Assigning Group/User Access for Each Template

After you have imported the Autoenrollment configuration file into the Autoenrollment Server, you need to assign access permissions to the imported templates. The required permission for each template is described below. Refer to the DigiCert® Trust Lifecycle Manager | Autoenrollment Server deployment guide sections “About the Preparation of Certificate Templates” and “About the Assignment of Group/User Access to Templates” for more details on how to configure them.

Certificate Template Name: Domain Controller

Target Group or User: The group that contains all the Domain Controllers in your domain. By default, the Domain Controllers group should include all the domain controllers.

Required Access Permission: Check Read, Enroll, and Autoenroll.

Certificate Template Name: Microsoft® Enrollment Agent

Target Group or User: A group that includes the account user for AD FS, or specify the account directly. If the account is a Service Account, the following operation is required to show the Service Account objects:

After clicking Add, click Object Types.

Check Service Accounts.

Required Access Permission: Check Read and Enroll. Autoenroll is not required. A certificate from this template will be issued to the AD FS account user automatically as part of the Windows Hello for Business flow.

Certificate Template Name: Windows Hello for Business Authentication

Target Group or User: This should be the Windows Hello for Business Users group that was created during 5-a. Active Directory from the official Microsoft documentation. The name does not have to match exactly, but it needs to be the group of users that you are trying to assign Windows Hello authentication to.

Required Access Permission: Check Read, Enroll, and Autoenroll.
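A read-only check of the resulting permissions, as an added example that is not part of DigiCert's guide: it lists which identities hold Enroll or Autoenroll on each of the three templates so the result can be compared with the assignments above. It assumes the ActiveDirectory RSAT module is installed and that the templates are stored in the forest's Certificate Templates container under the names used on this page; the `$expected` table and the `AutoenrollNotNeeded` column are illustrative names.

```powershell
# Added example, read-only. Assumption: the imported templates are AD objects
# in the Certificate Templates container, named as on this page.
Import-Module ActiveDirectory

# Extended-right GUIDs that control certificate enrollment on a template.
$rightNames = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
    '00000000-0000-0000-0000-000000000000' = 'AllExtendedRights'  # includes both
}

# Template name -> whether this page calls for Autoenroll on the target group.
$expected = [ordered]@{
    'Domain Controller'                         = $true
    'Microsoft® Enrollment Agent'               = $false
    'Windows Hello for Business Authentication' = $true
}

$base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
        (Get-ADRootDSE).configurationNamingContext

foreach ($name in $expected.Keys) {
    # Match on either the object CN or the display name.
    $tmpl = Get-ADObject -SearchBase $base `
        -LDAPFilter "(|(cn=$name)(displayName=$name))" `
        -Properties nTSecurityDescriptor
    if (-not $tmpl) { Write-Warning "Template not found: $name"; continue }

    $tmpl.nTSecurityDescriptor.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $rightNames.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            $right = $rightNames[$_.ObjectType.ToString()]
            [pscustomobject]@{
                Template            = $name
                Identity            = $_.IdentityReference
                Right               = $right
                # True when Autoenroll is granted where this page says it is not required.
                AutoenrollNotNeeded = ($right -ne 'Enroll' -and -not $expected[$name])
            }
        }
}
```

Identities holding full control on a template can also enroll but are not listed by this filter, so review those entries separately.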