TODO: Upgrade the Certificates for your Windows Server 2016-based Domain Controllers (and up) to enable Windows Hello for Business Hybrid Scenarios

Reading Time: 5 minutes

While many Active Directory environments use the default settings from 2003, other environments have adapted to enable new functionality, like Windows Hello for Business. To do so, the default Domain Controllers certificates and certificate templates need to be replaced, as they do not fulfill all of the requirements set out for them.

This blogpost shows how to issue the right certificates to Domain Controllers.

About Domain Controller Certificates

Domain Controllers use certificates for several purposes:

  • To verify their identities as Domain Controllers for the Active Directory domain
  • To provide smart card authentication
  • To encrypt traffic when acting as a host offering the secure Lightweight Directory Access Protocol (LDAPS)

Optionally, they can use their certificates for IPSec communications.

All certificates used by Domain Controllers are stored in their local computer’s personal certificate stores.

History of recommended Domain Controller certificates

Throughout the history of Active Directory, several superseding certificate configurations have been issued to Domain Controllers. The Domain Controller certificate template, initially requested by Windows 2000 server-based Domain Controllers and issued by Windows 2000 Server-based CAs was superseded by the Domain Controller Authentication certificate template. Since Windows Server 2008, the Kerberos Authentication certificate template is recommended to issue to Domain Controllers.

The Domain Controller certificate template is a v1 template. It cannot be modified. The Domain Controller authentication certificate template is a v2 template. It can be modified, but does not support the new Microsoft Cryptographic API (CAPI) with the latest encryption and hashing algorithms. The Kerberos Authentication certificate is a v3 template. Unlike the v2 template, v3 templates and beyond can use the latest cryptographic abilities.

Since Windows Server 2012, v4 templates allow the option to Renew with the same key on the Request Handling tab of the properties for a certificate template.

LDAP and LDAPS are typically used by non-domain-joined devices and services. LDAPS provide encryption based on TLS, whereas LDAP doesn’t provide encryption of the traffic exchanged with the Domain Controller. For offering the secure Lightweight Directory Access Protocol (LDAPS), by default, a Domain Controller uses a self-signed certificate with a validity period of 1 year.

To provide a valid certificate for this purpose, a proper certificate should be enrolled. The Kerberos Authentication certificate template provides the necessary certificate for this purpose.

The Kerberos Authentication certificate template is recommended, as it includes both the Active Directory domain name and the Domain Controller’s fully qualified domain name as its subject and, by default, supports the following purposes:

  • Server Authentication
  • Client Authentication
  • Smart Card Logon
  • KDC Authentication

Windows Hello for Business

For Windows Hello for Business, a feature introduced in Windows 10, the built-in Kerberos Authentication certificate template needs to be updated to comply with the certificate template settings outlined in the Microsoft Docs.

Autoenrollment

The certificate templates that are superseded by the new certificate template are hard-coded for a Domain Controller to autoenroll. The enrollment for these certificates occurs, despite the lack of an autoenrollment policy. However, to have new certificate templates autoenroll, an autoenrollment policy needs to be created using Group Policy.

Getting ready

To issue Kerberos Authentication certificates to Domain Controllers, the Certification Authority (CA) needs to run Windows Server 2008 R2, or a newer version of Windows Server.

Certificate autoenrollment is a feature of enterprise Certification Authorities (CAs). It cannot be configured on a standalone CA.

For the steps below, sign in to the Enterprise CA with a domain account that is a member of the Enterprise Admins group.

To issue the necessary certificates for Windows Hello for Business, all Domain Controllers that request the new certificate template need to run Windows Server 2016, or a newer version of Windows Server.

To create a group policy object (GPO) and manage its settings, sign in to a system with the Group Policy Management Console installed with an account that is a member of the Domain Admins group, per Active Directory domain.

Specifying the right Certificate Template

Before enabling the certificate autoenrollment policy through Group Policy, configure the Kerberos Authentication certificate template to supersede the Domain Controller and Domain Controller Authentication certificate templates.

Perform these steps to do so:

  1. Press Start.
  2. Search for the Certification Authority management console or run certsrv.msc. The Certification Authority window appears.
  3. In the left navigation pane, expand the node representing the CA. Right-click the Certificate Templates node and select Manage from the context menu to manage certificate templates.
    The Certificate Templates Console (certtmpl.msc) window appears.
  4. In the main pane, select the Kerberos Authentication certificate template.
  5. Right-click the certificate template and select Duplicate Template from the context menu.
    The Properties of New Template window appears.
  6. On the Compatibility tab, make the following changes in the Compatibility Settings area:
    1. Change the value for Certification Authority to at least Windows Server 2008 R2, specifying the earliest Windows Server version acting as CA that will issue this certificate template. The Resulting changes pup-up window appears. Click OK to dismiss it.
    2. Change the value for Certification recipient to at least Windows 7 / Windows Server 2008 R2, specifying the earliest Windows Server version acting as clients that will request this certificate template. The Resulting changes pup-up window appears. Click OK to dismiss it.
  7. Navigate to the Subject Name tab.
  8. Make sure the settings for the certificate template’s subject name are configured as in the below screenshot:
                                                                                                                                        
