Editing the NTAuthCertificates object in Active Directory

Author Uwe GradeneggerPosted on Categories Active Directory, Security, Smartcard, Certification AuthorityTags , ,

In the default configuration, all certification authority certificates of Active Directory integrated certification authorities (Enterprise Certification Authority) are located in an object of type CertificationAuthority named NTAuthCertificates within the Configuration Partition of the Active Directory forest.

For an overall structure named intra.adcslabor.de, the object is located in the following LDAP path:

CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=intra,DC=adcslabor,DC=de

The certification authority certificates are automatically entered into the object during the installation of certification authorities integrated into Active Directory (Enterprise Certification Authority).

The NTAuthCertificates object is used in the Windows ecosystem to authorize certificate authorities for certificate-based logins. This includes, among others:

FunctionDescription
Enroll on Behalf Of (EOBO)The CA certificate of the certification authority that issues the certificates for the enrollment agents must be located in NTAuthCertificates.
Key Recovery / Private Key ArchivingThe CA certificate of the certification authority that archives the keys must be located in NTAuthCertificates.
Smartcard LogonThe CA certificate of the certification authority that issues the certificates of the domain controllers and logon users must be located in NTAuthCertificates.
Windows Hello for BusinessIdentical to Smartcard Logon. If Windows Hello for Business is used without certificates, only the certification authority for domain controllers must be entered.
Network Policy Server (Network Policy Server, NPS) when certificate-based logins are processed (e.g. 802.1x over wireless or wired network, DirectAccess, Always ON VPN).The CA certificate of the certification authority that issues the certificates of the logging in users or computers must be located in NTAuthCertificates.
EFS File Recovery AgentsThe CA certificate of the certification authority that issues the certificates of the file recovery agents must be located in NTAuthCertificates.
IIS Client Certificate Mapping (against Active Directory)The CA certificate of the certification authority that issues the certificates of the logging in users must be located in NTAuthCertificates.
Network Device Enrollment Service (Network Device Enrollment Service, NDES), Renewal mode onlyOnly affects renewal mode, i.e. signing a certificate request with an existing certificate.
The CA certificate of the certification authority that issued the certificates of the certificates to be renewed must be located in NTAuthCertificates.

See also article "Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754)„.

Certificate authorities that do not serve such logon forms can be safely removed from the object. Since the CA certificates are stored as an ASN.1 encoded byte array, and one cannot see the contents of the certificates, the ADSI editor is less suitable for this.

Instead, the Enterprise PKI tool (pkiview.msc) should be downloaded from the Remote Server Administration Tools (RSAT) for the Certification Authority can be used. In this program there is an option "Manage AD Containers".

Enterprise Administrator or appropriately delegated permissions are required for this step.

In the tab NTAuthCertificates all CA certificates that are not needed can be removed.

Please note that Certification Authorities, in the absence of one of their certification authority certificates, will not issue the Event no. 93 in the event log, which of course can be deliberately ignored in this case.

Related links:

External sources

22 thoughts on “Bearbeiten des NTAuthCertificates Objektes im Active Directory”

  1. Pingback: Using Authentication Mechanism Assurance (AMA) to secure administrative account logins - Uwe Gradenegger
  2. Pingback: Requesting a certificate fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)" - Uwe Grad
  3. Pingback: Domain controller does not check extended key usage on smartcard login - Uwe Gradenegger
  4. Pingback: Attack vector on Active Directory directory service via smartcard logon mechanism - Uwe Gradenegger
  5. Pingback: What requirements must be met on the infrastructure side for smartcard logins to be possible? - Uwe Gradenegger
  6. Pingback: Is there a dependency of the Network Device Enrollment Service (NDES) with the NTAuthCertificates object? - Uwe Gradenegger
  7. Pingback: Details about the event with ID 21 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center - Uwe Gradenegger
  8. Pingback: The installation of a certification authority certificate fails with error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)" - Uwe Gradenegger
  9. Pingback: Signing certificates by bypassing the certification authority - Uwe Gradenegger
  10. Pingback: Details about the event with ID 93 of the source Microsoft-Windows-CertificationAuthority - Uwe Gradenegger
  11. Pingback: Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UN
  12. Pingback: Basics: Enroll on Behalf of (EOBO) - Uwe Gradenegger
  13. Pingback: Classification of ADCS components in the Administrative Tiering Model - Uwe Gradenegger
  14. Pingback: Changing the subject of a certificate request (CSR) - Uwe Gradenegger
  15. Pingback: From Zero to Enterprise Administrator through the Network Device Enrollment Service (NDES) - Uwe Gradenegger
  16. Pingback: Limits of Microsoft Active Directory Certificate Services - Uwe Gradenegger
  17. Pingback: Changes to certificate issuance and certificate-based logon to Active Directory with the May 10, 2022 patch for Windows Server (KB5014754) - Uwe Gradenegger
  18. Pingback: Basics: Authentication methods for the Internet Information Services (IIS) - Uwe Gradenegger
  19. Pingback: Basics: Restricting Extended Key Usage (EKU) in Certification Authority Certificates - Uwe Gradenegger
  20. Pingback: Logon error with Windows Hello for Business: "Contact the system administrator and tell them that the KDC certificate could not be verified." - Uwe Gradenegger
  21. Pingback: Basics Network Device Enrollment Service (NDES) - Uwe Gradenegger
  22. Pingback: Prevent smartcard login in the network - Uwe Gradenegger

Comments are closed.

en_USEnglish
de_DEDeutsch en_USEnglish