From 94cd2bde7d93198c9e0170ffa2e91de81c060994 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 5 Apr 2020 11:52:44 +0500 Subject: [PATCH] Update hello-hybrid-key-trust-prereqs.md --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 97c87a6d14..2e296b0040 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -63,7 +63,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object. -The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below. +The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The requirements for the Domain Controller certificate are shown below, more detailed version could be found [here](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca). * The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. * Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name). @@ -71,7 +71,7 @@ The minimum required enterprise certificate authority that can be used with Wind * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5). * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. -* The certificate template must have an extension that has the BMP data value "DomainController". +* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). * The domain controller certificate must be installed in the local computer's certificate store.