Assigning Group/User Access for Each Template
After you have imported the Autoenrollment configuration file into the Autoenrollment Server, you will need to assign access permissions to the imported templates. The required permission for each template is described below. Refer to the DigiCert® Trust Lifecycle Manager | Autoenrollment Server deployment guide sections “About the Preparation of Certificate Templates” and “About the Assignment of Group/User Access to Templates” for more details on how to configure them.
| Certificate Template Name | Target Group or User | Required Access Permission |
| --- | --- | --- |
| Domain Controller | The group that contains all the Domain Controllers in your domain. By default, the Domain Controllers group should include all the domain controllers. | Check Read, Enroll, and Autoenroll. |
| Microsoft® Enrollment Agent | The group that includes the account user for AD FS, or specify the account directly. If the account is a Service Account, the following operation is required to show the Service Account objects: after clicking Add, click Object Types, then check Service Accounts. | Check Read and Enroll. Autoenroll is not required. A certificate from this template will be issued to the AD FS account user automatically as part of the Windows Hello for Business flow. |
| Windows Hello for Business Authentication | This should be the Windows Hello for Business Users group that was created during 5-a. Active Directory from the official Microsoft documentation. The name does not have to match exactly, but it needs to be the group of users to whom you are assigning Windows Hello authentication. | Check Read, Enroll, and Autoenroll. |