Paolo Matarazzo 2022-12-12 08:55:48 -05:00
parent 1872d46ff6
commit 066958a306
2 changed files with 42 additions and 44 deletions

View File

@ -12,7 +12,7 @@ ms.topic: tutorial
Key trust deployments need an adequate number of domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md) and the [Planning an adequate number of Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest.
The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema.
## Create the Windows Hello for Business Users security group
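Review bot: dropping the second sentence of the schema paragraph ("The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest.") removes the only explanation of how the Windows Server 2016 schema requirement is met, so the rewritten line states a prerequisite with no way for the reader to satisfy or verify it. If the sentence was removed because it is not accurate for every deployment, replace it with a short instruction on confirming the forest schema version rather than deleting it outright.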

View File

@ -12,7 +12,7 @@ ms.topic: tutorial
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients, to ensure they are not communicating with a rogue domain controller.
## Deploy an enterprise certificate authority
## Deploy an enterprise certification authority
This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role.
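Review bot: renaming the heading from "Deploy an enterprise certificate authority" to "Deploy an enterprise certification authority" changes the generated anchor, so any existing link to the old heading anchor elsewhere in the docset will break; search for the old anchor and update it in the same commit. The terminology change itself is correct (the role and console are named "Certification Authority"), and the sentence immediately above the heading about the rogue domain controller is left intact.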
@ -20,17 +20,17 @@ This guide assumes most enterprises have an existing public key infrastructure.
The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**.
Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certificate authority installed.
Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority installed.
>[!NOTE]
>Never install a certificate authority on a domain controller in a production environment.
>Never install a certification authority on a domain controller in a production environment.
1. Open an elevated Windows PowerShell prompt
1. Use the following command to install the Active Directory Certificate Services role.
```PowerShell
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
```
3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration
3. Use the following command to configure the certification authority using a basic certification authority configuration
```PowerShell
Install-AdcsCertificationAuthority
```
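Review bot: the step list in this hunk is numbered 1, 1, 3 (both "Use the following command" steps keep "1." while the configure step keeps "3."), which renders inconsistently; use "1." for every step as the rest of the page does. Two smaller points on the commands themselves: `Add-WindowsFeature` is only an alias of `Install-WindowsFeature`, so the current name is preferable in a tutorial, and `Install-AdcsCertificationAuthority` with no parameters prompts for confirmation, so a reader copying the line into a lab gets an interactive prompt rather than the "basic certification authority configuration" the text promises; passing `-CAType EnterpriseRootCa` (and `-Force` if the prompt is unwanted) would make the lab step deterministic.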
@ -41,39 +41,37 @@ If you do have an existing PKI, review [Certification Authority Guidance](/previ
### Configure Domain Controller Certificates
Clients must to trust the domain controllers, and the way to do this is to ensure each domain controller has a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the enterprise certificate authority.
Clients must to trust the domain controllers, and the way to do this is to ensure each domain controller has a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the enterprise certification authority.
Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the *KDC Authentication* object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template.
Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certification authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the *KDC Authentication* object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template.
By default, the Active Directory certificate authority provides and publishes the *Kerberos Authentication* certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the *Kerberos Authentication* certificate template as a *baseline* to create an updated domain controller certificate template.
By default, the Active Directory certification authority provides and publishes the *Kerberos Authentication* certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the *Kerberos Authentication* certificate template as a *baseline* to create an updated domain controller certificate template.
Sign in to a certificate authority or management workstations with *Domain Admintistrator* equivalent credentials.
Sign in to a certification authority or management workstations with *Domain Admintistrator* equivalent credentials.
1. Open the **Certificate Authority** management console
1. Open the **Certification Authority** management console
1. Right-click **Certificate Templates > Manage**
1. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and select **Duplicate Template**
1. On the **Compatibility** tab:
- Clear the **Show resulting changes** check box
- Select **Windows Server 2008 R2** from the **Certification Authority** list
- Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list
- Clear the **Show resulting changes** check box
- Select **Windows Server 2016** from the **Certification Authority** list
- Select **Windows 10 / Windows Server 2016** from the **Certification Recipient** list
1. On the **General** tab
- Type *Domain Controller Authentication (Kerberos)* in Template display name
- Adjust the validity and renewal period to meet your enterprise's needs
> [!NOTE]
> If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
- Type *Domain Controller Authentication (Kerberos)* in Template display name
- Adjust the validity and renewal period to meet your enterprise's needs
> [!NOTE]
> If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
1. On the **Subject Name** tab:
- Select the **Build from this Active Directory information** button if it is not already selected
- Select **None** from the **Subject name format** list
- Select **DNS name** from the **Include this information in alternate subject** list
- Clear all other items
- Select the **Build from this Active Directory information** button if it is not already selected
- Select **None** from the **Subject name format** list
- Select **DNS name** from the **Include this information in alternate subject** list
- Clear all other items
1. On the **Cryptography** tab:
- select **Key Storage Provider** from the **Provider Category** list
- Select **RSA** from the **Algorithm name** list
- Type *2048* in the **Minimum key size** text box
- Select **SHA256** from the **Request hash** list
1. Select **OK**
- select **Key Storage Provider** from the **Provider Category** list
- Select **RSA** from the **Algorithm name** list
- Type *2048* in the **Minimum key size** text box
- Select **SHA256** from the **Request hash** list
1. Select **OK**
1. Close the console
### Supersede the existing domain controller certificate
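Review bot: two typos survive the rewrite in both the old and the new lines, "Clients must to trust the domain controllers" and "*Domain Admintistrator* equivalent credentials"; since these lines are being touched anyway, fix them here. Separately, the Compatibility tab change from **Windows Server 2008 R2** / **Windows 7.Server 2008 R2** to **Windows Server 2016** / **Windows 10 / Windows Server 2016** raises the template's minimum certification authority and recipient versions, which is a behavior change (an older issuing CA or domain controller will no longer see or enroll for the template), not a terminology fix; call that out in the text or in the commit message. Minor: "select **Key Storage Provider**" still starts lowercase unlike its sibling bullets.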
@ -83,27 +81,27 @@ The domain controllers may have an existing domain controller certificate. The A
The *Kerberos Authentication* certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.\
The *autoenrollment* feature allows to easily replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the *Kerberos Authentication* certificate template.
Sign in to a certificate authority or management workstations with *Enterprise Administrator* equivalent credentials
Sign in to a certification authority or management workstations with *Enterprise Administrator* equivalent credentials
1. Open the **Certificate Authority** management console
1. Open the **Certification Authority** management console
1. Right-click **Certificate Templates > Manage**
1. In the **Certificate Template Console**, right-click the *Domain Controller Authentication (Kerberos)* (or the name of the certificate template you created in the previous section) template in the details pane and select **Properties**
1. Select the **Superseded Templates** tab. Select **Add**
1. From the **Add Superseded Template** dialog, select the *Domain Controller* certificate template and select **OK > Add**
1. From the **Add Superseded Template** dialog, select the *Domain Controller Authentication* certificate template and select **OK**
1. From the **Add Superseded Template dialog**, select the *Kerberos Authentication* certificate template and select **OK**
1. From the **Add Superseded Template** dialog, select the *Kerberos Authentication* certificate template and select **OK**
1. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab
1. Select **OK** and close the **Certificate Templates** console
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until the certificate template is published to one or more certificate authorities.
### Configure an Internal Web Server Certificate template
Windows clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
Sign in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
Sign in to a certification authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
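Review bot: "The *autoenrollment* feature allows to easily replace the domain controller certificates" is still ungrammatical after the edit ("allows you to replace"), and the trailing backslash on the line before it forces a hard line break that no other paragraph on the page uses. The privilege wording is also inconsistent across the rewritten sign-in lines: this hunk uses "*Enterprise Administrator* equivalent" and "_Domain Admin_ equivalent" while the sections above use "Domain Administrator"; pick one form. The closing paragraph was changed from "until you publish" to "until the certificate template is published", but the same sentence still says "one or more certificate authorities", which the rest of the commit renames to "certification authorities". The superseded-templates list itself is consistent with the later unpublish section (Domain Controller, Domain Controller Authentication, Kerberos Authentication).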
@ -128,13 +126,13 @@ Sign in to a certificate authority or management workstations with _Domain Admin
### Unpublish Superseded Certificate Templates
The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates.
The certification authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certification authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates.
The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
Sign in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
Sign in to the certification authority or management workstation with _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
1. Open the **Certification Authority** management console.
2. Expand the parent node from the navigation pane.
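Review bot: this section still uses explicit "2." numbering and "click" wording ("2. Expand the parent node from the navigation pane.") while the sections rewritten above use "1." for every step and "Select"; since the hunk already touches the adjacent lines, normalize the list style here too. The heading "### Unpublish Superseded Certificate Templates" is also Title Case while the page's other changed headings ("## Deploy an enterprise certification authority") are sentence case.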
@ -144,13 +142,13 @@ Sign in to the certificate authority or management workstation with _Enterprise
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
### Publish Certificate Templates to the Certificate Authority
### Publish Certificate Templates to the certification authority
The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
The certification authority may only issue certificates for certificate templates that are published to that certification authority. If you have more than one certification authority and you want that certification authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
Sign in to the certificate authority or management workstations with **Enterprise Admin** equivalent credentials.
Sign in to the certification authority or management workstations with **Enterprise Admin** equivalent credentials.
1. Open the **Certificate Authority** management console.
1. Open the **Certification Authority** management console.
2. Expand the parent node from the navigation pane.
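Review bot: the heading now reads "### Publish Certificate Templates to the certification authority", a mechanical replacement that leaves Title Case words beside a lowercased phrase; either "Publish certificate templates to the certification authority" (sentence case, matching "Deploy an enterprise certification authority") or Title Case throughout. In the body paragraph the last clause still says "publish the certificate template to all certificate authorities" after every singular occurrence in the sentence was changed; the plural should change as well.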
@ -158,11 +156,11 @@ Sign in to the certificate authority or management workstations with **Enterpris
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certification authority.
6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list.
\* To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation.
\* To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the certification authority console and select **Delete**. Click **Yes** to confirm the operation.
7. Close the console.
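Review bot: the dialog name on the changed line is "Enable Certificates Templates"; the dialog is "Enable Certificate Templates", and the typo survives the edit. On the unpublish line, "the certification authority console" lowercases what the rest of the page treats as the console's name ("**Certification Authority** management console"), so keep it capitalized there, and the escaped "\*" should be a proper list item or plain text rather than a literal asterisk. Step 6 also repeats the procedure from the "Unpublish Superseded Certificate Templates" section above; a cross-reference would avoid maintaining it twice.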
@ -234,7 +232,7 @@ Windows triggers automatic certificate enrollment for the computer during boot,
Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt.
Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions.
Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions.
> [!div class="nextstepaction"]
> [Next: prepare and deploy AD FS >](hello-key-trust-adfs.md)
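Review bot: "publishing certificate templates to issuing certification authority" is missing an article ("to the issuing certification authority"), and "monitor certificate enrollment and archive" reads as if "archive" were a second thing to monitor; if key archival is meant, say so, otherwise drop the word. On the trigger command `certreq -autoenroll -q`, it is worth confirming whether the computer certificate this page is about needs the machine context (`certreq -machine -autoenroll -q`), since an elevated prompt alone does not change the enrollment context; the text should say which context the command runs in.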