From 6b4807437539b15e0a7b0679efd172c8a2b9ffc3 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Mon, 11 Mar 2019 10:42:38 -0600 Subject: [PATCH] Issue #2746 DC Certificate --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 4ddd3e27d4..064b6c491d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -68,13 +68,19 @@ Certificate authorities write CRL distribution points in certificates as they ar #### Why does Windows need to validate the domain controller certifcate? -Windows Hello for Business enforces the strict KDC validation security feature, which enforces a more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: +Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: - The domain controller has the private key for the certificate provided. - The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. +- Use the **Kerberos Authentication certificate template** instead of any other older template. - The domain controller's certificate has the **KDC Authentication** enhanced key usage. - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain. + +> [!Tip] +> If you are using windows server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing/re-issuing the certificate. + + ## Configuring a CRL Distribution Point for an issuing certificate authority Use this set of procedures to update your certificate authority that issues your domain controller certificates to include an http-based CRL distribution point.
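Review bot: the new bullet "Use the **Kerberos Authentication certificate template** instead of any other older template." is an instruction to the administrator, but it is inserted into a list that the preceding sentence introduces as the criteria the Windows 10 client checks ("ensuring all of the following are met"); a client does not verify which template a certificate was issued from, so the list now mixes what the client validates with what the operator must configure. Suggest dropping that bullet from the list and folding the template guidance into the new Tip, which already covers it, e.g. "> Issue the domain controller certificate from the **Kerberos Authentication** certificate template; it is the template that provides the **KDC Authentication** enhanced key usage the client checks for." In the Tip itself, "windows server 2008" should be capitalised as "Windows Server 2008", and the three added blank `+` lines (one after the list, two after the Tip) leave more vertical space than the surrounding sections use; one blank line before the `## Configuring a CRL Distribution Point` heading is enough. While touching this hunk, the context heading still misspells "certifcate" as "certificate" is intended; fixing it here would be a cheap addition to the same change.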