In order for a smart card login to be successful, some requirements must be met in the Active Directory environment:
Category: Certificate usage
Removing ADCS-specific extensions from certificates
When working with Active Directory Certificate Services, it is noticeable that the certificates of the certification authorities, and the certificates they issue, carry certain extensions that are not defined in the relevant RFCs and are specific to AD CS.
Description of the EDITF_ADDOLDKEYUSAGE flag
When installing a subordinate certificate authority, you may encounter the following behavior:
- The request asks for a Key Usage extension that, for example, is marked as critical or does not include DigitalSignature.
- However, the certificate issued by the parent certificate authority includes DigitalSignature, and the Key Usage extension is marked as non-critical.
- The parent certification authority is a standalone certification authority, i.e. without Active Directory integration.
How secure is the "Allow private key to be exported" setting in the certificate templates?
PKI administrators often assume that the certificate template setting which disallows exporting the private key is binding.
Importing a certificate into a smart card
Sometimes it is necessary to import a certificate that uses a software key into a smart card.
Overview of the different generations of domain controller certificates
Over the generations of Windows operating systems, various certificate templates for domain controllers have been established. A current Active Directory directory service contains three different templates for this purpose:
- Domain controller
- Domain Controller Authentication
- Kerberos Authentication
Below is a description of each template and a recommendation for configuring domain controller certificate templates.
certutil -dcinfo fails with error message "KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"
Assume the following scenario:
- Domain controllers have certificates for LDAP over SSL.
- The certificates do not include the Extended Key Usage "Smart Card Logon" or "Kerberos Authentication".
- If you run certutil -dcinfo, the command reports the following error message:
0 KDC certificates for DC01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
Requesting a domain controller certificate manually
There are cases where you cannot or do not want to obtain domain controller certificates from a certification authority in your own Active Directory forest.
In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).
Requesting a certificate for a domain controller fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)"
Here's the scenario:
- Requesting a certificate for a domain controller fails.
- On the certification authority, the certificate request is logged in the failed requests. The error message reads:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)