Prevent smartcard logon to the network

Installing Active Directory Certificate Services in the default configuration automatically configures the environment so that domain controllers accept smart card logons.

Therefore, if smart card logons are not wanted, it makes sense to disable the functionality so that a compromised certification authority cannot be used to jeopardize the Active Directory.

See also the article "Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754)".

Under what circumstances is the smartcard logon functionality enabled?

See also the article "What requirements must be met on the infrastructure side for smartcard logins to be possible?".

When an Active Directory integrated certification authority is installed, its certification authority certificate is copied to the NTAuthCertificates object of the Active Directory forest. This step marks the certification authority as usable for certificate-based logons in the environment, which includes smartcard logon.

If the publication of the default certificate templates is not prevented during the installation, the certification authority automatically publishes the "Domain Controller" certificate template, which the domain controllers then request automatically.

Even if the publication of the default certificate templates was prevented during the installation, publishing another one of the default domain controller certificate templates later leads to the same result. See also the article "Domain Controller Certificate Templates and Smartcard Logon".

Ways to disable the smartcard logon functionality

The following options are available to render the smartcard logon functionality unusable:

  • Operate domain controllers without certificates
  • Distribute customized domain controller certificates
  • Remove certification authorities from the NTAuthCertificates object
  • Restrict certification authority certificates

Details: Operating domain controllers without certificates

It is of course possible to operate the domain controllers without certificates, i.e. not to offer them a certificate template for requesting certificates.

The disadvantage here, however, is that LDAP over SSL (LDAPS) connections cannot then be offered either. This is not practical in most cases.

Details: Distribute customized domain controller certificates

It is possible to issue certificates to domain controllers that allow them to accept LDAP over SSL (LDAPS) connections but do not allow them to process smartcard logons.

For the configuration of such a certificate template, see the article "Configuring a Certificate Template for Domain Controllers".

A domain controller logs events 19 and 29 when a logon via smartcard is attempted. An alert can therefore be raised on these events.
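As an added check (not part of the original article), the following PowerShell reports which EKUs the domain controller's own certificates carry, so a customized certificate can be verified to allow LDAPS while lacking the Smart Card Logon and KDC Authentication EKUs, and lists the recent events 19 and 29. It assumes the events are written by the Kerberos-Key-Distribution-Center provider to the System log, which the article does not state.

```powershell
# Added example (not from the original article). Assumptions: run on a domain
# controller with administrative rights; events 19 and 29 are written by the
# Kerberos-Key-Distribution-Center provider to the System log.

$ekuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication (LDAPS)'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}
# EKUs that let the KDC use a certificate for PKINIT (smartcard) logons.
$logonEkus = @('1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.5')

function Get-DcCertificateEkuReport {
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            EKUs        = ($oids | ForEach-Object { if ($ekuNames[$_]) { $ekuNames[$_] } else { $_ } }) -join '; '
            AllowsLdaps = $oids -contains '1.3.6.1.5.5.7.3.1'
            # No EKU extension means the certificate is not restricted to any purpose, so flag it too.
            SmartcardLogonEku = (-not $ekuExt) -or (@($oids | Where-Object { $logonEkus -contains $_ }).Count -gt 0)
        }
    }
}

function Get-SmartcardLogonEvents {
    param([int]$Days = 7)
    # The article states that a domain controller logs events 19 and 29 when a
    # smartcard logon is attempted; these are the events to forward to monitoring.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 19, 29
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Get-DcCertificateEkuReport | Format-Table -AutoSize
Get-SmartcardLogonEvents | Format-List
```

A certificate that reports AllowsLdaps as true and SmartcardLogonEku as false is what the customized template described above is meant to produce.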

Details: Remove certificate authorities from NTAuthCertificates object

It is possible to remove the certification authority certificate from the NTAuthCertificates object of the Active Directory forest after installing the certification authority. See the article "Editing the NTAuthCertificates object in Active Directory".

The disadvantage with this method, however, is that some functions depend on the presence of the certificate authority certificate in NTAuthCertificates:

  • Enroll on Behalf Of (EOBO): The CA certificate of the certification authority that issues the certificates for the enrollment agents must be located in NTAuthCertificates.
  • Key Recovery / Private Key Archiving: The CA certificate of the certification authority that archives the keys must be located in NTAuthCertificates.
  • Smartcard Logon: The CA certificate of the certification authority that issues the certificates of the domain controllers and of the logon users must be located in NTAuthCertificates.
  • Windows Hello for Business: Identical to Smartcard Logon. If Windows Hello for Business is used without certificates, only the certification authority for the domain controllers must be entered.
  • Network Policy Server (NPS) when certificate-based logons are processed (e.g. 802.1X over wireless or wired networks, DirectAccess, Always On VPN): The CA certificate of the certification authority that issues the certificates of the users or computers logging on must be located in NTAuthCertificates.
  • EFS File Recovery Agents: The CA certificate of the certification authority that issues the certificates of the file recovery agents must be located in NTAuthCertificates.
  • IIS Client Certificate Mapping (against Active Directory): The CA certificate of the certification authority that issues the certificates of the users logging on must be located in NTAuthCertificates.
  • Network Device Enrollment Service (NDES), renewal mode only: Only affects renewal mode, i.e. signing a certificate request with an existing certificate. The CA certificate of the certification authority that issued the certificates to be renewed must be located in NTAuthCertificates.
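As an added example (not the article's own code), the following PowerShell lists the CA certificates currently published in the forest's NTAuthCertificates object, so the effect of removing a certification authority can be verified and the remaining entries compared against the certification authorities the functions above still need. It assumes the ActiveDirectory module is installed on a domain-joined machine.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# PowerShell module and a domain-joined machine with read access to the
# Configuration naming context.
Import-Module ActiveDirectory

function Get-NTAuthCertificates {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    $obj = Get-ADObject -Identity $dn -Properties cACertificate

    # cACertificate is multi-valued; each value is one DER-encoded CA certificate.
    foreach ($der in @($obj.cACertificate)) {
        if ($null -eq $der) { continue }   # object exists but holds no certificates
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            IsRootCA   = ($cert.Subject -eq $cert.Issuer)
        }
    }
}

# Every certification authority listed here is trusted by the forest for
# certificate-based logon, whether or not smartcard logon is intended for it.
Get-NTAuthCertificates | Sort-Object Subject | Format-Table -AutoSize
```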

Details: Restrict certification authority certificates

The disadvantage with this method, however, is that domain controllers in the default configuration do not check the restrictions on the certification authority certificate. While it is possible to customize the configuration of the domain controllers, a residual risk remains here as well, depending on which restrictions are defined on the certification authority certificate. For more details, see the article "Domain controller does not check extended key usage on smart card login".

Conclusion

It is possible to adjust the environment so that smartcard logins are no longer possible. However, almost every method listed has disadvantages.

Probably the best option with the fewest drawbacks is to distribute customized domain controller certificates so that they cannot process smart card logons, unless this feature is actually used.

If the use of Smartcard Logon or Windows Hello for Business is required, it makes sense to consider using OCSP in conjunction with deterministic "Good". See the article "Force domain controller (or other participants) to use an online responder (OCSP)".
