Windows Desktop MFA - Validate AD CS configuration

Follow the below steps to validate AD CS configuration from one of the domain-joined client machines. This validates successful connection to the Domain Controller and certificate issuance from CA.

Verify Domain Control reachability

  • Navigate to Settings -> Accounts -> Access work or school
  • Copy the domain (for example, idemeum.com)
  • Open the command prompt and execute ping <domain>.                                      
    For example, ping idemeum.com
  • Verify the Domain Controller IP Address the current client system connects to and its successful connectivity via Reply.

Validate Certificate issuance & enrollment

Request New Certificate

  • Click Search -> type user cert -> Click Manage user certificates
  • Navigate to Certificates - Current User -> Right Click on Personal -> All Tasks -> Click Request New Certificate
  • Click Next
  • Click Next
  • Choose Idemeum enrollment agent
💡
Notice Idemeum enrollment agent & Idemeum windows are listed, which indicates certificate templates are configured correctly in AD CS.
If not listed here, please verify the domain controller connectivity and templates configured and issued correctly to CA. Refer to the below screenshot when Certificate Templates cannot be loaded from the Domain controller. It may also be that your installed CA is not allowing the generation of certificate types. This can be checked in the CA configuration.
  • Click Enroll, and STATUS must succeed. This validates successful enrollment. -> Click Finish
  • The certificate request is complete.

Enrolling Certificate to a User

Navigate to Certificates - Current User -> Right Click on Personal -> All Tasks -> Advanced Operations -> Click Enroll On Behalf Of...

  • Click Next
  • Click Next
  • Click Browse
  • Select Enrollment Agent Certificate (default chosen if there is one enrollment certificate) created from the previous step (Request New Certificate)
  • Click OK
  • Next button enabled. Click Next
  • Choose Idemeum windows
  • Type domain user logon name (preferably logged-in domain user) -> Click Enroll
  • Certificate successfully enrolled to the User
Validation Complete

Clean up

Once the above validation is complete, we can clean up the certs.

  • Choose the two certs created -> Click Delete icon -> Click Yes