@ -25,13 +25,13 @@ ms.reviewer:
- Hybrid Deployment
- Certificate Trust
Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer.
Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer.
All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorities to provide defense-in-depth security for issuing user authentication certificates.
All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
## Certificate Templates
This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority.
This section has you configure certificate templates on your Windows Server 2012 (or later) Active Directory Certificate Services issuing certificate authority.
### Domain Controller certificate template
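Review bot: The hyphenation in the two rewritten paragraphs goes the wrong way. "publicly-issued server authentication certificates" should not take a hyphen (an -ly adverb plus participle is not hyphenated), while "enterprise issued certificates" in the second paragraph is a compound modifier that should read "enterprise-issued certificates". Suggest "publicly issued" and "enterprise-issued". Separately, "authenticate ... to non-Windows Server 2016 domain controllers" is easy to misread as "domain controllers that are not Windows Server 2016"; if the intent is domain controllers running releases older than Windows Server 2016, saying so explicitly would remove the ambiguity.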
@ -39,13 +39,13 @@ Clients need to trust domain controllers and the best way to do this is to ensur
Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD joined devices. The steps below to *Create a Domain Controller Authentication (Kerberos) Certificate Template* and *Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template* to include the **KDC Authentication** OID in the domain controller certificate may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD joined devices to your environment in the future.
By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template as a baseline to create an updated domain controller certificate template.
By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template as a baseline to create an updated domain controller certificate template.
#### Create a Domain Controller Authentication (Kerberos) Certificate Template
Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
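Review bot: The sentence "Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials." just above the numbered steps is left untouched in this hunk, while the identical sentence is corrected to "Sign-in to a certificate authority or management workstation with _Domain Admin_ equivalent credentials." in the Enrollment Agent sections later in this same patch; apply the same fix here so the page stays consistent. Also, the "By default, the Active Directory Certificate Authority provides and publishes..." paragraph is shown as changed, but the old and new text read identically, so the change is whitespace-only; worth confirming that is intended rather than an accidental trailing-space edit.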
@ -66,15 +66,15 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
Many domain controllers may have an existing domain controller certificate. Active Directory Certificate Services provides a default certificate template for domain controllers--the Domain Controller certificate template. Later releases provided a new certificate template--the Domain Controller Authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later).
The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers (2008 or later).
The auto-enrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template.
The auto-enrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate based on the Kerberos Authentication certificate template.
Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
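Review bot: "prior to update of the Kerberos specification" in the rewritten superseding paragraph still lacks an article; suggest "prior to the update of the Kerberos specification". The comma added in "designated for domain controllers, and should be the one you deploy" splits a compound predicate that shares one subject, so it should be dropped. The line "Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials." in this hunk also keeps the grammar error ("Sign-in a ... workstations") that later hunks of this patch fix as "Sign-in to a certificate authority or management workstation"; fix it here too.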
@ -86,31 +86,32 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**.
7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template, and click **OK**.
8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab.
9. Click **OK** and close the **Certificate Templates** console.
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
The certificate template is configured to supersede all the certificate templates listed in the superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
> [!NOTE]
> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
> A domain controller's certificate must chain to a certificate in the NTAuth store in Active Directory. By default, online "Enterprise" Active Directory Certificate Authority certificates are added to the NTAuth store at installation time. If you are using a third-party CA, this is not done by default. If the domain controller certificate does not chain to a trusted CA in the NTAuth store, user authentication will fail.
> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers.
### Enrollment Agent certificate template
Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate life-cycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request, or when the service first starts.
Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
Approximately 60 days prior to the enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew and expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
> [!IMPORTANT]
> Follow the procedures below based on the AD FS service account used in your environment.
> Follow the procedures below based on the AD FS service account used in your environment.
#### Creating an Enrollment Agent certificate for Group Managed Service Accounts
Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
Sign-in to a certificate authority or management workstation with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority Management** console.
1. Open the **Certification Authority Management** console.
2. Right-click **Certificate Templates** and click **Manage**.
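Review bot: The step 7 rewrite only adds a comma and leaves the bold running over the word "dialog" in "**Add Superseded Template dialog**", which is inconsistent with step 6 directly above ("**Add Superseded Template** dialog"); move the closing ** before "dialog". In the added NTAuth note line the tool is spelled both "PKIVIEW.MSC" and "PKIView.msc" within one sentence; pick one form. The new step "Open the **Certification Authority Management** console." also bolds "Management", while every other occurrence in this patch reads "**Certification Authority** management console"; align it. Finally, the "Follow the procedures below based on the AD FS service account used in your environment." line shows as changed but reads identically before and after, so it is a whitespace-only change; confirm that is intended.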
@ -123,7 +124,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
> [!NOTE]
> The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
> The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the _Build from this Active Directory information_ option, which will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with _Supply in the request_ to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
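Review bot: The rewritten note italicizes the UI option names ("_Build from this Active Directory information_", "_Supply in the request_") while step 6 directly above bolds the same option ("**Supply in the request**"), which is the convention used for UI elements everywhere else on this page; use bold in the note as well. Since the note says the step is "very important", it would also help to state the symptom in one clause rather than leaving "which will result in the AD FS server failing to enroll" dangling from the option name, e.g. "GMSAs do not support the **Build from this Active Directory information** option; selecting it causes the AD FS server to fail to enroll the enrollment agent certificate."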
@ -139,9 +140,9 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
#### Creating an Enrollment Agent certificate for typical Service Accounts
Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials.
Sign-in to a certificate authority or management workstation with *Domain Admin* equivalent credentials.
1. Open the **Certificate Authority** management console.
1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
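Review bot: The corrected sign-in sentence keeps the asterisk italics ("*Domain Admin*") while every other occurrence of this sentence in the patch uses underscores ("_Domain Admin_"); since the line is being touched anyway, normalize it to the underscore form used elsewhere so the Markdown source stays uniform.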
@ -163,11 +164,11 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e
### Creating Windows Hello for Business authentication certificate template
During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring.
During Windows Hello for Business provisioning, a Windows 10 client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it.
Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
Sign-in to a certificate authority or management workstation with _Domain Admin equivalent_ credentials.
1. Open the **Certificate Authority** management console.
1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
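Review bot: Two meaning changes in the first rewritten paragraph deserve a second look. Dropping "version 1703" turns a statement about a specific minimum client release into a claim about any Windows 10 client; if the version floor is no longer relevant, say so in the commit message, otherwise keep it. "You set the name of the certificate template when configuring it." also inverts the original point: "You use the name of the certificate template when configuring" means the template name is needed later in the deployment (a later note in this patch tells the reader to remember template names, and the CertUtil note says to substitute the template name in the command), so something like "You will need this template name later in the deployment." preserves the intent. Minor: the sign-in line here puts "equivalent" inside the italics ("_Domain Admin equivalent_"), unlike the "_Domain Admin_ equivalent" form used elsewhere.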
@ -175,10 +176,10 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
5. On the **General** tab, type **WHFB Authentication** or your choice of template name in **Template display name**. Note the short template name for later use with CertUtil. Adjust the validity and renewal period to meet your enterprise's needs.
> [!NOTE]
> If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
> If you use different template names, you'll need to remember and substitute these names in the relevant portions of the deployment.
6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
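Review bot: The rewritten step 5 introduces "short template name", a term that appears nowhere else on the page; the CertUtil note later in this patch calls the same value the "template name" (as distinct from the "template display name"), so use "template name" here as well, and consider naming the **Template name** field on the General tab so the reader knows which of the two values to record. Minor: "type **WHFB Authentication** or your choice of template name in **Template display name**" reads awkwardly; "type **WHFB Authentication** (or a name of your choosing) in **Template display name**" is smoother.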
@ -231,39 +232,39 @@ CertUtil: -dsTemplate command completed successfully."
```
> [!NOTE]
> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
## Publish Templates
### Publish Certificate Templates to a Certificate Authority
The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
The certificate authority only issues certificates for certificate templates which are published by that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
#### Publish Certificate Templates to the Certificate Authority
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
1. Open the **Certification Authority** management console.
2. Expand the parent node from the navigation pane.
3. Click **Certificate Templates** in the navigation pane.
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**.
5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
5. In the **Enable Certificates Templates** window, Ctrl-select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
6. Close the console.
#### Unpublish Superseded Certificate Templates
The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates.
The certificate authority only issues certificates based on published certificate templates. For defense-in-depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes any pre-published certificate templates from the role installation and any superseded certificate templates.
The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
The newly-created Kerberos authentication-based Domain Controller certificate template supersedes any previous domain controller certificate templates. Therefore, you should unpublish these certificate templates from all issuing certificate authorities.
Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
Sign-in to each certificate authority, or a management workstation with _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
1. Open the **Certification Authority** management console.
2. Expand the parent node from the navigation pane.
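Review bot: The rewritten opening sentence of the Publish section changes "published to that certificate authority" to "published by that certificate authority", which is wrong in ADCS terms and contradicts both the heading just above it ("Publish Certificate Templates to a Certificate Authority") and the sentence that follows ("publish the certificate template to all certificate authorities"): templates are published to a CA, not by it. Suggest "The certificate authority only issues certificates for certificate templates that are published to that certificate authority." Other items in this hunk: "newly-created" should not be hyphenated (-ly adverb); "Kerberos authentication-based Domain Controller certificate template" would be clearer as the template's actual name from step 5, "**Domain Controller Authentication (Kerberos)**"; "Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials." is left untouched with the "an ... credentials" agreement error and the plural "workstations"; and in "Sign-in to each certificate authority, or a management workstation with _Enterprise Admin_ equivalent credentials." the comma makes the credentials read as applying only to the workstation, so drop it.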