Domain Controller Certificate Templates and Smartcard Logon

Author Uwe GradeneggerPosted on Categories Active Directory, Security, Smartcard, Certificate usageTags , , , ,

In order for domain controllers to process smart card logins, they need certificates that provide this function.

One of the following conditions must be met by the Domain controller certificate must be fulfilled for it to be usable for smartcard registration:

  • The string "DomainController" in the certificate template name extension (This extension is only available in certificate templates version 1).
  • The smartcard logon (1.3.6.1.4.1.311.20.2.2) OID in the Extended Key Usages extension.
  • The KDC Authentication (1.3.6.1.5.2.3.5) OID in the Extended Key Usages extension.

Microsoft uses the term "Enhanced Key Usage", the correct name according to RFC 5280 is "Extended Key Usage"..

The extension "certificate template name" is included only in version 1 certificate templates from Windows 2000 times. The only certificate template that has this extension filled with the string "DomainController" is the version 1 template with the same name. These certificate templates do not yet support AutoEnrollment, so until today's Windows Server 2019, there is code in the KDC that ensures that these certificates are requested by domain controllers if there is a certificate authority on the network that offers them.

The Extended Key Usage "Smartcard Logon" was introduced with the "Domain Controller Authentication" certificate template with Windows Server 2003. It was used both on client side (user certificate) and on server side (domain controller certificate).

The Extended Key Usage "KDC Authentication" was introduced with the "Kerberos Authentication" certificate template with Windows Server 2008. It allowed a separation between the server part (KDC Authentication in the domain controller certificate) and the client part (Smartcard Logon in the user certificate).

Below are some examples of how the KDC process behaves in conjunction with the different certificate types.

Default Domain Controller Certificate Template

This certificate template is characterized by the fact that the resulting certificate contains the following Extended Key Usages:

  • Server Authentication
  • Client Authentication

In addition, since it is a schema version 1 certificate template, it also includes a "Certificate Template Name" extension which includes the value "DomainController".

Smartcard enrollment works with this certificate, but it will use the Event no. 32 is logged in the event viewer of the domain controller, which indicates that the certificate does not include the "KDC Authentication" Extended Key Usage and thus compatibility problems may occur.

Default Domain Controller Authentication Certificate Template

This certificate template is characterized by the fact that the resulting certificate contains the following Extended Key Usages:

  • Server Authentication
  • Client Authentication
  • Smartcard Logon

Since this is a schema version 2 certificate template, there is no "certificate template name" extension included.

Smartcard enrollment works with this certificate, but it will use the Event no. 32 is logged in the event viewer of the domain controller, which indicates that the certificate does not include the "KDC Authentication" Extended Key Usage and thus compatibility problems may occur.

Standard certificate template "Kerberos Authentication

This certificate template is characterized by the fact that the resulting certificate contains the following Extended Key Usages:

  • Server Authentication
  • Client Authentication
  • Smartcard Logon
  • KDC Authentication

Since this is a schema version 2 certificate template, there is no "certificate template name" extension included.

Smartcard enrollment works with this certificate, and no warnings are logged in the domain controller event viewer.

Customized certificate template based on "Kerberos Authentication", but without the Smartcard Logon Extended Key Usage

This certificate template is characterized by the fact that the resulting certificate contains the following Extended Key Usages:

  • Server Authentication
  • Client Authentication
  • KDC Authentication

Since this is a schema version 2 certificate template, there is no "certificate template name" extension included.

Smartcard logon works with this certificate, and no warnings are logged in the event display of the domain controller. This certificate template thus meets all the minimum requirements for error-free processing of smartcard logons.

Customized Certificate Template Based on Domain Controller

This certificate template is characterized by the fact that the resulting certificate contains the following Extended Key Usages:

  • Server Authentication
  • Client Authentication

Unlike the original certificate template, however, it does not include a "certificate template name" extension, since it is a schema version 2 certificate template that is identified by OID rather than name.

This certificate template cannot be used by the KDC for Smartcard Logon. The events no. 19 and 29 logged in the domain controller event log when a user tries to log in by smart card:

This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

For a user logging in, the error manifests itself with the error message: "Signing in with a security device isn't supported for your account. For more info, contact your administrator.

So which certificate template should be used for domain controllers?

Basically, a custom template should be created from the Kerberos Authentication certificate template.

Although not directly relevant to smartcard enrollment, only the "Kerberos Authentication" certificate template includes the CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS flag, which ensures that the fully qualified domain name and NETBIOS name of the domain are entered into the Subject Alternative Name (SAN) extension of the domain controller certificate.

The following changes can be made.

  • If you want to prevent the domain controllers from accepting smartcard logons, this can be achieved by removing the two extended key usages for "Smartcard Logon" and "KDC Authentication".
  • Also, if the domain controllers are to process smartcard logons, the "Smartcard Logon" Extended Key Usage can be removed, since the server-side part of the smartcard logon is mapped by the "KDC Authentication" Extended Key Usage.

Related links:

External sources

19 thoughts on “Domänencontroller-Zertifikatvorlagen und Smartcard Anmeldung”

  1. Pingback: Details about the event with ID 32 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center - Uwe Gradenegger
  2. Pingback: Details about the event with ID 19 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center - Uwe Gradenegger
  3. Pingback: Overview of the different generations of domain controller certificates - Uwe Gradenegger
  4. Pingback: What requirements must be met on the infrastructure side for smartcard logins to be possible? - Uwe Gradenegger
  5. Pingback: Using Authentication Mechanism Assurance (AMA) to secure administrative account logins - Uwe Gradenegger
  6. Pingback: certutil -dcinfo fails with error message "KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)" - Uwe Gradenegger
  7. Pingback: Manual application for a domain controller certificate - Uwe Gradenegger
  8. Pingback: Details about the event with ID 29 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center - Uwe Gradenegger
  9. Pingback: Signing certificates by bypassing the certification authority - Uwe Gradenegger
  10. Pingback: Certification Authority and Active Directory compromise via Certification Authority Web Enrollment (CAWE) - Uwe Gradenegger
  11. Pingback: Requesting a certificate for domain controller fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)" - Uwe Gradenegger
  12. Pingback: Prevent smartcard login in the network - Uwe Gradenegger
  13. Pingback: Signing in via smartcard fails with error message "Signing in with a security device isn't supported for your account." - Uwe Gradenegger
  14. Pingback: From Zero to Enterprise Administrator through the Network Device Enrollment Service (NDES) - Uwe Gradenegger
  15. Pingback: Logon via smartcard fails with error message "The revocation status of the authentication certificate could not be determined." - Uwe Gradenegger
  16. Pingback: Details about the event with ID 200 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center - Uwe Gradenegger
  17. Pingback: Details about the event with ID 47 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll - Uwe Gradenegger
  18. Pingback: Changes to certificate issuance and certificate-based logon to Active Directory with the May 10, 2022 patch for Windows Server (KB5014754) - Uwe Gradenegger
  19. Pingback: Logon error with Windows Hello for Business: "Contact the system administrator and tell them that the KDC certificate could not be verified." - Uwe Gradenegger

Comments are closed.

en_USEnglish
de_DEDeutsch en_USEnglish