Strata Copilot
    Next-Gen Trust Security
    : Setting Microsoft AD CS permissions
    Focus
    Focus
    1. Home
    2. Next‑Gen Trust Security
    3. Next-Gen Trust Security
    4. Next-Gen Trust Security overview
    5. Overview: certificate issuance
    6. Adding a certificate authority
    7. Add Microsoft AD CS
    8. Setting Microsoft AD CS permissions

    Next-Gen Trust Security

    Setting Microsoft AD CS permissions

    Table of Contents

    Setting Microsoft AD CS permissions

    Next-Gen Trust Security can manage certificates issued by Microsoft Active Directory Service (AD CS) if you configure AD CS to connect to Next-Gen Trust Security.
    When setting up AD CS with Next-Gen Trust Security, it is essential to use the appropriate Service Account or User Account with the necessary permissions to ensure a smooth and secure connection.
    This topic walks you through how to set up your Microsoft AD CS account so that it can integrate with Next-Gen Trust Security. Go through these steps prior to setting up the AD CS certificate authority in Next-Gen Trust Security.

    Service Account Requirements

    To connect Microsoft AD CS to Next-Gen Trust Security, you must use a Service Account with the following permissions:
    • Read - Necessary for the Service Account to access CA configuration and certificate information, ensuring it can perform its duties correctly.
    • Log on as a service - Required because the certificate service (VSatellite Worker, which is the bridge that allows VSatellite to interact with AD CS) runs as a background service. Without this right, the Service Account cannot start the service, leading to failures in certificate issuance and management.
    • Issue and Manage Certificates - Allows the Service Account to issue, revoke, and manage certificates, which is essential for maintaining the CA and its operations.
    • Request Certificates - Allows the Service Account to request new certificates, a fundamental function in certificate management.

    Set AD CS permissions

    Following these steps will allow Next-Gen Trust Security to enroll certificates for any template that does not require a signature and to which its group has been given Enroll permissions.
    1. Create an Active Directory group.
    2. Create an Active Directory user account to use when enrolling with Microsoft AD CS.
    Info About the term user account: In this context, a user account is synonymous with service account. In Windows, a service account is just a user account that represents an application rather than a person.
    1. Add this user to the group you created.
    2. Using the Certification Authority MMC snap-in, right-click on the CA name and select Properties. On the Security tab, add the group and grant it Read, Log on as a service, Issue and Manage Certificates and Request Certificates permissions.
    Info: If you're not familiar with using MMC snap-ins, see Adding an MMC Snap-in below.
    1. Using the Certificate Templates MMC snap-in, right-click on a template that Next-Gen Trust Security will enroll and select Properties. On the Security tab, grant the group Read and Enroll permissions. Repeat this step for all templates that this group will enroll.
    2. Create a Microsoft AD CS Certificate Authority in Next-Gen Trust Security. Next-Gen Trust Security will automatically test that the used group can enroll certificates for the specified templates.

    What's Next

    You're now ready to set up an AD CS certificate authority in Next-Gen Trust Security. Have the following AD CS information ready before you begin:
    • IP or hostname of your Microsoft AD CS server
    • Username and password for the AD CS account you set up in these steps
    • Microsoft AD CS Issuing Certificate Common Name

    Where can I find the Common Name?

    There are two ways to obtain the Common Name of the Issuing Certificate:
    • Open the Issuing Certificate, go to the Details Tab and check the CN value for Issuer.
    • From the Certification Authority MMC snap-in, expand the root node, and the name of the CA itself is the CN of the Issuing Certificate. In the example below, the CN is VaasQATestCA.

    Adding an MMC Snap-in

    If you're unfamiliar with how view the MMC snap-ins referenced in the steps above, follow these steps.
    1. On your Windows server, select Run from the Start menu, and then enter mmc. The MMC opens.
    2. From the File menu, select Add/Remove Snap-in. The Add or Remove Snap-ins window opens.
    3. From the Available snap-ins list on the left, select the snap-in that you want to add, and then click Add.
    4. For the Certificate Authority MMC snap-in, select the computer you want the snap-in to manage. If you're performing these steps from your AD CS server, click Local Computer. Otherwise, select Another Computer and specify your AD CS server.
    5. Click Finish, and then click OK.

    © 2026 Palo Alto Networks, Inc. All rights reserved.