updating DC certs to support WH4B

ZJORZ posted this 4 days ago

Hi,

To support Windows Hello for Business, we need to update the cert template for our W2K12R2 DCs FROM: [screenshot not captured] TO: [screenshot not captured]

Do you know what the impact (if any) is or could be when doing this?

Thanks

Met Vriendelijke Groeten / Cumprimentos / Kind Regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility And Security | MCP/MCSE/MCITP/exMCT
MVP Profile | Blog | Facebook | Twitter

tcbep posted this 4 days ago

I did this last year and had no issues. I followed the guide linked below.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn771627(v=ws.11)

Eric Pagan | CASP
Network Administrator
The Citizens Bank
1356 Gamble Street
Turbeville, SC 29162
(843) 657-2001 Ext. 7280
www.thecitizensbank.cc
“Solid Traditions. Smart Solutions”
5-Star Rated with Bauer Financial

paulhut posted this 4 days ago

Hi Jorge,


The out-of-the-box Domain Controller template allows Client Authentication and Server Authentication. In Windows Hello for Business this template is superseded by one whose usage still contains Client Authentication and Server Authentication and adds KDC Authentication and Smart Card login.

From the docs it says:

"By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template."

The superseding certificate improves the performance of the original DC certificate, maintains the same functionality, and adds additional usage to allow WHfB to provision. In my own testing it still behaves like a DC cert.

Thanks, Paul

pradeeprawat85 posted this 4 days ago

We did that a few months back (to support WHFB); so far no issues reported. We have both 2012 R2 and 2016 DCs in our environment.

Thanks,
Pradeep Rawat, CISSP

slavickp posted this 4 days ago

Hi Jorge – This would change the key storage provider while maintaining the RSA algorithm. I wouldn’t anticipate any negative impact from this.

Regards,
Slav MCM-DS

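As an added example (not code from any of the posters), a PowerShell check an admin could run on a DC after enrolling the new template, covering the two points raised above: Paul's list of the four usages the superseding template carries, and Slav's note that the key storage provider changes. It reports, per machine certificate, which required EKUs are missing and whether the private key is held by a CNG key storage provider or a legacy CryptoAPI CSP. The function and output field names are my own; the EKU OIDs are the standard ones, and it assumes an elevated session with .NET 4.6 or later.

```powershell
# Added example, not from this thread: audit machine-store certificates for the four usages
# the WHfB DC template carries and for the key storage provider holding the private key.
# EKU OIDs are the standard values; function and field names are assumptions of this script.
$RequiredEku = @{
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
    'KDC Authentication'    = '1.3.6.1.5.2.3.5'
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
}
function Get-DcCertReadiness {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        # Enhanced Key Usage extension (2.5.29.37): compare its OIDs against the required set.
        $ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $present = @()
        if ($ekuExt) { $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $missing = @($RequiredEku.GetEnumerator() |
            Where-Object { $present -notcontains $_.Value } | ForEach-Object { $_.Key })
        # Template extensions (v1 name: 1.3.6.1.4.1.311.20.2, v2+ info: 1.3.6.1.4.1.311.21.7).
        $template = ($cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }) -join '; '
        # Key provider: CNG keys come back as RSACng (Key.Provider), CAPI keys as
        # RSACryptoServiceProvider (CspKeyContainerInfo).
        $provider = 'unknown'; $isCng = $false
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider = $rsa.Key.Provider.Provider; $isCng = $true
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $rsa.CspKeyContainerInfo.ProviderName
            }
        } catch { $provider = "error: $($_.Exception.Message)" }
        [pscustomobject]@{
            Subject     = $cert.Subject
            Template    = $template
            NotAfter    = $cert.NotAfter
            KeyProvider = $provider
            CngKsp      = $isCng
            MissingEku  = ($missing -join ', ')
            WhfbReady   = ($missing.Count -eq 0 -and $isCng)
        }
    }
}
Get-DcCertReadiness | Format-List
```

A certificate issued from the old template shows up with one or both of KDC Authentication and Smart Card Logon in MissingEku, or with CngKsp False; after re-enrollment both should clear on the new certificate.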