From 3b7d2c9401e71dc96e843576d661d86d59de3e8f Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Tue, 22 Aug 2017 11:33:07 -0700 Subject: [PATCH] content changes --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 6114139e30..c41303b9ee 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -33,7 +33,7 @@ This section has you configure certificate templates on your Windows Server 2012 ### Domain Controller certificate template -Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. +Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority. Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.