AD CS setup for Single Registration
To enroll certificates on behalf of another user, an Enrollment Agent certificate must be present on the Windows server where the HYPR Enrollment Service is running. In addition, a user template must be defined so that user certificates can be issued.
Configure Active Directory Certificate Services (AD CS)
The screenshots below were taken on Windows Server 2008; the user interface may differ on a newer version.
The following steps are performed in the Certificate Templates MMC snap-in (certtmpl.msc).
Domain Admin (DA) privileges are required to create, configure, and deploy certificate templates.
Create the HYPR Enrollment Agent Template
- Right-click the Enrollment Agent (Computer) template and choose the **All Tasks → Duplicate Template** menu option.
- Name the new template HYPR Enrollment Agent.
- Select the Security tab to display the current access control list for the template.
- To tighten the access controls on the template, click Add… and add an entry for the computer account of the server where the HYPR Enrollment Service will be running.
- Check the Allow box next to Enroll for that computer account, remove Enroll from any other principal that does not need it, and click Apply to save the template. An Enrollment Agent certificate lets its holder request certificates for any user, so this template should be enrollable only by the HYPR server.
Create the HYPR Enrollment User Template
- Duplicate an existing user template (see Creating a Custom Certificate Template) and name it HYPR Enrollment User. This is the template that will be used to issue user certificates.
- Select the Issuance Requirements tab.
- Check This number of authorized signatures and set the value to 1.
- Set the Application policy to Certificate Request Agent. A request for this template will then only be issued if it is co-signed by a certificate carrying that application policy, i.e. the HYPR Enrollment Agent certificate.
- Click Apply to save the template.
Grant System Account Permissions
- In the Certification Authority console (certsrv.msc), right-click the CA name and choose Properties.
- On the Properties dialog, select the Security tab.
- Add (or select) the computer account of the server running the HYPR Enrollment Service. Under the Allow column, check the box for Issue and Manage Certificates, then click OK.
- Select the Certificate Managers tab, choose Restrict certificate managers, and in the Certificate Managers pane select the computer account you added in the previous step.
- In the Certificate Templates pane, click Add… and choose the HYPR Enrollment User template, then click OK. This limits the account's certificate-manager rights to that one template instead of every template the CA issues.
Enable the Templates
- In the Certification Authority console, right-click the Certificate Templates folder under the CA and select the New → Certificate Template to Issue menu option.
- Select the HYPR Enrollment Agent and HYPR Enrollment User templates from the list.
- Click OK to publish the certificate templates for use. Until a template is published here, no one can enroll for it, regardless of the permissions set on the template itself.
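The following script is an added verification step, not part of the HYPR documentation or product. After the templates are created and published, it reads the template objects back from the Configuration partition and checks the properties the steps above set: the Certificate Request Agent EKU on the agent template, which principals can enroll for it, the one-signature requirement with the Certificate Request Agent policy on the user template, and whether both templates are published on a CA. It assumes the ActiveDirectory PowerShell module (RSAT), a domain-joined machine, and the display names "HYPR Enrollment Agent" and "HYPR Enrollment User" used above; the templates are looked up by displayName because AD CS strips the spaces from the template's internal name.

```powershell
# Added verification script; not part of the HYPR documentation. It assumes the
# ActiveDirectory module (RSAT), a domain-joined machine, and the display names
# "HYPR Enrollment Agent" and "HYPR Enrollment User" from the steps above. The
# templates are looked up by displayName because AD CS strips the spaces from
# the template's internal name (CN), e.g. "HYPREnrollmentAgent".
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$pkiDN       = "CN=Public Key Services,CN=Services,$configNC"
$agentEkuOid = '1.3.6.1.4.1.311.20.2.1'                        # Certificate Request Agent
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'    # Certificate-Enrollment extended right

function Get-PkiTemplate([string]$DisplayName) {
    Get-ADObject -SearchBase "CN=Certificate Templates,$pkiDN" `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))" `
        -Properties displayName, pKIExtendedKeyUsage, 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies'
}

function Get-EnrollPrincipals($Template) {
    # Identities holding the Enroll right, plus any whose rights are broad enough
    # to enroll anyway (all extended rights, or full control on the template).
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $fullCtl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    (Get-Acl -Path "AD:\$($Template.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object {
            $_.ObjectType -eq $enrollRight -or
            ($_.ActiveDirectoryRights.HasFlag($extRight) -and $_.ObjectType -eq [Guid]::Empty) -or
            $_.ActiveDirectoryRights.HasFlag($fullCtl)
        } |
        Select-Object -ExpandProperty IdentityReference -Unique
}

$agent = Get-PkiTemplate 'HYPR Enrollment Agent'
$user  = Get-PkiTemplate 'HYPR Enrollment User'
if (-not $agent -or -not $user) { throw 'One or both HYPR templates were not found in AD.' }

# 1. The agent template must carry the Certificate Request Agent EKU.
"Agent template has Certificate Request Agent EKU: $($agent.pKIExtendedKeyUsage -contains $agentEkuOid)"

# 2. Who can enroll for the agent certificate? Expect only the HYPR server's computer account.
"Principals able to enroll for '$($agent.displayName)':"
Get-EnrollPrincipals $agent | ForEach-Object { "  $_" }

# 3. The user template must require one authorized signature carrying the
#    Certificate Request Agent policy; otherwise anyone with Enroll could
#    request a certificate for an arbitrary user.
"User template required signatures: $($user.'msPKI-RA-Signature') (expected 1)"
$raPolicies = [string]$user.'msPKI-RA-Application-Policies'
"User template RA application policy includes ${agentEkuOid}: $($raPolicies -like "*$agentEkuOid*")"

# 4. Both templates must be published on a CA before anyone can enroll for them.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiDN" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates
foreach ($t in @($agent, $user)) {
    $on = $cas | Where-Object { $_.certificateTemplates -contains $t.Name } | Select-Object -ExpandProperty Name
    "'$($t.displayName)' (CN=$($t.Name)) published on: $(if ($on) { $on -join ', ' } else { 'NO CA' })"
}
```

Any identity other than the HYPR server's computer account (and the administrative groups you intend) appearing under "Principals able to enroll" means the Security tab tightening above was not applied; a signature count other than 1, or a missing Certificate Request Agent policy, means the user template can be enrolled without the agent co-signature.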
Deploy the HYPR Enrollment Agent Template
- On the Windows server where the HYPR Enrollment Service is running, log in with a domain account that has local administrator rights on that server (managing the Local Machine store requires elevation). Deploy the Enrollment Agent certificate to the Local Machine certificate store: run certlm.msc.
- Expand Personal and select Certificates.
- Right-click Certificates and choose All Tasks → Request New Certificate.
- Continue to click Next until the template selection dialog is displayed.
- Choose the HYPR Enrollment Agent template and click Enroll to deploy the Enrollment Agent certificate to the Windows server. The request is made with the server's computer account, so it succeeds only if that account was granted Enroll on the template and the template has been published on the CA.
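As an added example (not part of the HYPR documentation or product), the same enrollment can be scripted and verified from an elevated PowerShell session on the server, which is useful for repeatable builds and for checking that the certificate the service will use actually has the right EKU, a private key, and remaining validity. It assumes the PKI module (Windows Server 2012 or later) and that the template's internal name is "HYPREnrollmentAgent", the default AD CS derives from the display name "HYPR Enrollment Agent"; confirm the name on the template's General tab before running.

```powershell
# Added example; not part of the HYPR documentation. Requests the Enrollment
# Agent certificate into the Local Machine store (the scripted equivalent of the
# certlm.msc steps above) and verifies the result. Assumes an elevated session on
# the HYPR Enrollment Service server, the PKI module (Windows Server 2012 or
# later), and that the template's internal name is "HYPREnrollmentAgent" (AD CS
# drops the spaces from "HYPR Enrollment Agent"; confirm on the template's
# General tab).
$templateName = 'HYPREnrollmentAgent'
$agentEkuOid  = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent

function Get-EnrollmentAgentCert {
    # A usable agent certificate has the Certificate Request Agent EKU, a
    # private key in this store, and is inside its validity window.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
            (@($_.EnhancedKeyUsageList | ForEach-Object ObjectId) -contains $agentEkuOid)
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

$cert = Get-EnrollmentAgentCert
if (-not $cert) {
    # The request is signed with the computer account, so it fails unless that
    # account has Enroll on the template and the template is published on a CA.
    $result = Get-Certificate -Template $templateName -CertStoreLocation Cert:\LocalMachine\My
    if ($result.Status -ne 'Issued') {
        throw "Enrollment did not complete: status '$($result.Status)'"
    }
    $cert = $result.Certificate
}

"Enrollment Agent certificate: $($cert.Thumbprint)"
"  Subject : $($cert.Subject)"
"  Issuer  : $($cert.Issuer)"
"  Expires : $($cert.NotAfter)"
if (($cert.NotAfter - (Get-Date)).TotalDays -lt 30) {
    Write-Warning 'Agent certificate expires within 30 days; renew it before the service breaks.'
}
```

A `Pending` status means the CA is configured to hold requests for manual approval; a `Denied` status with an access error usually means the computer account lacks Enroll on the template or the template is not published.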
Configuring Active Directory (AD) Users
Before a user can start the web registration flow, their AD user account must be configured as follows:
- From the Start menu, open Active Directory Users and Computers (dsa.msc).
- In the top menu, click View → Advanced Features (this exposes the Attribute Editor tab).
- Open the properties of the user that you will invite to register.
- Under the General tab, enter the user's email address into the E-mail field.
- Switch to the Attribute Editor tab.
- Scroll down to the mail attribute and confirm it contains the user's email address; the General tab's E-mail field writes this same attribute, so edit it here if it is missing or different.
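When more than a handful of users are being onboarded, the same attribute can be set and audited in bulk. The script below is an added example, not part of the HYPR documentation or product; it assumes the ActiveDirectory module, and the user names and addresses in it are constructed placeholders. It refuses to silently overwrite an address that is already set to something else, skips entries without a syntactically valid address, and finally lists enabled accounts that still have no mail attribute and therefore cannot be invited yet.

```powershell
# Added example; not part of the HYPR documentation. Sets the mail attribute
# (the General tab "E-mail" field and the Attribute Editor "mail" row are the
# same attribute) for the users to be invited, then audits who is still missing
# one. Assumes the ActiveDirectory module. The input below is constructed.
Import-Module ActiveDirectory

# Constructed sample input: sAMAccountName -> intended e-mail address.
$invitees = @{
    'alice' = 'alice@example.com'
    'bob'   = 'bob@example.com'
    'carol' = ''                     # no address known yet
}

function Set-InviteeMail {
    param([hashtable]$Users, [switch]$Overwrite)
    foreach ($sam in $Users.Keys) {
        $addr = $Users[$sam]
        $u = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -Properties mail
        if (-not $u) { Write-Warning "$sam not found"; continue }
        if ($addr -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            Write-Warning "$sam has no valid address; skipping"; continue
        }
        # Do not clobber an address someone else maintains (e.g. Exchange) unless asked to.
        if ($u.mail -and $u.mail -ne $addr -and -not $Overwrite) {
            Write-Warning "$sam already has mail=$($u.mail); use -Overwrite to change it"; continue
        }
        Set-ADUser -Identity $u -EmailAddress $addr   # writes the mail attribute
        "$sam -> $addr"
    }
}

Set-InviteeMail -Users $invitees

# Audit: enabled users that still lack a mail address and so cannot be invited.
Get-ADUser -Filter 'Enabled -eq $true -and mail -notlike "*"' -Properties mail |
    Select-Object sAMAccountName, DistinguishedName
```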
Conditional Enrollment for Single Registration
Organizations typically have different user groups that require access to different resources, and the registration requirements can be tied to the resources those users need. When HYPR is configured for a Single Registration experience, administrators can decide whether a given user is expected to have a computer account created during enrollment. This allows web-only registrations without a more complex setup.
To choose the type of accounts a user should get during registration:
- Access the Magic Links page to onboard new users (see Registering Users with a Magic Link).
- If you want to skip the creation of a computer account during the user's registration, toggle the Skip workstation registration option.