From 6b4807437539b15e0a7b0679efd172c8a2b9ffc3 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Mon, 11 Mar 2019 10:42:38 -0600 Subject: [PATCH 1/5] Issue #2746 DC Certificate --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 4ddd3e27d4..064b6c491d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -68,13 +68,19 @@ Certificate authorities write CRL distribution points in certificates as they ar #### Why does Windows need to validate the domain controller certifcate? -Windows Hello for Business enforces the strict KDC validation security feature, which enforces a more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: +Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: - The domain controller has the private key for the certificate provided. - The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. +- Use the **Kerberos Authentication certificate template** instead of any other older template. - The domain controller's certificate has the **KDC Authentication** enhanced key usage. - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain. + +> [!Tip] +> If you are using windows server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing/re-issuing the certificate. + + ## Configuring a CRL Distribution Point for an issuing certificate authority Use this set of procedures to update your certificate authority that issues your domain controller certificates to include an http-based CRL distribution point. From f89786f02a137f19ec86a77859527940a8bd39db Mon Sep 17 00:00:00 2001 From: TokyoScarab Date: Mon, 11 Mar 2019 12:07:17 -0600 Subject: [PATCH 2/5] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-Authored-By: j0rt3g4 --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 064b6c491d..3f8546ed0e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -78,7 +78,7 @@ Windows Hello for Business enforces the strict KDC validation security feature, > [!Tip] -> If you are using windows server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing/re-issuing the certificate. +> If you are using Windows Server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing or re-issuing the certificate. ## Configuring a CRL Distribution Point for an issuing certificate authority From 72c7f7416995837e2ee53b722150a0a6aa5a94d0 Mon Sep 17 00:00:00 2001 From: Joyce Y <47188252+mypil@users.noreply.github.com> Date: Mon, 11 Mar 2019 13:09:14 -0600 Subject: [PATCH 3/5] Apply suggestions from code review done Co-Authored-By: j0rt3g4 --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 3f8546ed0e..a006babc6d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -66,7 +66,7 @@ If you are interested in configuring your environment to use the Windows Hello f Certificate authorities write CRL distribution points in certificates as they are issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD joined devices authenticating to Active Directory -#### Why does Windows need to validate the domain controller certifcate? +#### Why does Windows need to validate the domain controller certificate? Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: From 21798759651cbb2b5f2b51138c05c7f7408aaa20 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 11 Mar 2019 14:15:34 -0600 Subject: [PATCH 4/5] Changing some typos --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index a006babc6d..6b2ff4bb41 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -170,7 +170,7 @@ These procedures configure NTFS and share permissions on the web server to allow 9. Click **Close** in the **cdp Properties** dialog box. -### Configure the new CRL distribution point and Publishing location in the issuing certifcate authority +### Configure the new CRL distribution point and Publishing location in the issuing certifiate authority The web server is ready to host the CRL distribution point. Now, configure the issuing certificate authority to publish the CRL at the new location and to include the new CRL distribution point From f183f71e1ada98945592404c1d3a1c8f3dc1a062 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 11 Mar 2019 14:16:45 -0600 Subject: [PATCH 5/5] Fixed another typo --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 6b2ff4bb41..d231dc9a9c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -170,7 +170,7 @@ These procedures configure NTFS and share permissions on the web server to allow 9. Click **Close** in the **cdp Properties** dialog box. -### Configure the new CRL distribution point and Publishing location in the issuing certifiate authority +### Configure the new CRL distribution point and Publishing location in the issuing certificate authority The web server is ready to host the CRL distribution point. Now, configure the issuing certificate authority to publish the CRL at the new location and to include the new CRL distribution point