I have an NPS rule that permits only members of a Windows global security group to join WiFi using 802.1X.
Domain joined machines connect fine.
I wanted to issue (and manually distribute) certificates to machines that are not domain joined to allow them to connect, but I am unable to generate a computer certificate that passes the test.
I can (only) enrol on behalf of users, and user-based cert authentication also works.
To have the machine auto join I assume I require a machine cert.
Log Example
I can generate a client certificate, but it fails as it identifies differently:
Successful client...
User:
Security ID:CONTOSO\CONTOSOWIFIPC$
Account Name:host/CONTOSOWIFIPC.CONTOSO.com
Account Domain:CONTOSO
Fully Qualified Account Name:CONTOSO\CONTOSOWIFIPC$
Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
Called Station Identifier:00-11-22-33-44-55:CONTOSO_Portables
Calling Station Identifier:99-88-77-66-55-44
Unsuccessful client...
User:
Security ID:NULL SID
Account Name:host/CONTOSOWIFIPC.CONTOSO.com
Account Domain:CONTOSO
Fully Qualified Account Name:CONTOSO\host/CONTOSOWIFIPC.CONTOSO.com
Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
Called Station Identifier:00-11-22-33-44-55:CONTOSO_Portables
Calling Station Identifier:99-88-77-66-55-44
I duplicated the Workstation and Computer CA templates for client auth, but if I manually specify the host name I get the Unsuccessful log above (no SID association). If I generate the name from AD (with SID association), I can only use the name of the workstation/server at which the cert is generated.
Enrol On Behalf Of
User Enrol On Behalf Of won't permit computer accounts.
There is no Enrol On Behalf Of option for computer/machine certs in the Cert MMC. (I managed to find how to generate a computer cert using the option at https://docs.vmware.com/en/VMware-AirWatch/9.3/vmware-airwatch-guides-93/GUID-AW93-SetRestrEnrolAgentSignCA.html, but that still only specifies the local machine I used if I build from AD; I never get prompted to browse for an account.)
Workaround
In the end I used an actual Windows client to create an exportable cert, and I now import that one cert onto the WiFi systems, and that works.
Question
Is it possible to stage (manually create) computer accounts (that are members of a security group) in AD and get exportable certs for them that I can carry to clients (which might be named differently from the cert I want to give them, e.g. a client called MYSURFACE that I want to authenticate to WiFi as STAFFMEMBER01.Contoso.com)? Or am I on a wild goose chase...
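As an added diagnostic example (not part of the question above, and not from any referenced product), the following PowerShell reads a client-auth certificate and shows the two identity inputs NPS works from: the Subject Alternative Name it maps to an account name, and the Microsoft SID certificate extension (OID 1.3.6.1.4.1.311.25.2) that a CA adds when the subject is built from AD. It assumes the "no SID association" in the question refers to that extension, that the file path is a placeholder, and that the ActiveDirectory module is available.

```powershell
# Added example: inspect which AD identity a client-auth certificate carries.
# $certPath is a placeholder; point it at the exported .cer you intend to hand out.
$certPath = 'C:\temp\wifi-client.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

"Subject: $($cert.Subject)"

# Subject Alternative Name (OID 2.5.29.17): the DNS name / UPN NPS derives the account name from.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "SAN: $($san.Format($false))" } else { "SAN: (none)" }

# Microsoft SID extension (OID 1.3.6.1.4.1.311.25.2): present only when the CA built the
# subject from the AD object; assumption: its absence is what the question calls "no SID association".
$sidExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' }
if (-not $sidExt) {
    "SID extension: (none) - NPS has no SID to tie this cert to a staged computer account"
    return
}

# The SID is stored as an ASCII string inside the ASN.1 structure; pull it out with a regex.
$raw = [System.Text.Encoding]::ASCII.GetString($sidExt.RawData)
$sid = [regex]::Match($raw, 'S-1-5-21-[\d-]+').Value
"SID extension: $sid"

# Confirm the SID resolves to a computer account and list the groups NPS will evaluate.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $sid -Properties DNSHostName, MemberOf
"Resolves to: $($computer.SamAccountName) ($($computer.DNSHostName))"
"Member of:"
$computer.MemberOf | ForEach-Object { "  $_" }
```

Compare the SAN value and the resolved account against the "Account Name" and "Security ID" fields in the NPS event to see which side of the mapping is failing.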