN=Users,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com

$ ldapsearch -LLL -N -H ldap://DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM -b DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com "(memberOf=CN=Cert Publishers,CN=Users,DC=FULL,DC=COMPANY,DC=ADDRESS,DC=com)" dNSHostName
dNSHostName: DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM
dNSHostName: DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM
dNSHostName: DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM

If no servers are found, HYPR Passwordless falls back to DNS and collects every domain controller advertised in the SRV record for the LDAP service:

$ nslookup -query=srv _ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM
Server: xx.xx.xx.xx
Address: xx.xx.xx.xx#xx

Non-authoritative answer:

_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM service = 0 100 389 DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM.
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM service = 0 100 389 DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM.
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM service = 0 100 389 DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM.
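The following shell script is added here as a worked example; it is not part of the HYPR documentation or product. It runs the same three-step discovery described above (Open Directory, then LDAP, then DNS SRV) and reports which source produced the server list. dscl, ldapsearch and nslookup are the real macOS tools; the short domain name, DNS domain, domain controller host and the SAMPLE_SRV answer are constructed placeholders, and the assumption that the AD plug-in names computer records by sAMAccountName (CN plus a trailing $) is marked in the code. The parsing helpers operate on captured text, so they can be checked without a domain.

```shell
#!/bin/sh
# Added example, not HYPR's code: preview the CA-server discovery chain in the
# order HYPR Passwordless applies it: Open Directory (dscl), then LDAP
# (ldapsearch), then DNS SRV (nslookup). Assumes a domain-joined Mac with the
# three tools on PATH and a Kerberos ticket for the current user, since
# ldapsearch binds with SASL/GSSAPI unless -x is given. The parsers work on
# captured text; only discover_cert_publishers talks to the directory.
set -u

# Split a comma-separated plist value (CertificateAuthority and
# CertificatePublishers both accept several entries) into one value per line.
split_csv() {
  printf '%s\n' "$1" | awk -F, '{
    for (i = 1; i <= NF; i++) { gsub(/^[ \t]+|[ \t]+$/, "", $i); if ($i != "") print $i }
  }'
}

# Reduce each DN on stdin to its leading CN:
# "CN=DOMAINSERVER1,OU=Domain Controllers,DC=domain,..." -> DOMAINSERVER1
cns_from_dns() {
  awk 'match($0, /CN=[^,]+/) { print substr($0, RSTART + 3, RLENGTH - 3) }'
}

# Keep the target host of each SRV answer ("... service = 0 100 389 HOST.")
# without its trailing dot; Server:/Address:/banner lines are ignored.
hosts_from_srv() {
  awk '/service =/ { h = $NF; sub(/\.$/, "", h); print h }'
}

# Value of one attribute in LDIF "name: value" output. ldapsearch folds lines
# longer than 76 characters; the DNs in this domain are shorter than that.
ldif_value() {
  awk -v a="$1" 'index($0, a ": ") == 1 { print substr($0, length(a) + 3) }'
}

# De-duplicate while preserving first-seen order.
uniq_keep_order() {
  awk '!seen[$0]++'
}

# Live run. Stops at the first source that yields any server, like the text.
#   $1 short domain name as listed under /Active Directory/
#   $2 DNS domain name, e.g. FULL.COMPANY.ADDRESS.COM
#   $3 (optional) domain controller to query over LDAP; defaults to the first
#      DC in the SRV answer
discover_cert_publishers() {
  node="/Active Directory/$1/All Domains"
  srv="_ldap._tcp.dc._msdcs.$2"
  dc=${3:-$(nslookup -query=srv "$srv" | hosts_from_srv | head -n 1)}

  # 1. Open Directory: group members, each resolved to its DNS host name.
  #    Assumption: the AD plug-in names computer records by sAMAccountName (CN + "$").
  servers=$(dscl localhost -read "$node/Groups/Cert Publishers" member 2>/dev/null \
    | cns_from_dns | while IFS= read -r cn; do
        dscl localhost -read "$node/Computers/$cn\$" dNSHostName 2>/dev/null \
          | awk 'tolower($0) ~ /dnshostname/ { if (NF > 1) { print $NF; next } getline; print $1 }'
      done)
  [ -n "$servers" ] && { echo "source=dscl"; printf '%s\n' "$servers" | uniq_keep_order; return 0; }

  # 2. LDAP: domain naming context from the rootDSE, then subtree searches for
  #    the group and for the computers that are members of it.
  base=$(ldapsearch -LLL -N -H "ldap://$dc" -s base rootDomainNamingContext | ldif_value rootDomainNamingContext)
  group=$(ldapsearch -LLL -N -H "ldap://$dc" -b "$base" "(cn=Cert Publishers)" dn | ldif_value dn)
  servers=$(ldapsearch -LLL -N -H "ldap://$dc" -b "$base" "(memberOf=$group)" dNSHostName | ldif_value dNSHostName)
  [ -n "$servers" ] && { echo "source=ldap"; printf '%s\n' "$servers" | uniq_keep_order; return 0; }

  # 3. DNS: every DC advertising the LDAP service for the domain.
  echo "source=dns"
  nslookup -query=srv "$srv" | hosts_from_srv | uniq_keep_order
}

# Constructed sample (the nslookup answer shown above) for offline checks.
SAMPLE_SRV='Server:		10.0.0.53
Address:	10.0.0.53#53

Non-authoritative answer:
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM	service = 0 100 389 DOMAINSERVER3.FULL.COMPANY.ADDRESS.COM.
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM	service = 0 100 389 DOMAINSERVER1.FULL.COMPANY.ADDRESS.COM.
_ldap._tcp.dc._msdcs.FULL.COMPANY.ADDRESS.COM	service = 0 100 389 DOMAINSERVER2.FULL.COMPANY.ADDRESS.COM.'

if [ $# -ge 2 ]; then
  discover_cert_publishers "$1" "$2" "${3:-}"
fi
```

Run it as `sh discover.sh MYDOMAIN FULL.COMPANY.ADDRESS.COM` on a registered Mac and compare the printed hosts with the CertificatePublishers value in HyprOneService.plist (pass that value through split_csv to get the same one-per-line form). If the source reported is dns while LDAP should have worked, the usual cause is a missing Kerberos ticket or a Cert Publishers DN containing characters that need escaping in the memberOf filter.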

Certificate Template Name

Windows Server comes with a predefined certificate template called SmartcardUser that is suitable for the generation of certificates macOS can use to authenticate a domain user. If you have a dedicated template that you prefer to use for the authentication of HYPR Passwordless users, you can specify it in the configuration file:

<key>CertificateTemplate</key>
<string>HYPRTemplate</string>

The template should have the following characteristics:

  • An RSA key pair of at least 2048 bits

  • Key usage: Digital Signature and Key Encipherment

  • Extended key usage: Secure Email (E-mail Protection), Client Authentication, and Smart Card Logon
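An added check, not part of the HYPR documentation: once a certificate has been issued from the template, dump it with openssl and confirm the three properties above before relying on it for registration. The function reads the text form of a certificate on stdin so it can be exercised offline; the two sample certificate texts are constructed for this example, and the OpenSSL display names it matches ("TLS Web Client Authentication" for Client Authentication, "E-mail Protection" for Secure Email, "Microsoft Smartcardlogin" for the Smart Card Logon OID 1.3.6.1.4.1.311.20.2.2) are assumptions about how your OpenSSL build labels those usages.

```shell
#!/bin/sh
# Added example, not HYPR's or Microsoft's code: verify that a user certificate
# satisfies the template requirements listed above (RSA >= 2048, Digital
# Signature + Key Encipherment, EKU Secure Email + Client Authentication +
# Smart Card Logon). Input is `openssl x509 -noout -text` output on stdin.
set -u

MIN_RSA_BITS=2048

# Prints one line per finding; returns 0 when every requirement is met.
check_cert_text() {
  text=$(cat)
  fail=0

  # Key type and size. OpenSSL prints "Public Key Algorithm: rsaEncryption" and
  # "Public-Key: (2048 bit)"; 1.1.x prefixes the second line with "RSA ".
  if ! printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    echo "FAIL key algorithm is not RSA"; fail=1
  fi
  bits=$(printf '%s\n' "$text" | awk '/Public-Key: \(/ { gsub(/[^0-9]/, ""); print; exit }')
  if [ -z "$bits" ] || [ "$bits" -lt "$MIN_RSA_BITS" ]; then
    echo "FAIL key size ${bits:-unknown} is below $MIN_RSA_BITS bits"; fail=1
  fi

  # Key usage flags.
  for ku in 'Digital Signature' 'Key Encipherment'; do
    if ! printf '%s\n' "$text" | grep -q "$ku"; then
      echo "FAIL key usage lacks $ku"; fail=1
    fi
  done

  # Extended key usage: accept OpenSSL's long name or the raw Microsoft OID
  # (assumed display names; see the lead-in).
  for eku in 'E-mail Protection' 'TLS Web Client Authentication' \
             'Microsoft Smartcardlogin|1\.3\.6\.1\.4\.1\.311\.20\.2\.2'; do
    if ! printf '%s\n' "$text" | grep -Eq "$eku"; then
      echo "FAIL extended key usage lacks $eku"; fail=1
    fi
  done

  if [ "$fail" -eq 0 ]; then
    echo "OK certificate satisfies the template requirements"
  fi
  return "$fail"
}

# Constructed sample in the layout of `openssl x509 -noout -text` (not a real
# certificate): meets every requirement.
GOOD_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN = jdoe, CN = Users, DC = FULL, DC = COMPANY, DC = ADDRESS, DC = com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication, Microsoft Smartcardlogin'

# Constructed sample that fails twice: 1024-bit key and no Smart Card Logon EKU.
BAD_CERT_TEXT='Certificate:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication'

# Usage: sh check_cert.sh user.pem
# (export from the login keychain with: security find-certificate -c "<user>" -p > user.pem)
if [ $# -ge 1 ]; then
  openssl x509 -in "$1" -noout -text | check_cert_text
fi
```

The check is deliberately text-based rather than OID-based so it works with the stock macOS OpenSSL/LibreSSL without extra libraries; if your build prints the Smart Card Logon usage under a different name, the raw OID alternative in the last pattern still matches when `openssl` falls back to printing the dotted OID.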