From 6ebb5527816f1610a68db624b7dcdf9471520d19 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 9 Jan 2021 19:23:07 +0500 Subject: [PATCH 1/4] Update in the note section As pointed by the user, the note section of the document has been updated to reflect the correct information regarding NTAuth. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8709 --- .../hello-hybrid-key-whfb-settings-pki.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 87b70bbd2c..f4f7a6860f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md 
@@ -81,7 +81,13 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. > [!NOTE] -> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. +> The CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail. + +To check the NTAuth certificate, you can use the below powershell command + +```powershell +Certutil -viewstore -enterprise NTAuth +``` ### Publish Certificate Templates to a Certificate Authority From 545a69ee3fd407ff7cede0114ffc8328f11e3c12 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 9 Jan 2021 19:32:52 +0500 Subject: [PATCH 2/4] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index f4f7a6860f..614cd3be6f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -83,7 +83,7 @@ The certificate template is configured to supersede all the certificate template > [!NOTE] > The CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail. -To check the NTAuth certificate, you can use the below powershell command +The following PowerShell command can be used to check the NTAuth certificate: ```powershell Certutil -viewstore -enterprise NTAuth From a2f324116bab5d0c9c204299a1ac142f17b891a8 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 19 Feb 2021 10:41:52 +0500 Subject: [PATCH 3/4] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md Co-authored-by: mapalko --- .../hello-for-business/hello-hybrid-key-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 614cd3be6f..b00b4cc551 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -81,7 +81,7 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. > [!NOTE] -> The CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail. +> The certificate for the CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail. The following PowerShell command can be used to check the NTAuth certificate: From cec0159439a48c31b76f9ccbd3b97ff3ec28ae25 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 19 Feb 2021 10:42:12 +0500 Subject: [PATCH 4/4] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md Co-authored-by: mapalko --- .../hello-for-business/hello-hybrid-key-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index b00b4cc551..9773a3fe79 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -83,7 +83,7 @@ The certificate template is configured to supersede all the certificate template > [!NOTE] > The certificate for the CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail. -The following PowerShell command can be used to check the NTAuth certificate: +The following PowerShell command can be used to check all certificates in the NTAuth store: ```powershell Certutil -viewstore -enterprise NTAuth
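Review bot: In the PATCH 1/4 hunk, the new NOTE sentence "If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store" is ambiguous, because a leaf certificate only ever chains directly to its issuer; the condition the rest of the paragraph describes is that the issuing CA's certificate is absent from the store. Suggest "If the certificate of the CA that issued the domain controller certificate is not in the NTAuth store, user authentication will fail." In the same hunk, `Certutil -viewstore -enterprise NTAuth` opens an interactive certificate dialog, so it is of no use in a script or a remote session; for a text listing the reader can copy into a ticket, suggest `certutil -enterprise -store NTAuth` instead of or alongside it.

Review bot: In the PATCH 2/4 hunk, the reworded lead-in "The following PowerShell command" mislabels the tool: certutil.exe is a stand-alone utility that runs identically from cmd.exe, and nothing in the snippet is PowerShell syntax. Suggest "The following command" (the `powershell` fence tag can stay, since the command works there too), and lowercase `certutil` to match how the tool is named elsewhere in these docs.

Review bot: In the PATCH 3/4 hunk, the rewritten NOTE now capitalizes "Domain Controller certificate" while the first sentence of the same paragraph uses "domain controller certificate"; pick the lowercase form used across the Hello for Business docs. The change itself ("The certificate for the CA issuing...") is the right correction: it is the CA certificate, not the CA, that has to be present in the store.

Review bot: In the PATCH 4/4 hunk, "check all certificates in the NTAuth store" describes what the command displays but not what the reader is supposed to verify; since the NOTE above it states the requirement, suggest adding the expected result to the lead-in, for example "and confirm that the certificate of the CA issuing the domain controller certificate is listed."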