Enabling Strict KDC Validation in Windows Kerberos


Microsoft Corporation

Published: July 2010

Version 1.1

Abstract

This article describes how a Kerberos deployment can be configured to meet certain conditions that help assure that smart card users are authenticating against a valid Kerberos domain controller. This article applies to Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

Background

What Is Strict KDC Validation?

Requirements to Ensure Strict KDC Validation

Client support for the Require strict KDC validation setting

Domain controller and CA support for autoenrollment of the Kerberos Authentication certificate

DC using Kerberos Authentication certificate

Validation

Check if the domain policy has Require strict KDC validation enabled

Check if CA has Kerberos Authentication template enabled

Check if the domain controller has the Kerberos Authentication KDC Certificate

Causes for Smart Card Authentication Failures

Problem: Cross Forest smartcard logon is failing but domain smart card logon succeeds

Solution: Explicitly add the cross-forest enterprise CA roots to the NTAuth store of the forest where the computer is domain-joined

Problem: KDC does not have KDC certificate based on Kerberos Authentication certificate templates

Solution: Explicitly enroll for a KDC certificate by using the Certificate MMC

Solution: Triggering autoenrollment using CertUtil.exe

Solution: Configuring autoenrollment

Problem: CA cannot issue KDC certificates based on Kerberos Authentication certificate templates

Solution: Adding the Kerberos Authentication Template using Certificate Authority Snap-in

Solution: Adding the Kerberos Authentication Template using CertUtil

Problem: KDC has older KDC certificates

Solution: Revoking Domain Controller and Domain Controller Authentication certificates

Solution: Removing Domain Controller and Domain Controller Authentication certificate templates on a CA

Background

By default, Windows client computers that use Kerberos authentication with smart card logon do not require or validate the key distribution center (KDC) Extended Key Usage (EKU) in the domain controller's certificate. Although support was added in Windows Vista to enforce strict KDC validation, this functionality cannot be enabled by default because it would cause authentication failures until configuration preconditions are met. This article describes how a Kerberos deployment can be configured to meet these preconditions, which help assure that the smart card user is authenticating against a valid Kerberos domain controller.

What Is Strict KDC Validation?

Strict KDC validation is a more restrictive set of criteria that must be met by a KDC for successful authentication. This functionality is controlled by a Group Policy setting called Require strict KDC validation, which was added in Windows Vista. A system with this policy enabled will validate certificate-based AS-REP messages from domain controllers by ensuring that all of the following are met:

The domain controller has the private key for the certificate it presents.

For domain-joined systems, the certification authority (CA) that issued the KDC's certificate is in the NTAuth store.

For non-domain-joined systems, the root CA of the KDC's certificate is in the Third-Party Root CA or Smart Card Trusted Roots store.

The KDC's certificate has the KDC EKU.

The DNSName field of the subjectAltName (SAN) extension in the KDC's certificate matches the DNS name of the domain.

Because enabling this policy before all domain controllers in the smart card users' account domains are using such a certificate will leave those smart card users unable to authenticate, it is critical to validate the environment before deploying the policy. KDCs use only one certificate, which is selected when the KDC service starts. This means that if another certificate is obtained after the KDC service starts, that new certificate will not be used until the service is restarted.

Requirements to Ensure Strict KDC Validation

For an organization to have an environment that does not experience smart card user authentication failures for existing users and ensures domain-joined systems adhere to the additional strict KDC validation policy when using smart card authentication, the following are required:

All domain policies have the Computer Configuration\Administrative Templates\System\Kerberos\Require strict KDC validation Group Policy setting enabled.

All Windows smart card clients support the Require strict KDC validation policy setting.

All domain controllers and CAs that are set up to issue domain controller certificates support autoenrollment of KDC certificates based on Kerberos Authentication certificate templates.

Note: Manual enrollment is possible but requires regular administrator action to ensure that KDC certificates are kept up to date.

On every domain controller, the only KDC certificate present since the KDC service was last started is one based on the Kerberos Authentication certificate template.

Client support for strict KDC validation

The following table lists the versions of Windows that support Smart Card authentication and can be configured to support strict KDC validation.

Client Version            Strict KDC Validation available?
Windows Vista             Yes
Windows Server 2008       Yes
Windows 7                 Yes
Windows Server 2008 R2    Yes

When the Require strict KDC validation Group Policy setting is enabled, the Kerberos client on domain-joined systems will fail smart card (and other certificate) initial authentication (AS-REP) when strict KDC validation fails.

Domain controller and CA support for autoenrollment of the Kerberos Authentication certificate

The following table lists the versions of Windows that support auto-renewal for the KDC certificate based on Kerberos Authentication certificate templates.

                           Certificate Authorities
DC                         Windows Server 2008 RTM           Windows Server 2008 SP2   Windows Server 2008
Windows Server 2003        No, manual enrollment required    Yes                       Yes
Windows Server 2008        No, manual enrollment required    Yes                       Yes
Windows Server 2008 R2     Yes                               Yes                       Yes

Ensure that at least one CA is set up to issue the Kerberos Authentication template and that Domain Controller and Domain Controller Authentication templates are not issued by any CAs.

Domain controllers using Kerberos Authentication certificate

KDCs use only one certificate, which is selected when the KDC service starts. This means if another certificate is obtained after the KDC service starts that new certificate will not be used. Additionally, the following requirements must be met:

Ensure all domain controllers are configured with a valid certificate based on the Kerberos Authentication template, or one that otherwise contains the KDC EKU.

Ensure all domain controllers have no Domain Controller or Domain Controller Authentication certificates.

To assure success, the KDC service must be restarted after obtaining the certificate with the KDC EKU.

Validation

Check if the domain policy requires strict KDC validation

1. Open the Group Policy Management Console.

Figure 1: Windows Server 2008 R2 Administrative Tools

2. Right-click Default Domain Policy, and click Edit.

Figure 2: Windows Server 2008 R2 Group Policy Management Console

3. Click Show for Administrative Templates.

Figure 3: Windows Server 2008 R2 Default Domain Policy

4. Click Show for System/Kerberos.

5. Require strict KDC validation should be Enabled.

Figure 4: Windows Server 2008 R2 with Require strict KDC validation enabled

Check if the CA has the Kerberos Authentication template enabled:

1. Open the Certification Authority snap-in.

2. Click Certificate Templates.

3. Kerberos Authentication should be listed in the right pane.

Figure 5: Windows Server 2008 R2 CA with Kerberos Authentication template enabled

Check if the domain controller has the Kerberos Authentication KDC certificate

To discover the KDC certificates for a given domain controller:

1. Open an administrator Command Prompt.

2. Type certutil.exe -DCInfo.

If the domain controller has one KDC certificate, then one KDC Certificate in MY store will be returned.

Figure 6: Windows Server 2008 R2 domain controller with one KDC Kerberos Authentication certificate

If the certificate is based on a Kerberos Authentication template, then it will be stated in the Template field.

If the domain controller has multiple KDC certificates, then information for each certificate will be returned.

Figure 7: Windows Server 2008 R2 domain controller with multiple KDC certificates
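The certutil.exe -DCInfo output above shows which KDC certificates a domain controller holds, but it does not test them against the strict KDC validation criteria listed in What Is Strict KDC Validation?. The following PowerShell script is an added diagnostic, not part of the Microsoft article, that runs in an elevated session on a domain controller and checks every certificate in the computer's Personal (MY) store for the private key, the KDC EKU, a SAN DNS name equal to the domain's DNS name, and an issuer in the cached NTAuth store. It assumes the KDC Authentication EKU OID is 1.3.6.1.5.2.3.5, that the locally cached NTAuth store is under HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates with subkeys named by thumbprint, and that X509Extension.Format() emits English labels such as "DNS Name=" and "Template=".

```powershell
# Added diagnostic, not part of the Microsoft article: test each certificate in the DC's MY store
# against the strict KDC validation criteria (private key, KDC EKU, SAN DNS name = domain, issuer in NTAuth).
# Assumptions: KDC Authentication EKU OID 1.3.6.1.5.2.3.5; the cached NTAuth store lives at
# HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates (subkeys named by thumbprint);
# X509Extension.Format() emits English labels ("DNS Name=", "Template=").

$KdcEku     = '1.3.6.1.5.2.3.5'
$DomainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
$NtAuthPath = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'

$NtAuthThumbprints = @()
if (Test-Path $NtAuthPath) {
    $NtAuthThumbprints = @(Get-ChildItem $NtAuthPath | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

function Get-TemplateName {
    # v1 templates carry the name in OID 1.3.6.1.4.1.311.20.2; v2 templates use 1.3.6.1.4.1.311.21.7
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if (@('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') -contains $ext.Oid.Value) { return $ext.Format($false) }
    }
    return ''
}

function Test-KdcCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Criterion: KDC EKU present in the Enhanced Key Usage extension
    $ekuExt = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasKdcEku = $false
    if ($ekuExt) { $hasKdcEku = ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $KdcEku }) -ne $null }

    # Criterion: subjectAltName (2.5.29.17) contains a dNSName equal to the domain's DNS name
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = ''
    if ($sanExt) { $sanText = $sanExt.Format($false) }
    $sanMatchesDomain = [bool]($sanText -match ('(?i)DNS Name=' + [regex]::Escape($DomainName) + '(,|$)'))

    # Criterion: the issuing CA (next element of the built chain) is in the cached NTAuth store
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($Cert)
    $issuerThumb = ''
    if ($chain.ChainElements.Count -gt 1) { $issuerThumb = $chain.ChainElements[1].Certificate.Thumbprint.ToUpperInvariant() }

    New-Object PSObject -Property @{
        Thumbprint       = $Cert.Thumbprint
        Template         = Get-TemplateName $Cert
        HasPrivateKey    = $Cert.HasPrivateKey      # criterion: the DC holds the private key
        HasKdcEku        = $hasKdcEku
        SanMatchesDomain = $sanMatchesDomain
        IssuerInNtAuth   = ($NtAuthThumbprints -contains $issuerThumb)
        NotAfter         = $Cert.NotAfter
    }
}

# The MY store is the one certutil -DCInfo reads
$results = @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-KdcCertificate $_ })
$results | Format-Table Template, HasPrivateKey, HasKdcEku, SanMatchesDomain, IssuerInNtAuth, NotAfter -AutoSize

# A DC needs at least one certificate passing every check, and a KDC service restart after it was obtained
$usable = @($results | Where-Object { $_.HasPrivateKey -and $_.HasKdcEku -and $_.SanMatchesDomain -and $_.IssuerInNtAuth -and $_.NotAfter -gt (Get-Date) })
if ($usable.Count -eq 0) {
    Write-Warning 'No certificate passes all strict KDC validation checks: enroll for Kerberos Authentication, then restart the KDC service.'
}

# Leftover Domain Controller / Domain Controller Authentication certificates may be selected by the KDC instead
$legacy = @($results | Where-Object { $_.Template -match 'Domain ?Controller' })
if ($legacy.Count -gt 0) {
    Write-Warning ('Older DC certificates still present (revoke and remove them): ' + (($legacy | ForEach-Object { $_.Thumbprint }) -join ', '))
}
```

Run it before enabling Require strict KDC validation and again after restarting the KDC service; a domain controller is ready only when at least one row passes every column and no Domain Controller or Domain Controller Authentication certificate remains. The NTAuth check compares against the local cache, so a CA added to NTAuth in Active Directory only minutes ago may not appear until Group Policy has refreshed the cache.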

Causes for Smart Card Authentication Failures

Problem: Cross-forest smart card logon is failing but domain smart card logon succeeds

Solution: Explicitly add the cross-forest enterprise CA roots to the NTAuth store of the forest where the computer is domain-joined

Details for adding issuing CAs to the NTAuth store can be found in the Cross-forest Certificate Enrollment with Windows Server 2008 R2 whitepaper.

Problem: KDC does not have KDC certificate based on Kerberos Authentication certificate templates

For the KDC to successfully authenticate a smart card user requiring strict KDC validation, the KDC must be using a certificate with the KDC EKU. This requires both a Kerberos Authentication certificate and a restart of the KDC service.

There are three possible solutions:

To manually get a certificate:

Solution: Explicitly enroll for a KDC certificate by using the Certificates snap-in

If autoenrollment is configured:

Solution: Trigger autoenrollment by using Certutil.exe

If autoenrollment is not configured:

Solution: Configure autoenrollment, and then Solution: Trigger autoenrollment by using Certutil.exe

Solution: Explicitly enroll for a KDC certificate by using the Certificates snap-in

1. Open the Certificates snap-in. On the File menu, click Add/Remove snap-in.

2. In the Add or Remove Snap-ins dialog box, select Certificates, click Add, and then click OK.

Figure 8: Windows Server 2008 R2 domain controller adding snap-in

3. In the Certificates snap-in dialog box, click Computer account, and click Next.

Figure 9: Windows Server 2008 R2 domain controller selecting type

4. In the Select Computer dialog box, click Local computer, and click Finish.

Figure 10: Windows Server 2008 R2 domain controller selecting computer

5. Open Personal, and right-click Certificates.

6. Select All Tasks.

7. Select Request New Certificate.

Figure 11: Windows Server 2008 R2 domain controller manually enrolling

8. Click Next.

Figure 12: Windows Server 2008 R2 domain controller manually enrolling

9. Select Active Directory Enrollment Policy, and click Next.

Figure 13: Windows Server 2008 R2 domain controller selecting Active Directory Enrollment Policy

10. Select the Kerberos Authentication check box, and click Enroll.

Figure 14: Windows Server 2008 R2 domain controller selecting template

If Kerberos Authentication is not available, then check if the Kerberos Authentication template is available on CAs that issue KDC certificates. If the template is enabled, then ensure that domain controllers have Enroll permission and Autoenroll permission.

Confirm that the domain controller has the Kerberos Authentication KDC certificate:

1. Open an administrator Command Prompt.

2. Type certutil.exe -DCInfo.

If the domain controller has a KDC certificate based on the Kerberos Authentication template, then information for that certificate will be returned with Kerberos Authentication in the Template field.

Figure 15: Windows Server 2008 R2 domain controller with KDC Kerberos Authentication certificate

Restart the KDC service:

3. Type net stop KDC.

4. After the KDC service is stopped, type net start KDC.

Figure 16: Windows Server 2008 R2 domain controller restarted

Solution: Trigger autoenrollment by using Certutil.exe

Pulse the domain controller autoenrollment:

1. Open an administrator Command Prompt.

2. Type certutil.exe -pulse.

Figure 17: Windows Server 2008 R2 domain controller triggering autoenrollment

Confirm the domain controller has the Kerberos Authentication KDC certificate:

3. Type certutil.exe -DCInfo.

If the domain controller has a KDC certificate based on the Kerberos Authentication template, then information for that certificate will be returned with Kerberos Authentication in the Template field.

Figure 18: Windows Server 2008 R2 domain controller with KDC Kerberos Authentication certificate

Restart the KDC service:

4. Type net stop KDC.

5. After the KDC service is stopped, type net start KDC.

Figure 19: Windows Server 2008 R2 domain controller restarted

Solution: Configure autoenrollment

Setting up ACLs and Group Policy for autoenrollment is documented here: http://technet.microsoft.com/en-us/library/cc778954(WS.10).aspx.

Setting up ACLs programmatically can be done with the template API. An example is documented here: http://blogs.technet.com/b/pki/archive/2009/09/26/introducing-certificate-template-api.aspx.

Problem: CA cannot issue KDC certificates based on Kerberos Authentication certificate templates

To issue certificates based on the Kerberos Authentication template, the template must be enabled.

Either the Certificate Authority snap-in or Certutil can be used.

Solution: Add the Kerberos Authentication Template by using the Certificate Authority snap-in:

1. Open the Certification Authority snap-in.

2. Right-click Certificate Templates.

3. Point to New.

4. Click Certificate Template to Issue.

Figure 20: Windows Server 2008 R2 CA adding new template

5. In the Enable Certificate Templates dialog box, select Kerberos Authentication, and click OK.

Figure 21: Windows Server 2008 R2 CA selecting template

6. Now Kerberos Authentication is listed in the right pane.

Figure 22: Windows Server 2008 R2 CA with Kerberos Authentication template

Solution: Add the Kerberos Authentication Template by using Certutil:

Add the Kerberos Authentication template:

1. Open an administrator Command Prompt.

2. Type Certutil.exe -config <CAMachineName>.<DNSDomainName>\<CACommonName> -setcatemplates +KerberosAuthentication, where <CAMachineName> is the machine name of the CA, <DNSDomainName> is the DNS domain name, and <CACommonName> is the common name of the CA.

Figure 23: Windows Server 2008 R2 CA adding template with certutil

Problem: KDC has older KDC certificates

KDCs use only one certificate, which is selected when the service starts; that means if a new certificate is obtained after the KDC service starts, that newer certificate will not be used. To ensure that the Kerberos Authentication certificate on a domain controller is always used, there should be no Domain Controller and Domain Controller Authentication certificates in use, which means revoking any existing certificates and ensuring CAs do not issue certificates based on the older templates.

Before removing the older certificates, ensure the DC has a certificate based on the Kerberos Authentication templates or smart card authentication will not be supported by this domain controller. If the domain controller does not have a certificate based on the Kerberos Authentication certificate template, then see Problem: KDC does not have KDC certificate based on Kerberos Authentication certificate templates.

Solution: Revoke Domain Controller and Domain Controller Authentication certificates

First, query the CA database for all certificates based on the Domain Controller and Domain Controller Authentication templates that are still time valid, and collect their serial numbers. Use a query similar to those at http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx, restricting on template=DomainController and template=DomainControllerAuthentication.

Then, use the list with the certutil -revoke command.
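The two steps above (query the CA database for time-valid certificates from the older templates, then pass their serial numbers to certutil -revoke) are scripted below as an added example; it is not from the Microsoft article. $CaConfig is a placeholder for <CAMachineName>\<CACommonName>. The script assumes the certutil -view column names CertificateTemplate, Disposition (20 = issued), SerialNumber and NotAfter, the csv row output format, and that [datetime]::Parse can read the CA's date format in the session's locale. If the query for the v2 template (DomainControllerAuthentication) returns no rows, the CA database may store that template by OID rather than by name; certutil -CATemplates on the CA lists both forms.

```powershell
# Added example, not part of the Microsoft article: find issued, still time-valid certificates from the
# Domain Controller and Domain Controller Authentication templates in the CA database and revoke them
# as Superseded. Assumptions: $CaConfig is a placeholder for <CAMachineName>\<CACommonName>; certutil
# -view columns CertificateTemplate, Disposition (20 = issued), SerialNumber, NotAfter and csv output;
# [datetime]::Parse reads the CA's date format in this session's locale.

$CaConfig         = 'CA01\Contoso-Issuing-CA'          # placeholder, replace with your CA
$Templates        = @('DomainController', 'DomainControllerAuthentication')
$ReasonSuperseded = 4                                  # CRL reason code: Superseded

function Get-IssuedCertificates {
    param([string]$Template)
    # Disposition=20 limits the query to issued certificates (not pending, denied or already revoked)
    $rows = & certutil.exe -config $CaConfig -view -restrict "CertificateTemplate=$Template,Disposition=20" -out 'SerialNumber,NotAfter' csv
    $rows | Select-Object -Skip 1 | ForEach-Object {          # first csv line is the column header
        $fields = @(($_ -split '","') | ForEach-Object { $_.Trim('"') })
        if ($fields.Count -ge 2 -and $fields[0] -ne '') {
            New-Object PSObject -Property @{
                Template     = $Template
                SerialNumber = $fields[0]
                NotAfter     = [datetime]::Parse($fields[1])
            }
        }
    } | Where-Object { $_.NotAfter -gt (Get-Date) }            # expired certificates need no revocation
}

function Revoke-Certificates {
    param($Items, [switch]$WhatIf)
    foreach ($item in $Items) {
        if ($WhatIf) {
            Write-Host ('Would revoke {0} ({1}, expires {2})' -f $item.SerialNumber, $item.Template, $item.NotAfter)
        } else {
            & certutil.exe -config $CaConfig -revoke $item.SerialNumber $ReasonSuperseded
        }
    }
}

# Proceed only once every DC already holds a Kerberos Authentication certificate and its KDC service has
# been restarted; revoking first leaves that DC unable to support smart card logon.
$toRevoke = @($Templates | ForEach-Object { Get-IssuedCertificates $_ })
Revoke-Certificates $toRevoke -WhatIf     # review the list first
# Revoke-Certificates $toRevoke           # then revoke, and publish a fresh CRL: certutil -config $CaConfig -CRL
```

Run with -WhatIf first and compare the list against certutil.exe -DCInfo on each domain controller; revoke only after every DC shows a Kerberos Authentication certificate in its Template field, then publish a new CRL so clients and KDCs see the revocations.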

Solution: Remove Domain Controller and Domain Controller Authentication certificate templates on a CA

1. Open the Certification Authority snap-in.

2. Right-click Certificate Templates.

3. Click Delete.

Figure 24: Windows Server 2008 R2 CA deleting template

4. In the Disable certificate templates dialog box, click Yes.

Figure 25: Windows Server 2008 R2 CA confirming disabling template
