Update hello-hybrid-key-trust-prereqs.md

The domain controller certificate requirements in this document are missing SC logon EKU and KDC authentication EKU.
NeoZer01 2019-06-13 09:13:48 -04:00 committed by GitHub
parent 15fb18fb19
commit 8c53f7cb1e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -66,7 +66,7 @@ The minimum required enterprise certificate authority that can be used with Wind
* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name). * Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment. * The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1). * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), Smart Card Logon (1.3.6.1.4.1.311.20.2.2), and KDC Authentication (1.3.6.1.5.2.3.5)
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
* The certificate template must have an extension that has the BMP data value "DomainController". * The certificate template must have an extension that has the BMP data value "DomainController".
* The domain controller certificate must be installed in the local computer's certificate store. * The domain controller certificate must be installed in the local computer's certificate store.
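Review bot: The rewritten Enhanced Key Usage bullet drops the trailing period that the old line and every neighbouring bullet carry; end it with "and KDC Authentication (1.3.6.1.5.2.3.5)." to match. The bullet also keeps "must contain" while growing from two required EKUs to four, and neither the hunk nor the commit message cites where the Smart Card Logon and KDC Authentication requirement comes from, so a reference in the commit message or next to the bullet would let readers confirm that all four are mandatory rather than recommended.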