ADCS - PKI - Permissions for Service Account for SaaS Solution

Hi Everyone,

I'm in the process of configuring a Mobile Device Management PoC for our business.

The tool in question is a cloud based service, which needs to be able to request and issue certificates.

My question is what level of rights do I need to give the service account in question in order to make sure the SaaS service is capable of completing the request and issue certificate tasks?

Further info:

1 forest with 3 child domains. Users and computers reside within one of the 3 child domains. PKI infra resides within the forest root domain. Root CA is offline, with 3 x subordinate root CAs (one within each region for the business)

Thanks in advance.

Simon 

May 26th, 2015 7:58pm

Hi Simon,

For this to work, your SaaS solution is going to have to be able to provide Windows credentials to the issuing intermediate certificate servers. Outside of that requirement, what you're asking about is easily implemented.

Assuming the SaaS solution can present Windows credentials and talk to the Microsoft AD CS infrastructure then I'd be inclined to create a standard (i.e. non-privileged) domain user account and assign that account Enroll and Read rights to each certificate template you expect the SaaS solution to issue, i.e. something like the Computer or Workstation templates (or a custom template if you wanted to set one up from scratch).

You might also want to look into NDES and SCEP as outlined here (TechNet article). This is a more complex topic that I don't have time to outline here but as they're a standards-based implementation, you might find this is what your SaaS vendor expects you to utilise rather than direct integration.

Cheers,
Lain

May 27th, 2015 12:45am
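The approach Lain describes (a non-privileged domain user with only Read and Enroll on the specific templates the SaaS solution will issue from) can be applied and checked with the ActiveDirectory module. This is an added example, not code from the thread; it assumes the module is installed, that you run it in the forest root where the templates live with rights to edit template ACLs, and that 'CHILD\svc-mdm' and 'Workstation' are placeholder account and template names.

```powershell
# Added example (not from the thread). Assumptions: ActiveDirectory module present,
# run with rights to edit template ACLs in the forest root, and 'CHILD\svc-mdm' /
# 'Workstation' are placeholder names for the service account and template.
Import-Module ActiveDirectory

# Certificate-Enrollment extended right GUID: this is the "Enroll" permission
# shown on a template's Security tab.
$EnrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Get-TemplateDN([string]$TemplateName) {
    # Templates live in the forest-wide configuration partition, not in any child domain.
    $config = (Get-ADRootDSE).configurationNamingContext
    "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
}

# Check step: list who already holds Enroll on the template and flag broad groups,
# so the service account is not simply added to a template that is already wide open.
function Get-TemplateEnrollers([string]$TemplateName) {
    $acl = Get-Acl -Path ("AD:\" + (Get-TemplateDN $TemplateName))
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $EnrollRight } |
        ForEach-Object {
            [pscustomobject]@{
                Template   = $TemplateName
                Identity   = $_.IdentityReference.Value
                BroadGroup = [bool]($_.IdentityReference.Value -match 'Authenticated Users|Domain Users|Everyone')
            }
        }
}

# Grant step: give one standard account exactly Read + Enroll on one template, nothing more.
function Grant-TemplateEnroll([string]$TemplateName, [string]$Account) {
    $sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $path = "AD:\" + (Get-TemplateDN $TemplateName)
    $acl  = Get-Acl -Path $path
    $read   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'GenericRead', 'Allow')
    $enroll = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', 'Allow', $EnrollRight)
    $acl.AddAccessRule($read)
    $acl.AddAccessRule($enroll)
    Set-Acl -Path $path -AclObject $acl
}

Get-TemplateEnrollers -TemplateName 'Workstation' | Format-Table -AutoSize
Grant-TemplateEnroll -TemplateName 'Workstation' -Account 'CHILD\svc-mdm'
```

Run the check function again after granting to confirm the service account appears with Enroll and that no unexpected broad group does; the same Read + Enroll pair is needed on each template the SaaS tool will request from.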

