updating DC certs to support WH4B

480 Views
Last Post 16 March 2019

ZJORZ posted this 15 March 2019

Hi, To support Windows Hello for Business, we need to update the cert template for our W2K12R2 DCs FROM: TO: Do you know what the impact (if any) is or could be when doing this? Thanks Met Vriendelijke Groeten / Cumprimentos / Kind Regards,Jorge de Almeida Pinto MVP Enterprise Mobility And Security | MCP/MCSE/MCITP/exMCTMVP Profile | Blog | Facebook | Twitter

#Permalink
0
0
0

scripting

4 Comments

Order By: Standard | Newest | Votes

tcbep posted this 15 March 2019

I did this last year and had no issues. I followed the guide linked below.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn771627(v=ws.11)

Eric Pagan | CASP

Network Administrator

The Citizens Bank

1356 Gamble Street

Turbeville, SC 29162

(843) 657-2001 Ext. 7280

www.thecitizensbank.cc

“Solid Traditions. Smart Solutions”

5-Star Rated with Bauer Financial

#Permalink
0
0
0

paulhut posted this 15 March 2019

Hi Jorge,

The out of the box Domain Controller template allows Client Authentication and Server Authentication. In Windows Hello for Business this template is superseded by one whose use still contains Client Authentication and Server Authentication

and adds KDC Authentication and Smart Card login.

From the

docs it says:

“

By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography

configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the

Kerberos Authentication certificate template a baseline

to create an updated domain controller certificate template.

“

The superseding certificate improves the performance of the original DC certificate and maintains the same functionality as well as adds additional usage to allow WHfB to provision. In my own testing it still behaves like a DC cert.

Thanks, Paul

#Permalink
0
0
0

pradeeprawat85 posted this 15 March 2019

We did that few months back (to support WHFB), so far no issues reported. We have both 2012 R2 and 2016 DCs in our environment.

Thanks,

Pradeep Rawat, CISSP

From: "ActiveDir-owner@xxxxxxxxxxxxxxxx" <ActiveDir-owner@xxxxxxxxxxxxxxxx> on behalf of Eric Pagan <epagan@xxxxxxxxxxxxxxxx>

Reply-To: "ActiveDir@xxxxxxxxxxxxxxxx" <ActiveDir@xxxxxxxxxxxxxxxx>

Date: Friday, 15 March 2019 at 11:06 PM

To: "ActiveDir@xxxxxxxxxxxxxxxx" <ActiveDir@xxxxxxxxxxxxxxxx>

Subject: RE: [ActiveDir] updating DC certs to support WH4B

I did this last year and had no issues. I followed the guide linked below.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn771627(v=ws.11)

Eric Pagan | CASP

Network Administrator

The Citizens Bank

1356 Gamble Street

Turbeville, SC 29162

(843) 657-2001 Ext. 7280

www.thecitizensbank.cc

“Solid Traditions. Smart Solutions”

5-Star Rated with Bauer Financial

From: ActiveDir-owner@xxxxxxxxxxxxxxxx <ActiveDir-owner@xxxxxxxxxxxxxxxx>

On Behalf Of Jorge de Almeida Pinto [MVP-EMS]

Sent: Friday, March 15, 2019 1:08 PM

To: Jorge de Almeida Pinto [MVP-EMS] <jorge@xxxxxxxxxxxxxxxx>

Subject: [ActiveDir] updating DC certs to support WH4B

This message was sent by someone outside of The Citizens Bank. Please be cautious when opening attachments or clicking links.

Hi,

To support Windows Hello for Business, we need to update the cert template for our W2K12R2 DCs

FROM:

TO:

cid:image001.png@01D4DB33.92EBF7E0

cid:image003.png@01D4DB33.92EBF7E0

Do you know what the impact (if any) is or could be when doing this?

Thanks

Met Vriendelijke Groeten / Cumprimentos / Kind Regards,

Jorge de Almeida Pinto

MVP Enterprise Mobility And Security | MCP/MCSE/MCITP/exMCT

MVP Profile

| Blog

| Facebook

| Twitter

DISCLAIMER: This message is intended only for specified recipients. If you are not the intended recipient you are notified that disclosing, copying, distributing, or taking any action in reliance on the contents of this information is strictly

prohibited. This communication represents the originator's personal views, which may not reflect those of The Citizens Bank. Security Warning: This message is being sent over an unsecured medium (the Internet). Recipients should not reply to this message with

sensitive or confidential account information. If the need arises to communicate sensitive or confidential account information, customers should visit or contact the nearest branch office. If you received this email in error, please immediately notify postmaster@xxxxxxxxxxxxxxxx.

#Permalink
0
0
0

slavickp posted this 16 March 2019

Hi Jorge – This would change the key storage provider while maintaining the RSA algorithm. I wouldn’t anticipate any negative impact from this. Regards Slav MCM-DS

#Permalink
0
0
0

updating DC certs to support WH4B

Categories

Search

Popular Tags

Hot Topics