While going through the Release Notes for the Windows Server Technical Preview and the Release Notes for Windows 10, I noticed something quite interesting:
If you join a computer with Trusted Platform Management (TPM) enabled to a domain in which there are no domain controllers running at least Windows Server 2012, computer authentication and those services running under Local, Network, or Virtual permissions will fail.
To correct this, on the computer you want to join to the domain, create a new registry key with DWORD value DevicePKInitEnabled under HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters. Set this key to 0 and then restart the computer.
So what’s going on here?
One of the new features in the next versions of Windows and Windows Server is support for device authentication using certificates. This feature requires connectivity to a Domain Controller in the device account's domain that supports certificate authentication for computer accounts.
The DevicePKInitEnabled registry value controls whether Kerberos attempts to authenticate the device to the domain using the device's certificate. By default (when the value is absent), the device attempts to authenticate using its certificate.
Since pre-Windows Server 2012 Domain Controllers do not support computer account authentication using certificates, authentication fails, the NTSTATUS value 0xC00002F9 (STATUS_PKINIT_NAME_MISMATCH) is logged, and you may receive the error "The client certificate does not contain a valid UPN, or does not match the client name in the logon request. Please contact your administrator." when you start a Windows 10 Technical Preview or Windows Server Technical Preview-based virtual machine.
Using the registry
The solution is to create a new DWORD value named DevicePKInitEnabled under HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters, set it to 0 and then restart the computer.
Using a script
Editing the Windows registry by hand is error-prone, so alternatively you can run the following command from an elevated command prompt (the /f switch suppresses the overwrite prompt if the value already exists):
Reg add HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v DevicePKInitEnabled /t REG_DWORD /d 0 /f
Using Group Policy
Alternatively, you can correct this behavior using Group Policy. Windows 10 Technical Preview and Windows Server Technical Preview both support a new Group Policy setting named Support device authentication using certificate under Computer Configuration, Administrative Templates, System, Kerberos:
When this Group Policy setting is Not Configured, devices in scope for the Group Policy will attempt to authenticate using their certificate (the default behavior).
When you enable this Group Policy setting and leave Device authentication behavior using certificate: at Automatic, the DevicePKInitEnabled DWORD value is created (if not already present) with a value of 1 on devices running Windows 10 Technical Preview (and up) and Windows Server Technical Preview (and up). When you change Device authentication behavior using certificate: to Force, the value is created (if not already present) with a value of 2 instead.
When you disable this Group Policy setting, the DevicePKInitEnabled DWORD value is created (if not already present) with a value of 0 on those devices, which is exactly what the registry workaround above achieves.
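The following PowerShell script is an added example for the script and Group Policy sections above; it is not code from the original post or from Microsoft. It decodes the current DevicePKInitEnabled value using the 0/1/2 mapping described for the Group Policy setting, checks whether any Domain Controller in the device's domain runs Windows Server 2012 or later (assumption: the ActiveDirectory RSAT module is installed and the OperatingSystemVersion attribute reported by Get-ADDomainController begins with the NT version number, so 6.2 corresponds to Windows Server 2012), and only applies the workaround when no such Domain Controller exists. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post). Requires elevation and the ActiveDirectory module.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName  = 'DevicePKInitEnabled'

function Get-DevicePKInitSetting {
    # Translate the registry value into the names used by the Group Policy setting.
    $item = Get-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'Not set (device will attempt certificate authentication)'
    }
    switch ([int]$item.$ValueName) {
        0       { return 'Disabled (policy Disabled / manual workaround)' }
        1       { return 'Automatic (policy Enabled, Automatic)' }
        2       { return 'Force (policy Enabled, Force)' }
        default { return "Unknown value $($item.$ValueName)" }
    }
}

function Test-DomainSupportsDevicePKInit {
    # True when at least one DC runs Windows Server 2012 (NT 6.2) or later.
    # Assumption: OperatingSystemVersion looks like "6.3 (9600)".
    $dcs = Get-ADDomainController -Filter * -ErrorAction Stop
    foreach ($dc in $dcs) {
        $ntVersion = [version]($dc.OperatingSystemVersion -split ' ')[0]
        if ($ntVersion -ge [version]'6.2') {
            return $true
        }
    }
    return $false
}

function Disable-DevicePKInit {
    # Equivalent of: Reg add ...\Kerberos\Parameters /v DevicePKInitEnabled /t REG_DWORD /d 0 /f
    if (-not (Test-Path $KerbParams)) {
        New-Item -Path $KerbParams -Force | Out-Null
    }
    New-ItemProperty -Path $KerbParams -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

Write-Host "Current setting: $(Get-DevicePKInitSetting)"

if (Test-DomainSupportsDevicePKInit) {
    Write-Host 'A Domain Controller running Windows Server 2012 or later was found; no workaround needed.'
} else {
    Write-Host 'No Domain Controller running Windows Server 2012 or later; disabling device PKINIT.'
    Disable-DevicePKInit
    Write-Host "New setting: $(Get-DevicePKInitSetting). Restart the computer to apply."
}
```

Because the check runs against Active Directory before touching the registry, the script can be re-run safely after a Domain Controller upgrade: it will then report that the workaround is no longer needed, and you can remove the value (or set the Group Policy back to Not Configured) so the device starts using certificate authentication again.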
The other way around
Of course, you could also fix this issue by upgrading at least one Domain Controller to Windows Server 2012 or later in the Active Directory domain where the device account resides. Once you have, remove the DevicePKInitEnabled value (or set the Group Policy setting back to Not Configured) so devices actually benefit from certificate-based device authentication.
Here’s an elaborate Howto.
Device Authentication using certificates is a welcome addition to Windows, but unfortunately not every environment is ready for it, today.
Release Notes: Important Issues in Windows Server Technical Preview
Release Notes: Important Issues in Windows 10 Technical Preview
[MS-ERREF] 2.3.1 NTSTATUS values
Microsoft Devices Security, Virtual Smart Cards Part 1: Introduction and TPM
A Trusted Ticket System for Kerberos
Next Release of Windows Server Hyper-V