While many Active Directory environments use the default settings from 2003, other environments have adapted to enable new functionality, like Windows Hello for Business. To do so, the default Domain Controllers certificates and certificate templates need to be replaced, as they do not fulfill all of the requirements set out for them.
This blogpost shows how to issue the right certificates to Domain Controllers.
About Domain Controller Certificates
Domain Controllers use certificates for several purposes:
- To verify their identities as Domain Controllers for the Active Directory domain
- To provide smart card authentication
- To encrypt traffic when acting as a host offering the secure Lightweight Directory Access Protocol (LDAPS)
Optionally, they can use their certificates for IPSec communications.
All certificates used by Domain Controllers are stored in their local computer’s personal certificate stores.
History of recommended Domain Controller certificates
Throughout the history of Active Directory, several superseding certificate configurations have been issued to Domain Controllers. The Domain Controller certificate template, initially requested by Windows 2000 server-based Domain Controllers and issued by Windows 2000 Server-based CAs was superseded by the Domain Controller Authentication certificate template. Since Windows Server 2008, the Kerberos Authentication certificate template is recommended to issue to Domain Controllers.
The Domain Controller certificate template is a v1 template; it cannot be modified. The Domain Controller Authentication certificate template is a v2 template; it can be modified, but it is tied to the legacy CryptoAPI (CAPI) cryptographic service providers and cannot use Cryptography Next Generation (CNG) key storage providers. The Kerberos Authentication certificate template is a v3 template. Unlike v2 templates, v3 templates and beyond can use CNG, and with it the current signature and hashing algorithms.
Since Windows Server 2012, v4 templates allow the option to Renew with the same key on the Request Handling tab of the properties for a certificate template.
LDAP and LDAPS are typically used by non-domain-joined devices and services (domain-joined Windows systems protect their LDAP traffic with Kerberos signing and sealing). LDAPS encrypts the session with TLS, whereas plain LDAP sends the traffic exchanged with the Domain Controller, including simple-bind credentials, unencrypted. For offering the secure Lightweight Directory Access Protocol (LDAPS), by default, a Domain Controller uses a self-signed certificate with a validity period of 1 year.
To provide a valid certificate for this purpose, a proper certificate should be enrolled. The Kerberos Authentication certificate template provides the necessary certificate for this purpose.
The Kerberos Authentication certificate template is recommended, as it includes both the Active Directory domain's DNS name and the Domain Controller's fully qualified domain name as Subject Alternative Names (the older Domain Controller Authentication template only carries the Domain Controller's name) and, by default, supports the following purposes:
- Server Authentication
- Client Authentication
- Smart Card Logon
- KDC Authentication
Windows Hello for Business
For Windows Hello for Business, a feature introduced in Windows 10, the built-in Kerberos Authentication certificate template needs to be updated to comply with the certificate template settings outlined in the Microsoft Docs.
Autoenrollment
The built-in Domain Controller certificate template, which the new certificate template supersedes, is hard-coded: a Domain Controller enrolls for it even without an autoenrollment policy. To have a Domain Controller autoenroll a new certificate template, however, an autoenrollment policy needs to be created using Group Policy.
Getting ready
To issue Kerberos Authentication certificates to Domain Controllers, the Certification Authority (CA) needs to run Windows Server 2008 R2, or a newer version of Windows Server.
Certificate autoenrollment is a feature of enterprise Certification Authorities (CAs). It cannot be configured on a standalone CA.
For the steps below, sign in to the Enterprise CA with a domain account that is a member of the Enterprise Admins group.
To issue the necessary certificates for Windows Hello for Business, all Domain Controllers that request the new certificate template need to run Windows Server 2016, or a newer version of Windows Server.
To create a group policy object (GPO) and manage its settings, sign in to a system with the Group Policy Management Console installed with an account that is a member of the Domain Admins group, per Active Directory domain.
Specifying the right Certificate Template
Before enabling the certificate autoenrollment policy through Group Policy, configure the Kerberos Authentication certificate template to supersede the Domain Controller and Domain Controller Authentication certificate templates.
Perform these steps to do so:
- Press Start.
- Search for the Certification Authority management console or run certsrv.msc. The Certification Authority window appears.
- In the left navigation pane, expand the node representing the CA. Right-click the Certificate Templates node and select Manage from the context menu to manage certificate templates.
The Certificate Templates Console (certtmpl.msc) window appears.
- In the main pane, select the Kerberos Authentication certificate template.
- Right-click the certificate template and select Duplicate Template from the context menu.
The Properties of New Template window appears.
- On the Compatibility tab, make the following changes in the Compatibility Settings area:
- Change the value for Certification Authority to at least Windows Server 2008 R2, specifying the earliest Windows Server version acting as CA that will issue this certificate template. The Resulting changes pop-up window appears. Click OK to dismiss it.
- Change the value for Certificate recipient to at least Windows 7 / Windows Server 2008 R2, specifying the earliest Windows version of the clients (here: the Domain Controllers) that will request this certificate template. The Resulting changes pop-up window appears. Click OK to dismiss it.
- Navigate to the Subject Name tab.
- Make sure the settings for the certificate template's subject name match the Microsoft Docs for Windows Hello for Business, as in the screenshot: Build from this Active Directory information is selected, Subject name format is set to None, and DNS name is the only item included in the alternate subject name.
- Navigate to the Cryptography tab.
- On the Cryptography tab, make the following changes:
- Change the Provider Category to Key Storage Provider. This should change the Algorithm name to RSA and the value for Minimum key size to 2048. If it doesn't, change them to these values.
- Change the value for Request hash to SHA256.
- Navigate to the Superseded Templates tab.
- Click the Add… button.
The Add Superseded Template pop-up window appears.
- Select the following certificate templates (hold Ctrl to select non-adjacent templates, or Shift for a contiguous range):
- Directory Email Replication (only if SMTP-based replication is not in use; the new template does not carry the Directory Service Email Replication purpose)
- Domain Controller
- Domain Controller Authentication
- Kerberos Authentication
- Click OK.
- Navigate to the General tab.
- Provide a meaningful name for the certificate template in the Template display name: and Template name: fields, for example Domain Controller Authentication (Kerberos), the name the Microsoft Docs use.
- Click OK to save the new template.
The Properties of New Template window closes.
- In the Certification Authority management console, select the Certificate Templates node in the left navigation menu.
- From the Action menu, select New, then click Certificate Template to Issue.
The Enable Certificate Templates window appears.
- Select the newly created certificate template from the list of available certificate templates.
- Click OK.
With these steps completed, stop issuing the superseded certificate templates: in the Certificate Templates node of the Certification Authority management console, right-click each superseded template and select Delete. This only removes the template from the list of templates this CA issues; the template object itself and the certificates already issued from it remain.
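The procedure above is all clicks. As an added example (not code from the original post or from Microsoft), the following PowerShell reads the duplicated template back from Active Directory and checks the settings that matter for Windows Hello for Business (schema version, key size, request hash, the four purposes and the superseded list), publishes it on the CA with Add-CATemplate, and removes the superseded templates from the CA's issue list. It assumes the template display name is Domain Controller Authentication (Kerberos) (change $TemplateName if you chose another), that it runs on the Enterprise CA as an Enterprise Admin with the ActiveDirectory and ADCSAdministration modules, and that the request hash of a v3 template is recorded in msPKI-RA-Application-Policies in the form shown in the comment.

```powershell
# Added example (not from the original post): verify the duplicated Kerberos Authentication
# template in AD, publish it on this Enterprise CA, and stop issuing the superseded templates.
# Assumptions: display name below (the name used in the Microsoft Docs), run on the CA as an
# Enterprise Admin, ActiveDirectory + ADCSAdministration modules available.
#Requires -Modules ActiveDirectory, ADCSAdministration

$TemplateName = 'Domain Controller Authentication (Kerberos)'   # assumption: your template's display name
# cn values of the superseded templates, as stored in msPKI-Supersede-Templates
$ExpectedSuperseded = 'DirectoryEmailReplication', 'DomainController',
                      'DomainControllerAuthentication', 'KerberosAuthentication'

# Certificate templates live in the Configuration partition, not in the domain partition
$configNC      = (Get-ADRootDSE).configurationNamingContext
$tmplContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl = Get-ADObject -SearchBase $tmplContainer -Filter "displayName -eq '$TemplateName'" `
    -Properties name, displayName, 'msPKI-Template-Schema-Version', 'msPKI-Minimal-Key-Size',
                pKIExtendedKeyUsage, 'msPKI-Supersede-Templates', 'msPKI-RA-Application-Policies'
if (-not $tmpl) { throw "Template '$TemplateName' not found in $tmplContainer" }

# Enhanced Key Usage OIDs the Kerberos Authentication template carries by default
$Eku = @{
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
    'KDC Authentication'    = '1.3.6.1.5.2.3.5'
}
# Assumption: for v3+ templates the request hash is stored in msPKI-RA-Application-Policies
# as 'msPKI-Hash-Algorithm`PZPWSTR`SHA256' (single quotes keep the backticks literal)
$raPolicies = ($tmpl.'msPKI-RA-Application-Policies' -join ';')

$checks = [ordered]@{
    'Schema version 3 or 4 (CNG/KSP capable)' = [int]$tmpl.'msPKI-Template-Schema-Version' -ge 3
    'Minimum key size 2048'                    = [int]$tmpl.'msPKI-Minimal-Key-Size' -ge 2048
    'Request hash SHA256'                      = $raPolicies -like '*msPKI-Hash-Algorithm`PZPWSTR`SHA256*'
}
foreach ($name in $Eku.Keys) {
    $checks["EKU: $name"] = [string[]]$tmpl.pKIExtendedKeyUsage -contains $Eku[$name]
}
foreach ($s in $ExpectedSuperseded) {
    $checks["Supersedes $s"] = [string[]]$tmpl.'msPKI-Supersede-Templates' -contains $s
}
$checks.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key }
if ($checks.Values -contains $false) { throw 'Fix the template in certtmpl.msc before publishing it.' }

# Publish the new template on this CA (idempotent), then stop issuing the superseded ones.
# Remove-CATemplate only takes a template off this CA's issue list; it deletes neither the
# template object in AD nor any certificate already issued from it.
$published = (Get-CATemplate).Name
if ($published -notcontains $tmpl.Name) { Add-CATemplate -Name $tmpl.Name -Force }
foreach ($s in $ExpectedSuperseded) {
    if ($published -contains $s) { Remove-CATemplate -Name $s -Force }
}
(Get-CATemplate).Name   # what this CA issues now
```

The check reads the template's attributes rather than the GUI, so it also catches a template that was edited after this procedure. Domain Controllers still need the Enroll and Autoenroll permissions on the new template; a duplicate inherits them from the built-in Kerberos Authentication template, which grants both to the Domain Controllers and Enterprise Domain Controllers groups.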
Configuring the Domain Controllers for Autoenrollment
With the right Certificate Template present, we'll now configure the group policy for autoenrollment. Because the new template supersedes the old ones and the policy below updates certificates that use templates, any certificate previously enrolled from the superseded templates is archived on the Domain Controller and replaced by a certificate based on the new certificate template.
Certificate autoenrollment is based on Group Policy. Perform these steps to configure Group Policy settings for autoenrollment:
- Press Start.
- Search for Group Policy Management or run gpmc.msc.
The Group Policy Management window appears.
- In the left navigation pane, expand the Forest node.
- Expand the Domains node, and then navigate to the domain where you want to create the Group Policy object (GPO).
- Expand the domain name and select the Group Policy Objects node.
- Right-click the Group Policy Objects node and select New from the context menu.
The New GPO pop-up window appears.
- Enter the name for the GPO.
- Make sure that you don't select a Starter GPO.
- Click OK to create the GPO.
- Locate the newly created GPO in the main pane.
- Right-click the GPO and select Edit from the context menu.
The Group Policy Management Editor window appears.
- Expand the Computer Configuration node.
- Expand the Policies node.
- Expand the Windows Settings node.
- Expand the Security Settings node.
- Select the Public Key Policies node.
- In the main pane, right-click the Certificate Services Client - Auto-Enrollment setting and select Properties from the context menu.
The Certificate Services Client - Auto-Enrollment Properties window appears.
- Change the Configuration Model: setting to Enabled.
- Select the Renew expired certificates, update pending certificates, and remove revoked certificates option.
- Select the Update certificates that use certificate templates option.
- Click OK to save the Group Policy setting and close the Certificate Services Client - Auto-Enrollment Properties window.
- Close the Group Policy Management Editor window.
- In the Group Policy Management window, in the left navigation pane, select the Domain Controllers OU.
- Right-click the Domain Controllers OU and select Link an Existing GPO… from the context menu.
The Select GPO pop-up window appears.
- Select the newly created GPO from the list of Group Policy objects.
- Click OK.
As the setting is enabled in the Computer Configuration part of the GPO, a Domain Controller automatically enrolls certificates that are configured for autoenrollment when:
- the server reboots,
- a Group Policy background refresh occurs, or
- you run the following command on the Domain Controller: certutil.exe -pulse
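To finish the procedure from the command line and to confirm it actually worked, here is an added PowerShell example (not code from the original post or from Microsoft). It creates and links the autoenrollment GPO, triggers enrollment on a Domain Controller, and then verifies the outcome the way a practitioner would: that the computer's personal store holds a certificate from the new template with the KDC Authentication purpose, an RSA 2048 key, a SHA-256 signature and the expected Subject Alternative Names, and that the Domain Controller presents that same certificate on LDAPS (TCP 636). Assumptions: the template display name Domain Controller Authentication (Kerberos), the GPO name in $GpoName, the registry mapping of the GUI setting described in the comment (AEPolicy under the AutoEnrollment policy key), the GroupPolicy and ActiveDirectory modules on the admin host, and that the verification part runs on the Domain Controller itself.

```powershell
# Added example (not from the original post): autoenrollment GPO via PowerShell, then
# end-to-end verification on a Domain Controller. Assumptions are marked inline.
#Requires -Modules GroupPolicy, ActiveDirectory

$TemplateName = 'Domain Controller Authentication (Kerberos)'       # assumption
$GpoName      = 'Certificate Autoenrollment - Domain Controllers'   # assumption

# --- 1. GPO equivalent of Computer Configuration > Policies > Windows Settings >
#        Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment.
# Assumption: the GUI stores this setting as registry policy; AEPolicy 7 = Enabled with
# "Renew expired / update pending / remove revoked" and "Update certificates that use
# certificate templates" selected (0x8000 would mean Disabled).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Autoenroll Domain Controller certificates' }
$aeKey = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name $GpoName -Key $aeKey -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
$dcOU   = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
$linked = (Get-GPInheritance -Target $dcOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $dcOU -LinkEnabled Yes | Out-Null }

# --- 2. On the Domain Controller: apply the policy and trigger autoenrollment now
gpupdate.exe /target:computer /force | Out-Null
certutil.exe -pulse | Out-Null
Start-Sleep -Seconds 15   # autoenrollment runs in the background; give it a moment

function Get-DcKerberosCertificate {
    # Newest valid certificate in LocalMachine\My carrying the KDC Authentication EKU
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.2.3.5')
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-LdapsCertificate([string]$HostName) {
    # Open a TLS session to port 636 and return the certificate the DC presents.
    # Chain validation is switched off on purpose: we only inspect the certificate.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 636)
    $cb  = ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback])
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }
}

$dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$domain = (Get-ADDomain).DNSRoot.ToLower()
$cert   = Get-DcKerberosCertificate
if (-not $cert) { throw 'No valid certificate with the KDC Authentication EKU in LocalMachine\My; check the CertificateServicesClient-AutoEnrollment event log.' }

# Template name comes from the Certificate Template Information extension (1.3.6.1.4.1.311.21.7);
# assumption: Format() renders it as 'Template=<display name>(<template OID>), ...'
$tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false).ToLower() } else { '' }   # e.g. 'dns name=dc01.contoso.com, dns name=contoso.com'
$ldaps   = Test-LdapsCertificate -HostName $dcFqdn

$results = [ordered]@{
    'Issued from the new template'          = [bool]$tmplExt -and ($tmplExt.Format($false) -like "*$TemplateName*")
    'RSA key of at least 2048 bits'         = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize -ge 2048
    'Signed with SHA-256'                   = $cert.SignatureAlgorithm.FriendlyName -eq 'sha256RSA'
    "SAN contains DC FQDN $dcFqdn"          = $sanText -like "*dns name=$dcFqdn*"
    "SAN contains domain name $domain"      = $sanText -like "*dns name=$domain*"
    'LDAPS (636) presents this certificate' = $ldaps.Thumbprint -eq $cert.Thumbprint
}
$results.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key }
```

If every line but the last reads OK, the enrollment worked and only the LDAPS listener is still serving an older certificate. The Domain Controller selects its LDAPS certificate itself: a certificate in the NTDS\Personal store takes precedence over the computer's personal store, and an older, still-valid Domain Controller Authentication certificate that was not archived can still be chosen. Archiving or removing the old certificate, or a reboot, makes the Domain Controller pick up the new one.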
Concluding
Update your Domain Controllers to the 20s and create a Certificate Template that allows the Windows Hello for Business hybrid scenarios.
Hello,
I am completely lost, our CA does not seem to renew the KDC and our WHfB always gives the error Status 0xc000005e even after following this TODO… If only I could have the help of an expert
Hi Alexis,
Is the remaining validity time of the issuing Certification Authority (CA) longer than the period for which you want to issue certificates? If not, renew the certificate for all CAs in the chain that have CA certificates expiring within the time frame for which you want to deploy certificates.
Is the encryption strength of the key material for all CAs in the chain at a minimum SHA-2 (or up)? In previous versions, the private key for certificates defaulted to 1024 bit key length and SHA-1 (this was addressed in Windows Server 2022). If not, upgrade all CAs in the chain that have SHA-1 and 1024 bit lengths to use SHA-2 certificates with at least a 2048 bit key length (or longer).
Thank you, Sander,
I have another quick question for you;
When you say Change certificate authority value for at least Windows Server 2008 R2, specifying the oldest version of Windows Server acting as the certificate authority that will issue this certificate template. The Modify Preview window appears. Click OK to close it.
Is there any reason not to select Windows server 2016 and Win 10 / Windows server 2016 in the compatibility page?
When you say With these steps completed, disable the superseded certificate templates.
you mean delete the old template?
Deleting templates is pretty rigorous.
Simply disabling them to be issued by your CA(s) is sufficient and keeps the templates in the list of superseded certificate templates.
Great article. Question, how do you disable the old templates? I'm not readily seeing that option.
Straight from the 'Managing certificates' chapter of my Active Directory Administration Cookbook titled 'Removing a certificate template':
On Enterprise CAs, the Active Directory integration offers certificate templates functionality. These templates define the certificates that are issued by the CA. Use this recipe to remove a certificate template to issue from an enterprise CA.
Sign in to the Enterprise CA with a domain account that is a member of the Enterprise Admins group and perform the following steps to manage certificate templates:
The Certification Authority window appears.
The main pane lists the certificate templates that this CA issues certificates for. Usual certificate templates that are available by default include User, Computer and Web Server templates.
This will not delete the certificate template or any certificates issued based on the template, but merely stops offering the certificate template as requestable.
Alternatively, you can use Windows Powershell on a Windows Server installation configured as a CA to remove a certificate template:
Remove-CATemplate -Name "Name of no longer needed certificate"
Certificate templates act as templates for certificates. Certificate templates are stored in Active Directory.
The Certificate Templates node in the Certification Authority management console provides a list of the certificate templates that can be requested from the CA and, thus, can be issued from the CA.
You might want to remove a certificate template for a CA, when you don’t want a particular CA issuing that type of certificate. Another CA can then be used to issue that type of certificate. This is useful when you want to start issuing user certificates from a new CA with an optimized CRL distribution point or when you want dedicated CAs for certain types of certificates.
I am moving to a new certificate infrastructure and I had some help from an MSP to build it. I noticed that the new Kerberos certificate was not set to supersede the Domain Controller and Domain Controller Authentication templates; should I set that on the new Kerberos template?
Also, should I disable the Domain Controller and Domain Controller Authentication templates? If I cannot, should I set those to be issued by my new CA? If we are not using smart cards for login, are those used at all?
Domain Controllers are hardwired to enroll a Domain Controller certificate template. Superseding this template with the new template instructs the logic to enroll the new certificate as far back as Windows Server 2003-based Domain Controllers. Without superseding configured, the Domain Controller will enroll the Domain Controller certificate template, but not the superseding template. It is simply not instructed to do so.
Yes, superseding is configured on the new certificate template.
You can disable publishing the 'Domain Controller' certificate template, as superseded certificate templates do not need to be published.
Smartcard authentication is not only used in the world of physical smart cards. Smartcard authentication is also used in Windows Hello for Business, virtual smartcard and other scenarios.