Active Directory Integration with Symantec Security Information Manager 4.7 using a Domain Controller Certificate
Last Updated May 29, 2012
This article describes how to configure Active Directory Integration in Symantec Security Information Manager (SSIM) 4.7 using a Domain Controller certificate issued by an Enterprise CA.
Step 1: Creating the Domain Controller Certificate
On the Domain Controller, open the Start Menu, click Run, type mmc, and click OK.
In the console, click File, and then click Add/Remove Snap-in....
Under Available Snap-ins, select Certificates and click Add.
The snap-in asks which certificates it should manage.
Select Computer account, click Next, select Local computer, and click Finish.
In the Add or Remove Snap-ins dialog, click OK.
In the console, expand Personal, right-click Certificates, and select All Tasks -> Request New Certificate....
In the Certificate Enrollment window that opens, click Next.
On the Request Certificates page, select the certificate to request from the Enterprise CA.
Depending on which Certificate Templates are published on the Enterprise CA, the Domain Controller may be offered several certificates to enroll for.
For the Active Directory Integration, select either the Domain Controller or the Domain Controller Authentication certificate and click Enroll.
Afterwards, the certificate issued by the Enterprise CA should be present in the Certificates folder.
If you select the Domain Controller Authentication certificate, the default template on the Enterprise CA must be changed first.
By default, the Domain Controller Authentication template issues a certificate without a Subject (the Domain Controller's name appears only in the Subject Alternative Name). With such a certificate, Test Connection in the SSIM Web-UI fails and the Active Directory Integration cannot be completed.
This is a known issue that is being reviewed by the SSIM engineering group and might change in future versions.
Follow the steps below to make the necessary change to the default Domain Controller Authentication template.
In an MMC console, add the Certificate Templates snap-in.
In the console, expand Certificate Templates, right-click the Domain Controller Authentication template, and select Properties.
On the Subject Name tab, in the Subject name format drop-down, select Common name.
Click Apply and close the Properties window.
After the change has been applied, a certificate enrolled from the Domain Controller Authentication template carries the Common Name of the Domain Controller in its Subject. A certificate that was issued before the change keeps its empty Subject, so request a new one.
Step 2: Exporting the CA certificate of the Enterprise CA
On the Enterprise CA, use the Certificates snap-in (Computer account, Local computer) to export the CA certificate.
The CA certificate is in the Personal -> Certificates folder of the Enterprise CA's computer store.
Right-click the certificate and select All Tasks -> Export....
In the wizard, do not export the private key (the CA key must never leave the CA), and choose the DER encoded binary X.509 (.CER) format.
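The Step 1 and Step 2 work above from the command line, as an added example that is not part of the Symantec article: it checks the template's Subject Name setting in Active Directory, enrolls the Domain Controller certificate, verifies that the issued certificate has a Subject, and exports the issuing CA certificate in DER. It assumes an elevated PowerShell prompt on the Domain Controller, that the template's internal name is DomainControllerAuthentication, that certreq -enroll is available (Windows Server 2008 R2 or later), and that C:\Temp exists; the flag value comes from the MS-CRTD template specification.

```powershell
# Added example, not from the Symantec article. Run in an elevated PowerShell on the
# Domain Controller. Assumed: template name DomainControllerAuthentication (display
# name "Domain Controller Authentication"), certreq -enroll available (2008 R2 or
# later), and C:\Temp exists.
$TemplateName = 'DomainControllerAuthentication'
$ExportPath   = 'C:\Temp\Enterprise-CA.cer'
# CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME in msPKI-Certificate-Name-Flag (MS-CRTD).
$SubjectRequireCommonName = 0x40000000

# Step 1 check: does the template put a Common Name into the Subject? The stock
# Domain Controller Authentication template leaves this bit clear; that is why the
# issued certificate has no Subject and SSIM's Test Connection fails.
$configNC = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
$template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$nameFlags = [int64]$template.Properties['msPKI-Certificate-Name-Flag'].Value
if (($nameFlags -band $SubjectRequireCommonName) -eq 0) {
    throw "Template $TemplateName does not use Subject name format = Common name; fix it in the Certificate Templates snap-in first."
}

# Step 1: enroll the machine certificate (equivalent of Request New Certificate in the MMC).
& certreq.exe -enroll -machine -q $TemplateName
if ($LASTEXITCODE -ne 0) { throw "certreq -enroll failed with exit code $LASTEXITCODE" }

# Pick the newest Server Authentication certificate in the machine store and look at
# it the way SSIM will: Subject, Subject Alternative Name, Issuer.
$fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$dcCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1')
    } | Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $dcCert) { throw 'No Server Authentication certificate found in Cert:\LocalMachine\My' }
if ([string]::IsNullOrEmpty($dcCert.Subject)) {
    throw "Certificate $($dcCert.Thumbprint) has an empty Subject; SSIM Test Connection will fail (see the template change in Step 1)."
}
$san = $dcCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
"DC certificate : $($dcCert.Thumbprint)"
"  Subject      : $($dcCert.Subject)"
"  SAN          : $san"
"  Issuer       : $($dcCert.Issuer)"
if ("$san" -notmatch [regex]::Escape($fqdn)) {
    Write-Warning "SAN does not list $fqdn; configure SSIM with the name that is actually in the certificate."
}

# Step 2: export the issuing CA certificate as DER, the format the MMC wizard calls
# "DER encoded binary X.509 (.CER)". The Enterprise CA certificate is published to the
# Trusted Root (or Intermediate) store of every domain member, so the local store is
# enough and no private key is touched.
$caCert = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -eq $dcCert.Issuer } | Select-Object -First 1
if (-not $caCert) { throw "Issuer '$($dcCert.Issuer)' was not found in the local Root or CA store" }
$der = $caCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($ExportPath, $der)

# Sanity check before uploading to SSIM: the file parses and is the same certificate.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ExportPath
if ($reloaded.Thumbprint -ne $caCert.Thumbprint) { throw 'Exported file does not match the CA certificate' }
"CA certificate written to $ExportPath (thumbprint $($reloaded.Thumbprint)); import it in SSIM under Settings -> Certificate -> Add CA Root."
```

The template check runs before enrollment on purpose: enrolling first and then fixing the template leaves a Subject-less certificate in the store, and the newest-by-NotBefore selection would keep picking it up until a fresh one is requested.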
Step 3: Importing the CA certificate into SSIM
Log in to the SSIM Web-UI and go to Settings -> Certificate.
In the menu on the left, click Add CA Root.
Select the file with the exported CA certificate, specify a Key Label, and click Add.
This reboots the SSIM appliance, so plan for the interruption.
Step 4: Creating the Active Directory configuration in SSIM
Log in to the SSIM Web-UI and go to Settings -> Active Directory.
Click Create Configuration, fill in the Active Directory Information fields, and click Test Connection.
Make sure the SSIM appliance can resolve the Domain Controller's hostname, and enter the name under which the Domain Controller certificate was issued.
When Test Connection succeeds, supply the remaining information and click Save to create the Active Directory configuration.
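If Test Connection fails, the checks it depends on can be reproduced from any domain-joined machine. The following is an added example and not part of the Symantec article or SSIM itself: it resolves the Domain Controller name, opens a TLS connection, inspects the certificate the Domain Controller presents (the empty-Subject case from Step 1 in particular), and verifies that the certificate chains to the CA certificate exported in Step 2. It assumes PowerShell 3.0 or later, that SSIM uses LDAP over TLS on port 636 (the article does not name the port), and the placeholder names dc01.corp.example.com and C:\Temp\Enterprise-CA.cer.

```powershell
# Added example, not from the Symantec article. Runs on any domain-joined machine with
# PowerShell 3.0 or later. Assumed: SSIM uses LDAP over TLS on port 636 (the article
# does not name the port), and CaCertPath is the DER file exported in Step 2.
function Test-DcLdapsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$DcHost,      # the name you enter in the SSIM configuration
        [Parameter(Mandatory = $true)][string]$CaCertPath,  # DER export of the Enterprise CA certificate
        [int]$Port = 636
    )
    $r = [ordered]@{ DcHost = $DcHost; Resolves = $false; TlsOk = $false; Subject = '';
                     SubjectPresent = $false; NamesDc = $false; ChainsToCa = $false }

    # 1. Name resolution, exactly as the appliance must do it.
    try { $null = [System.Net.Dns]::GetHostAddresses($DcHost); $r.Resolves = $true }
    catch { return [pscustomobject]$r }

    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath

    # 2. TLS handshake, capturing the certificate the DC presents. The callback accepts
    #    anything so the handshake completes; trust is judged explicitly in step 4.
    $script:captured = $null
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:captured = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($DcHost, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $accept
        $ssl.AuthenticateAsClient($DcHost)
        $r.TlsOk = $true
        $ssl.Dispose()
    } catch { return [pscustomobject]$r }
    finally { $tcp.Close() }
    $dc = $script:captured

    # 3. The failure mode from Step 1: an empty Subject. Then check that either the
    #    Subject CN or a SAN DNS entry carries the configured DC name.
    $r.Subject = $dc.Subject
    $r.SubjectPresent = -not [string]::IsNullOrEmpty($dc.Subject)
    $san  = $dc.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
    $name = [regex]::Escape($DcHost)
    $r.NamesDc = ($dc.Subject -match "CN=$name") -or ("$san" -match "DNS Name=$name")

    # 4. Does the DC certificate chain to the exported CA? Revocation is skipped because
    #    this test is about the trust path; the root of the built chain must be the
    #    exported CA itself, not merely some CA the local machine happens to trust.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.ChainPolicy.ExtraStore.Add($ca)
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $built = $chain.Build($dc)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $r.ChainsToCa = $built -and ($root.Thumbprint -eq $ca.Thumbprint)
    return [pscustomobject]$r
}

# Usage (assumed names): every Boolean should be True and Subject must not be empty.
Test-DcLdapsCertificate -DcHost 'dc01.corp.example.com' -CaCertPath 'C:\Temp\Enterprise-CA.cer' | Format-List
```

Read the fields in order: Resolves False means the appliance's DNS setup is the problem, not the certificate; TlsOk False means LDAPS is not answering on the Domain Controller; SubjectPresent False is the template issue from Step 1; NamesDc False means the name typed into the SSIM configuration differs from the name in the certificate; ChainsToCa False means the wrong CA certificate was exported or imported in Steps 2 and 3.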
This example uses a Windows Server 2008 environment, but the same procedure applies to an environment running Windows Server 2003.
The Windows Server 2008 Domain Controller runs Active Directory Domain Services and Active Directory Certificate Services.
The Active Directory Certificate Services role is installed as an Enterprise Root CA. The role does not have to be installed on the Domain Controller; it can be installed on any other server within the Active Directory domain.
For more information on how to set up a Public Key Infrastructure (PKI), review the Microsoft documentation on Active Directory Certificate Services.