    The New Template's Subject Name tab
                                                                                                                                        
  9. Navigate to the Cryptography tab.
  10. On the Cryptography tab, make the following changes:
    1. Change the Provider Category to Key Storage Provider.
      This should change the Algorithm name to RSA and the value for Minimum key size to 2048. If it doesn’t, change it to these values.
    2. Change the value for Request hash to SHA256.
  11. Navigate to the Superseded Templates tab.
  12. Click the Add… button.
    The Add Superseded Template pop-up window appears.
  13. Select the following certificate templates using the Shift button to select multiple templates:
    • Directory Email Replication
    • Domain Controller
    • Domain Controller Authentication
    • Kerberos Authentication
  14. Click OK.
  15. Navigate to the General tab.
  16. Provide a meaningful name for the certificate template in the Template display name: and the Template name: fields.
  17. Click OK to save the new template.
    The Properties of New Template window closes.
  18. In the Certification Authority management console, select the Certificate Templates node in the left navigation menu.
  19. From the Action menu, select New, then click Certificate Template to Issue.
    The Enable Certificate Templates window appears.
  20. Select the newly created certificate template from the list of available certificate templates.
  21. Click OK.

With these steps completed, disable the superseded certificate templates.

Configuring the Domain Controllers for Autoenrollment

With the right Certificate Template present, we’ll now configure the group policy for autoenrollment. Any previously enrolled certificate based on the superseded certificate templates will be removed and replaced by a certificate, based on the new certificate template.

Certificate autoenrollment is based on Group Policy. Perform these steps to configure Group Policy settings for autoenrollment:

  1. Press Start.
  2. Search for Group Policy Management or run gpmc.msc.
    The Group Policy Management window appears.
  3. In the left navigation pane, expand the Forest node.
  4. Expand the Domains node, and then navigate to the domain where you want to create the Group Policy object (GPO).
  5. Expand the domain name and select the Group Policy Objects node.
  6. Right-click the Group Policy Objects node and select New from the context menu.
    The New GPO pop-up window appears.
  7. Enter the name for the GPO.
  8. Make sure that you don’t select Starter GPOs.
  9. Click OK to create the GPO.
  10. Locate the newly created GPO in the main pane.
  11. Right-click the GPO and select Edit from the context menu.
    The Group Policy Management Editor window appears.
  12. Expand the Computer Configuration node.
  13. Expand the Policies node.
  14. Expand the Windows Settings node.
  15. Expand the Security Settings node.
  16. Select the Public Key Policies node.
  17. In the main pane, right-click the Certificate Services client – Auto-Enrollment setting and select Properties from the context menu.
    The Certificate Services client – Auto-Enrollment Properties window appears.
  18. Change the setting for the Configuration Model: setting to Enabled.
  19. Select the Renew expired certificates, update pending certificates, and remove revoked certificates option.
  20. Select the Update certificates that use certificate templates option.
  21. Click OK to save the Group Policy setting and close the Certificate Services client – Auto-Enrollment Properties window.
  22. Close the Group Policy Management Editor window.
  23. In the Group Policy Management window, in the left navigation pane, select the Domain Controllers OU.
  24. Right-click the Domain Controllers OU and select Link an Existing GPO… from the context menu.
    The Select GPO pop-up window appears.
  25. Select the newly created GPO from the list of Group Policy objects:.
  26. Click OK.

As the group policy setting is enabled within the Computer Configuration part of the GPO, the Domain Controller will automatically enroll certificates that are configured for autoenrollment, when:

  • The server reboots
  • A group policy background refresh occurs
  • When you perform the following command: certutil.exe –pulse


Concluding

Update your Domain Controllers to the 20s and create a Certificate Template that allows the Windows Hello for Business hybrid scenarios.

Posted on September 14, 2022 by Sander Berkouwer in Active Directory, Recommended Practices, Windows Hello for Business

2 Responses to TODO: Upgrade the Certificates for your Windows Server 2016-based Domain Controllers (and up) to enable Windows Hello for Business Hybrid Scenarios

  1.  

    Hello,

    I am completely lost, our CA does not seem to renew the KDC and our WHfB always gives the error Status 0xc000005e even after following this TODO… If only I could have the help of an expert

    from Alexis Belanger April 2, 2024 at 3:05 AM

    • Hi Alexis,

      Is the remain validity time of the issuing Certification Authority (CA) longer than the period for which you want issue certificates? If not, renew the certificate for all CAs in the chain that have CA certificates expiring within the time frame for which you want to deploy certificate.

      Is the encryption strength of the key material for all CAs in the chain at a minimum SHA-2 (or up)? In previous versions, the private key for certificates defaulted to 1024 bit key length and SHA-1 (this was addressed in Windows Server 2022). If not, upgrade all CAs in the chain that have SHA-1 and 1024 bit lengths to use SHA-2 certificates with at least a 2048 bit key length (or longer).

      from Sander Berkouwer April 2, 2024 at 8:26 PM
       

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.