Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Enroll on behalf of in WinEP

Owned by Ann Base (Deactivated)
Last updated: Nov 13, 2023 by Josefin Klang (Deactivated)
1 min read

This article is valid for CM 8.5 and later.

This article describes Enroll on behalf of (EOBO) inĀ Nexus Windows Enrollment Proxy - WinEP.

  • To activate support for Enroll on behalf of (EOBO) you must create an enrollment agent softtoken (P12) containing the extended key usage Certificate Request Agent.

  • The created enrollment agent softtoken must be made available to the enrollment agent performing the enrollment request.

  • The enrollment agent certificate(s) must be configured for each handler in winep.properties in the Protocol Gateway instance that WinEP is connected to.

  • For each Protocol Gateway handler that should support EOBO, the configuration parameter handler.x.enrollmentAgent.certs.x is required. See "Example configuration EOBO".

Configuration

You can restrict the enrollment agent to only be able to issue certificates for target users that are a part of or not a part of specific groups.

  • Use the configuration parameters enrollmentAgent.allowedGroups and enrollmentAgent.blockedGroups in the Protocol Gateway winep.properties file. See "Example configuration EOBO".



This is an example configuration for EOBO on the User template in winep.properties:

Example: Configure Enroll on behalf of
handler.0.filter = User handler.0.format = winep-user handler.0.tokenprocedure = WinEP Token Procedure handler.0.enrollmentAgent.certs.1 = winep-enrollment-agent.cer handler.0.enrollmentAgent.allowedGroups = Employee, Managers handler.0.enrollmentAgent.blockedGroups = Administrators, IT





Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions