From 8c53f7cb1ef1aa2fd7477bf367d2620a16ea308d Mon Sep 17 00:00:00 2001 From: NeoZer01 Date: Thu, 13 Jun 2019 09:13:48 -0400 Subject: [PATCH] Update hello-hybrid-key-trust-prereqs.md The domain controller certificate requirements in this document is missing SC logon EKU and KDC authentication EKU. --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 1573d9e947..087f0a84a4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -66,7 +66,7 @@ The minimum required enterprise certificate authority that can be used with Wind * Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name). * The certificate Key Usage section must contain Digital Signature and Key Encipherment. * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. -* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1). +* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), Smart Card Logon (1.3.6.1.4.1.311.20.2.2), and KDC Authentication (1.3.6.1.5.2.3.5) * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. * The certificate template must have an extension that has the BMP data value "DomainController". * The domain controller certificate must be installed in the local computer's certificate store.
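Review bot: the added Enhanced Key Usage bullet drops the terminating period after "KDC Authentication (1.3.6.1.5.2.3.5)", while the line it replaces and every neighbouring bullet in the hunk end with one; please restore it. The same bullet also widens "must contain" from two EKUs to four, and neither the bullet nor the commit message says where the Smart Card Logon and KDC Authentication requirement comes from. A short reference next to the list would let administrators confirm that a domain controller certificate carrying only Client Authentication and Server Authentication has to be reissued.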