Microsoft CA DC authentication certificate or Kerberos authentication

  • Question

  • Hello All,

    We are replacing the 1024-bit DC authentication certificate with a 2048-bit certificate. Should we go for the Kerberos Authentication certificate or the DC Authentication certificate? Also, since we are doing it in AD, we just want to test whether the new certificate is working or not. Please advise how to test whether authentication is working properly or not.

    Regards

    Mahesh

    Tuesday, July 23, 2019 2:14 PM

Answers

  • Recommended to use Kerberos Authentication as the template. It adds in the netbios and DNS domain names to the certificate.

    Brian

    Tuesday, July 23, 2019 3:54 PM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.
    Our Domain Controllers by default will use one of the 3 built-in certificate templates for LDAP over TLS purposes. These templates were introduced consecutively with each OS release. The templates are:

    Domain Controller (Windows Server 2000)
    Domain Controller Authentication (Windows Server 2003)
    Kerberos Authentication (Windows Server 2008 and above)

    Our modern domain controllers can use any one of these 3 certificate templates; however, we really want your DCs to be using the Kerberos Authentication template. By default, it includes multiple SAN entries that represent the Domain Controller, the Active Directory Domain FQDN and the Active Directory NetBIOS name. Additionally, it contains a new Enhanced Key Usage to allow strict KDC validation to be enabled on all modern clients that are performing smart-card based (PKINIT) logons.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 24, 2019 7:30 AM
    Moderator
  • Hi,
    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 26, 2019 11:01 AM
    Moderator
  • Thanks Brian
    Monday, July 29, 2019 6:08 AM
  • Thanks Daisy
    Monday, July 29, 2019 6:08 AM
  • How can I test if the issued certificate is working or not? If logging in to any client succeeds, can we consider this is working?
    Monday, July 29, 2019 6:09 AM
  • Hi,
    We can run the following command on the machine where the certificate is stored to verify the validity of the certificate:
    certutil -f -urlfetch -verify mycertificatefile.cer

    For example, if the certificate is stored in C:\mycertificatefile.cer, we can run:
    certutil -f -urlfetch -verify C:\mycertificatefile.cer

    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 29, 2019 9:12 AM
    Moderator
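The question left open above is how to tell that the replacement certificate is really the one in use, not just that it validates. The script below is an added example, not code from the thread or from Microsoft. It checks the properties the replies describe (a 2048-bit key, the KDC Authentication EKU that the Kerberos Authentication template adds, and SAN entries for the DC FQDN, the AD DNS domain and the NetBIOS name), runs the same certutil chain check the answer recommends, and then opens an LDAPS (TCP 636) handshake to the DC to confirm the server is presenting that certificate. The names in the first block are placeholders you must replace; the script assumes it is run on the DC in an elevated PowerShell session with the PKI module available.

```powershell
# Added example (not from the thread). Placeholders: replace with your own names.
$DcFqdn      = 'dc01.corp.example.com'
$DomainFqdn  = 'corp.example.com'
$NetbiosName = 'CORP'
$KdcAuthEku  = '1.3.6.1.5.2.3.5'   # "KDC Authentication" EKU OID set by the Kerberos Authentication template
$MinKeyBits  = 2048

function Get-DcAuthCertificates {
    # Machine-store certificates that carry the KDC Authentication EKU
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $KdcAuthEku)
    }
}

function Test-DcCertificateProperties {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $keyBits = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert).KeySize

    # Subject Alternative Name (OID 2.5.29.17) renders as one "DNS Name=..." line per entry
    $sanExt   = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText  = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $sanNames = $sanText -split "`r?`n" |
        ForEach-Object { ($_ -replace '^\s*DNS Name=', '').Trim() } |
        Where-Object { $_ }

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        KeyBits       = $keyBits
        KeyIs2048     = ($keyBits -ge $MinKeyBits)
        HasDcFqdnSan  = ($sanNames -contains $DcFqdn)       # -contains is case-insensitive
        HasDomainSan  = ($sanNames -contains $DomainFqdn)
        HasNetbiosSan = ($sanNames -contains $NetbiosName)
    }
}

function Test-DcCertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Export to a temp .cer and run the check from the reply above;
    # certutil exits 0 only when chain building and revocation checks succeed.
    $tmp = Join-Path $env:TEMP "$($Cert.Thumbprint).cer"
    Export-Certificate -Cert $Cert -FilePath $tmp -Force | Out-Null
    & certutil.exe -f -urlfetch -verify $tmp | Out-Null
    $ok = ($LASTEXITCODE -eq 0)
    Remove-Item $tmp -ErrorAction SilentlyContinue
    return $ok
}

function Get-LdapsServedCertificate {
    param([string]$Server)
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $Server, 636
    try {
        # The callback returns $true so the handshake completes and we can read
        # whatever the DC presents; trust is judged by the checks above, not here.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($Server)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $tcp.Close()
    }
}

# 1. Properties of every candidate certificate in the machine store
$results = Get-DcAuthCertificates | ForEach-Object { Test-DcCertificateProperties -Cert $_ }
$results | Format-Table -AutoSize

# 2. Chain and revocation check for each candidate
foreach ($cert in Get-DcAuthCertificates) {
    "{0} chain verifies: {1}" -f $cert.Thumbprint, (Test-DcCertificateChain -Cert $cert)
}

# 3. Which certificate the DC actually hands out on LDAPS
$served = Get-LdapsServedCertificate -Server $DcFqdn
"LDAPS on {0} presents {1} (expires {2})" -f $DcFqdn, $served.Thumbprint, $served.NotAfter
if ($results.Thumbprint -notcontains $served.Thumbprint) {
    Write-Warning 'LDAPS is serving a certificate that is not one of the Kerberos Authentication certificates.'
}
```

Two things worth knowing when reading the output. A successful password logon on a client, as suggested above, does not prove the new certificate is in use: ordinary Kerberos logon never touches the DC's certificate, only LDAPS clients and smart-card (PKINIT) logons do, which is why the script checks the LDAPS handshake directly. And if the old 1024-bit certificate is still present in the store, Schannel may keep selecting it; compare the thumbprint printed in step 3 with the one from step 1 before removing the old certificate, and re-run the script afterwards.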
  • Thanks Daisy
    Thursday, August 1, 2019 7:03 AM
  • Hi,
    You are welcome.
    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

    Have a nice day!


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, August 14, 2019 9:37 AM
    Moderator