Microsoft Corporation
Published: July 2010
Version 1.1
Abstract
This article describes how a Kerberos deployment can be configured to meet certain
conditions that help assure that smart card users are authenticating against a valid
Kerberos domain controller. This article applies to Windows Vista, Windows
Server 2008, Windows 7, and Windows Server 2008 R2.
Information in this document, including URL and other Internet Web site references,
is subject to change without notice. Unless otherwise noted, the companies,
organizations, products, domain names, e-mail addresses, logos, people, places,
and events depicted in examples herein are fictitious. No association with any real
company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright
laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft, Windows, Windows Server, and Windows Vista are trademarks of the
Microsoft group of companies.
Background .... 4
What Is Strict KDC Validation? .... 4
Requirements to Ensure Strict KDC Validation .... 4
  Client support for the Require strict KDC validation setting .... 5
  Domain controller and CA support for autoenrollment of the Kerberos Authentication certificate .... 5
  DC using Kerberos Authentication certificate .... 5
Validation .... 6
  Check if the domain policy has Require strict KDC validation enabled .... 6
  Check if CA has Kerberos Authentication template enabled .... 7
  Check if the domain controller has the Kerberos Authentication KDC Certificate .... 9
Causes for Smart Card Authentication Failures .... 10
  Problem: Cross Forest smartcard logon is failing but domain smart card logon succeeds .... 10
    Solution: Explicitly add the cross-forest enterprise CA roots to the NTAuth store of the forest where the computer is domain-joined .... 10
  Problem: KDC does not have KDC certificate based on Kerberos Authentication certificate templates .... 10
    Solution: Explicitly enroll for a KDC certificate by using the Certificate MMC .... 10
    Solution: Triggering autoenrollment using CertUtil.exe .... 15
    Solution: Configuring autoenrollment .... 17
  Problem: CA cannot issue KDC certificates based on Kerberos Authentication certificate templates .... 17
    Solution: Adding the Kerberos Authentication Template using Certificate Authority Snap-in .... 17
    Solution: Adding the Kerberos Authentication Template using CertUtil .... 19
  Problem: KDC has older KDC certificates .... 20
    Solution: Revoking Domain Controller and Domain Controller Authentication certificates .... 20
    Solution: Removing Domain Controller and Domain Controller Authentication certificate templates on a CA .... 20
Background
By default, Windows client computers that use Kerberos authentication with smart card
logon do not require or validate the key distribution center (KDC) Extended Key
Usage (EKU) in the KDC's certificate. Although support for enforcing strict KDC
validation was added in Windows Vista, it is not enabled by default, because doing so
would cause authentication failures until the configuration preconditions are met. This
article describes how a Kerberos deployment can be configured to meet those
preconditions, which help assure that a smart card user is authenticating against a
valid Kerberos domain controller.
What Is Strict KDC Validation?
When strict KDC validation is enabled, the Kerberos client verifies the following about
the certificate the KDC presents:
- The domain controller has the private key for the certificate provided.
- For domain-joined systems, the certification authority (CA) that issued the
  KDC's certificate is in the NTAuth store.
- For non-domain-joined systems, the root CA of the KDC's certificate is in the
  Third-Party Root CA or Smart Card Trusted Roots store.
- The KDC's certificate has the KDC EKU.
- The DNSName field of the KDC certificate's subjectAltName (SAN) extension
  matches the DNS name of the domain.
Because enabling this policy before every domain controller in the smart card users'
account domains is using such a certificate will leave those users unable to
authenticate, it is critical to validate the deployment before enabling the policy. A
KDC uses only one certificate, which is selected when the KDC service starts. This
means that a certificate obtained after the KDC service has started will not be used
until the service is restarted.
Requirements to Ensure Strict KDC Validation
- All domain controllers and CAs that are set up to issue domain controller
  certificates support autoenrollment of KDC certificates based on Kerberos
  Authentication certificate templates.
  Note: Manual enrollment is possible but requires regular administrator
  action to ensure that KDC certificates are kept up to date.
- All domain controllers have had only the KDC certificate based on Kerberos
  Authentication certificate templates as their KDC certificate since the KDC
  service was last started.
Client support for the Require strict KDC validation setting
When the Require strict KDC validation Group Policy setting is enabled, the
Kerberos client on domain-joined systems will fail smart card (and other certificate)
initial authentication (AS-REP) when strict KDC validation fails.
Domain controller and CA support for autoenrollment of the Kerberos Authentication certificate

Certificate Authorities  | DC: Windows Server 2003         | DC: Windows Server 2008         | DC: Windows Server 2008 R2
Windows Server 2008 RTM  | No, manual enrollment required  | No, manual enrollment required  | Yes
Windows Server 2008 SP2  | Yes                             | Yes                             | Yes
Windows Server 2008      | Yes                             | Yes                             | Yes
- Ensure that at least one CA is set up to issue the Kerberos Authentication template
  and that the Domain Controller and Domain Controller Authentication templates are
  not issued by any CA.
- Ensure that all domain controllers are configured with a valid certificate based on
  the Kerberos Authentication template or otherwise containing the KDC EKU.
- Ensure that no domain controller has a Domain Controller or Domain Controller
  Authentication certificate.
- To assure success, restart the KDC service after obtaining the certificate with the
  KDC EKU, because the KDC selects its certificate only when the service starts.
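A scripted check for the first item in that list, added here as an example and not part of the Microsoft article: it parses the template list that certutil -CATemplates prints for a CA and reports whether Kerberos Authentication is issued while the older Domain Controller templates are not. The exact output line format, the embedded sample output and the CA config string are assumptions.

```powershell
# Added example (not from the Microsoft article). Checks which templates a CA issues by
# parsing the output of:  certutil -config "<CAHost>\<CAName>" -CATemplates
# Assumed output format: one line per template, "<TemplateName>: <Display Name> -- <status>".
# Template internal names: KerberosAuthentication, DomainController, DomainControllerAuthentication.
function Test-CaTemplates([string[]]$CaTemplatesOutput) {
    $names = foreach ($line in $CaTemplatesOutput) {
        if ($line -match '^\s*([A-Za-z0-9]+):\s.*\s--\s') { $Matches[1] }
    }
    $legacy = @($names | Where-Object { 'DomainController', 'DomainControllerAuthentication' -contains $_ })
    New-Object PSObject -Property @{
        IssuesKerberosAuthentication = [bool]($names -contains 'KerberosAuthentication')
        LegacyTemplatesStillIssued   = $legacy
        ReadyForStrictValidation     = ($names -contains 'KerberosAuthentication') -and ($legacy.Count -eq 0)
    }
}

# Constructed sample output (not captured from a real CA). This CA is NOT ready: it
# issues Kerberos Authentication but still issues the v1 Domain Controller template.
$sample = @'
KerberosAuthentication: Kerberos Authentication -- Auto-Enroll: Access is denied.
DomainController: Domain Controller -- Auto-Enroll: Access is denied.
WebServer: Web Server -- Access is denied.
CertUtil: -CATemplates command completed successfully.
'@ -split "`r?`n"
Test-CaTemplates $sample

# Against a live CA (hypothetical config string; substitute your own):
# Test-CaTemplates (certutil -config 'CA01.contoso.example\Contoso Issuing CA' -CATemplates)
```

Run it once per CA in the forest; the list requirement is met only when every CA reports ReadyForStrictValidation (or issues no KDC-related template at all) and at least one reports IssuesKerberosAuthentication.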
Validation
Check if the domain policy requires strict KDC validation
1. Open the Group Policy Management Console.
Figure 4: Windows Server 2008 R2 with Require strict KDC validation enabled
Figure 6: Windows Server 2008 R2 domain controller with one KDC Kerberos
Authentication certificate
If the certificate is based on a Kerberos Authentication template, then it will be
stated in the Template field.
If the domain controller has multiple KDC certificates, then information for each
certificate will be returned.
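The domain controller checks described above, scripted as an added example rather than the article's own procedure: it inspects every certificate in the local machine store for the private key, the KDC Authentication EKU, the Kerberos Authentication template, the domain DNS name in the SAN and an issuing CA present in NTAuth, and flags leftover Domain Controller certificates. The registry location of the NTAuth cache, the resolvable template friendly names and the OID constants are assumptions, not values from the article.

```powershell
# Added example, not from the Microsoft article: run on a domain controller to check its
# certificates against the strict KDC validation preconditions above. Assumes Windows
# PowerShell on Server 2008 R2+, that template friendly names resolve in the Template
# Information extension, and that the NTAuth cache lives under the registry path below.
$KdcEkuOid     = '1.3.6.1.5.2.3.5'        # KDC Authentication EKU
$EkuOid        = '2.5.29.37'              # Enhanced Key Usage extension
$SanOid        = '2.5.29.17'              # Subject Alternative Name extension
$TemplateV1Oid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
$TemplateV2Oid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 templates)
$NtAuthCache   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$DomainDns     = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
function Get-ExtensionText($Cert, $Oid) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($false) } else { '' }
}
# Returns the precondition failures for one certificate; an empty list means it is usable.
function Test-KdcCertificate($Cert) {
    $issues = @()
    if (-not $Cert.HasPrivateKey) { $issues += 'no private key on this DC' }
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $KdcEkuOid }))) {
        $issues += 'missing KDC Authentication EKU'
    }
    if ((Get-ExtensionText $Cert $TemplateV2Oid) -notmatch 'Kerberos Authentication') {
        $issues += 'not issued from the Kerberos Authentication template'
    }
    $san = Get-ExtensionText $Cert $SanOid
    if ($san -notmatch ('DNS Name=' + [regex]::Escape($DomainDns) + '(,|$)')) {
        $issues += "SAN lacks the domain DNS name $DomainDns (SAN: $san)"
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($Cert)
    if ($chain.ChainElements.Count -lt 2) { $issues += 'cannot build a chain to the issuing CA' }
    elseif (-not (Test-Path (Join-Path $NtAuthCache $chain.ChainElements[1].Certificate.Thumbprint))) {
        $issues += 'issuing CA is not in the cached NTAuth store'
    }
    return $issues
}
foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    $tpl = (Get-ExtensionText $c $TemplateV1Oid) + ' ' + (Get-ExtensionText $c $TemplateV2Oid)
    # Older DC certificates must be gone: the KDC may pick one of them at service start.
    if ($tpl -match 'DomainController|Domain Controller Authentication') {
        Write-Output "LEGACY $($c.Thumbprint): older DC certificate present; remove or revoke it"; continue
    }
    $problems = @(Test-KdcCertificate $c)
    if ($problems.Count -eq 0) { Write-Output "OK     $($c.Thumbprint): $($c.Subject)" }
    else { Write-Output "CHECK  $($c.Thumbprint): $($problems -join '; ')" }
}
```

Every certificate in the store is reported, so non-KDC certificates (a web server certificate, for instance) will show as CHECK and can be ignored; after fixing anything, restart the KDC service so it reselects its certificate.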
Figure 7: Windows Server 2008 R2 domain controller with multiple KDC certificates
If autoenrollment is configured:
Solution: Trigger autoenrollment by using Certutil.exe
Figure 15: Windows Server 2008 R2 domain controller with KDC Kerberos
Authentication certificate
Restart the KDC service:
3. Type net stop KDC.
4. After the KDC service is stopped, type net start KDC.
Figure 18: Windows Server 2008 R2 domain controller with KDC Kerberos
Authentication certificate
Restart the KDC service:
3. Click Delete.