Clients must trust the domain controllers, and the best way to enable the trust is to ensure that each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the enterprise certification authority.

Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. The certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.


Kerberos Authentication Template: Domain Controller Certificates





By default, the Active Directory CA provides and publishes the Kerberos Authentication certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.

The domain controllers may have an existing domain controller certificate. Active Directory Certificate Services provides a default certificate template for domain controllers called Domain Controller. Later releases of Windows Server provided a new certificate template called Domain Controller Authentication. Both of these certificate templates were provided before the update of the Kerberos specification that stated that Key Distribution Centers (KDCs) performing certificate authentication need to include the KDC Authentication extension.

The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.

The autoenrollment feature allows you to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the Kerberos Authentication certificate template.

The domain controller's certificate must chain to a CA in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a CA in the NTAuth store, user authentication will fail. To see all certificates in the NTAuth store, use the following command:

Windows clients communicate with AD FS via HTTPS. To meet this need, a server authentication certificate must be issued to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by the enterprise PKI. A server authentication certificate template must be configured, so the AD FS nodes can request a certificate.

The certificate registration authority (CRA) enrolls for an enrollment agent certificate. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates for certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request.

During Windows Hello for Business provisioning, Windows clients request an authentication certificate from AD FS, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template.

The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue, including the pre-published templates from the role installation and any superseded templates.

The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.

A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.

Domain controllers automatically request a certificate from the Domain Controller certificate template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. For domain controllers to automatically enroll and renew certificates, configure a GPO for automatic certificate enrollment and link it to the Domain Controllers OU.

Certificates superseded by your new domain controller certificate generate an archive event in the event log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.

You can use the Certificate Manager console to validate that the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use certlm.msc to view certificates in the local computer's certificate stores. Expand the Personal store and view the certificates enrolled for the computer. Archived certificates don't appear in Certificate Manager.
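As an added example (not from the original page, and not Microsoft's own tooling), the following PowerShell audit, run elevated on a domain controller, ties together the NTAuth check and the Certificate Manager validation described above: it reads the locally cached NTAuth store, and for each machine certificate with a private key it reports the template, whether the certificate carries the KDC Authentication EKU, and whether its chain passes through a CA that is present in NTAuth. The NTAuth registry cache path, the KDC Authentication EKU OID (1.3.6.1.5.2.3.5) and the template-information extension OID (1.3.6.1.4.1.311.21.7) are assumptions not stated on the page.

```powershell
# Added example: audit a domain controller's certificates against the
# requirements above. Assumes it runs elevated on a DC and that the
# machine has pulled the NTAuth store from AD into its registry cache.

$kdcAuthEku  = '1.3.6.1.5.2.3.5'        # KDC Authentication EKU (assumption)
$templateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information, v2+ templates (assumption)
$ntAuthCache = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'  # assumption

# Subkeys of the cache are named by the SHA-1 thumbprint of each NTAuth CA certificate.
$ntAuthThumbs = @(Get-ChildItem $ntAuthCache -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })
Write-Host "NTAuth CA certificates cached locally: $($ntAuthThumbs.Count)"

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }) {
    # Enhanced Key Usage (2.5.29.37) is surfaced by .NET as a typed extension object.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # v1 templates (Domain Controller) have no template-information extension.
    $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(v1 template or no template info)' }

    # Build the chain with the machine's trust stores, then see whether any CA in
    # that chain is one the domain lists in NTAuth.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainBuilt = $chain.Build($cert)
    $chainThumbs = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
    $viaNtAuth = @($chainThumbs | Where-Object { $ntAuthThumbs -contains $_ }).Count -gt 0

    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        Template     = $template
        HasKdcAuth   = ($ekus -contains $kdcAuthEku)
        ChainBuilt   = $chainBuilt
        ChainInNTAuth = $viaNtAuth
    }
}
```

A domain controller ready for the Kerberos Authentication template shows at least one row with HasKdcAuth and ChainInNTAuth both True; rows with HasKdcAuth False are candidates for the superseded Domain Controller or Domain Controller Authentication templates.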

There are really three deployment scenarios. Depending on your environment, you could use all three if some of your domain controllers have other certificates installed that you need to keep using. They are: autoenrollment using certificate-template-supplied names, custom SANs with automatic renewal, and manual deployment of certificates to the NTDS store.

Step 8: Enable the settings "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates".

So, if you are happy with the SANs that the Kerberos Authentication template provides, and you do not have Server Authentication certificates on any of your domain controllers, then congratulations: you get to use the easiest option, which is deploying the Kerberos Authentication certificate template with autoenrollment.

So I have ADCS deployed in my environment and my DCs have certificates for both the Domain Controller Authentication template and the Kerberos Authentication template. From what I am able to find it appears that the Kerberos Authentication certificate should be the only one necessary and should be configured to supersede the Domain Controller Authentication template. Is that correct? Is there any harm in "consolidating" to just the Kerberos Authentication template?

As per this question, I have an environment where certificates based on the "Kerberos Authentication" template cannot be issued (there are remote sites without direct connectivity to the CA, certificate enrollment uses CEP/CES, but the Kerberos Authentication template requires the CA to connect back to the requesting DC; full details in the linked question).

While many Active Directory environments use the default settings from 2003, other environments have adapted to enable new functionality, like Windows Hello for Business. To do so, the default Domain Controllers certificates and certificate templates need to be replaced, as they do not fulfill all of the requirements set out for them.

The Domain Controller certificate template is a v1 template. It cannot be modified. The Domain Controller authentication certificate template is a v2 template. It can be modified, but does not support the new Microsoft Cryptographic API (CAPI) with the latest encryption and hashing algorithms. The Kerberos Authentication certificate is a v3 template. Unlike the v2 template, v3 templates and beyond can use the latest cryptographic abilities.

The certificate templates that are superseded by the new certificate template are hard-coded for a Domain Controller to autoenroll. The enrollment for these certificates occurs, despite the lack of an autoenrollment policy. However, to have new certificate templates autoenroll, an autoenrollment policy needs to be created using Group Policy.

To issue the necessary certificates for Windows Hello for Business, all Domain Controllers that request the new certificate template need to run Windows Server 2016, or a newer version of Windows Server.

Did you manage to test this configuration? We are currently deploying FAS for SAML auth, but we have created a new CA for the certificate authentication of sessions. Our domain controllers have certificates issued by a different CA. However, both CAs are signed by the same offline root.

When you install a Windows 2008 Certification Authority, a new domain controller certificate template named Kerberos Authentication is available. It replaces the Domain Controller Authentication template. If you need more information about the new certificate templates shipped with a Windows 2008 CA, you can read this article.

Once the template is properly configured and ready for autoenrollment, the new certificates are deployed automatically; you can run the certutil -pulse command on the domain controllers to speed up the autoenrollment process.

Once all your domain controllers have enrolled the new Kerberos Authentication certificates and you have checked that everything is running properly, you can disable the old Domain Controller Authentication template with certsrv.msc in order to avoid installing this kind of certificate on a domain controller.
