From 8f5b09d2bb617d362443c7fc94c4b76d0bdd4175 Mon Sep 17 00:00:00 2001 From: mapalko Date: Wed, 17 Mar 2021 09:40:04 -0700 Subject: [PATCH 1/3] Fixing note on NTAuth store The NTauth store note should be updated to match the note here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki --- .../hello-for-business/hello-hybrid-key-whfb-settings-pki.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index c05de0195e..44b43a3491 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -81,7 +81,8 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. > [!NOTE] -> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. +> A domain controller's certificate must chain to a certificate in the NTAuth store in Active Directory. By default, online "Enterprise" Active Directory Certificate Authority certificates are added to the NTAuth store at installation time. If you are using a third-party CA, this is not done by default. If the domain controller certificate does not chain to a trusted CA in the NTAuth store, user authentication will fail. +> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers. ### Publish Certificate Templates to a Certificate Authority From 636168271d3ea07ce79680aeb01bab57074fefb1 Mon Sep 17 00:00:00 2001 From: mapalko Date: Wed, 24 Mar 2021 17:29:18 -0700 Subject: [PATCH 2/3] Update hello-hybrid-key-whfb-settings-pki.md --- .../hello-hybrid-key-whfb-settings-pki.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index f087afb078..c246964c99 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -82,11 +82,7 @@ The certificate template is configured to supersede all the certificate template > [!NOTE] > A domain controller's certificate must chain to a certificate in the NTAuth store in Active Directory. By default, online "Enterprise" Active Directory Certificate Authority certificates are added to the NTAuth store at installation time. If you are using a third-party CA, this is not done by default. If the domain controller certificate does not chain to a trusted CA in the NTAuth store, user authentication will fail. -> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers. The following PowerShell command can be used to check all certificates in the NTAuth store: -> ->```powershell ->Certutil -viewstore -enterprise NTAuth ->``` +> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers. To see all certificates in the NTAuth store run **Certutil -viewstore -enterprise NTAuth** ### Publish Certificate Templates to a Certificate Authority From 7a49a840784f482b5adb5ed602a7cd19e0510e19 Mon Sep 17 00:00:00 2001 From: Kateyanne <67609554+Kateyanne@users.noreply.github.com> Date: Thu, 25 Mar 2021 09:01:02 -0700 Subject: [PATCH 3/3] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index c246964c99..f69acb002a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -82,7 +82,7 @@ The certificate template is configured to supersede all the certificate template > [!NOTE] > A domain controller's certificate must chain to a certificate in the NTAuth store in Active Directory. By default, online "Enterprise" Active Directory Certificate Authority certificates are added to the NTAuth store at installation time. If you are using a third-party CA, this is not done by default. If the domain controller certificate does not chain to a trusted CA in the NTAuth store, user authentication will fail. -> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers. To see all certificates in the NTAuth store run **Certutil -viewstore -enterprise NTAuth** +> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers. To see all certificates in the NTAuth store, run **Certutil -viewstore -enterprise NTAuth** from the command-line interface (Cmd.exe). ### Publish Certificate Templates to a Certificate Authority