From 7ba35480216c631cbcebf73d465006ba658c04e7 Mon Sep 17 00:00:00 2001 From: Steven Hosking Date: Tue, 8 Sep 2020 11:01:27 +1000 Subject: [PATCH] Updated the Domain Controller requirements: added minimum hash, and public key. --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 8df0ef33bb..4c672e4433 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -76,10 +76,12 @@ Certificate authorities write CRL distribution points in certificates as they ar Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: - The domain controller has the private key for the certificate provided. -- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. +- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. - Use the **Kerberos Authentication certificate template** instead of any other older template. - The domain controller's certificate has the **KDC Authentication** enhanced key usage. - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain. +- The domain controller's certificate's signature hash algorithm is **sha256**. +- The domain controller's certificate's public key is **RSA (2048 Bits)**. > [!Tip]