
Enabling Strict KDC Validation in Windows Kerberos

Microsoft Corporation

Published: July 2010

Version 1.1

Abstract

This article describes how a Kerberos deployment can be configured to meet certain conditions that help assure that smart card users are authenticating against a valid Kerberos domain controller. This article applies to Windows Vista®, Windows Server® 2008, Windows® 7, and Windows Server 2008 R2.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

2010 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

Background
What Is Strict KDC Validation?
Requirements to Ensure Strict KDC Validation
    Client support for the “Require strict KDC validation” setting
    Domain controller and CA support for autoenrollment of the Kerberos Authentication certificate
    DC using Kerberos Authentication certificate
Validation
    Check if the domain policy has “Require strict KDC validation” enabled
    Check if CA has Kerberos Authentication template enabled
    Check if the domain controller has the Kerberos Authentication KDC Certificate
Causes for Smart Card Authentication Failures
    Problem: Cross Forest smartcard logon is failing but domain smart card logon succeeds
        Solution: Explicitly add the cross-forest enterprise CA roots to the NTAuth store of the forest where the computer is domain-joined
    Problem: KDC does not have KDC certificate based on Kerberos Authentication certificate templates
        Solution: Explicitly enroll for a KDC certificate by using the Certificate MMC
        Solution: Triggering autoenrollment using CertUtil.exe
        Solution: Configuring autoenrollment
    Problem: CA cannot issue KDC certificates based on Kerberos Authentication certificate templates
        Solution: Adding the Kerberos Authentication Template using Certificate Authority Snap-in
        Solution: Adding the Kerberos Authentication Template using CertUtil
    Problem: KDC has older KDC certificates
        Solution: Revoking “Domain Controller” and “Domain Controller Authentication” certificates
        Solution: Removing “Domain Controller” and “Domain Controller Authentication” certificate templates on a CA

Background

By default, Windows client computers using Kerberos authentication with smart card logon do not require, and therefore do not validate, the key distribution center (KDC) Extended Key Usage (EKU) in the domain controller's certificate. Although support was added in Windows Vista to enforce strict KDC validation, this functionality cannot be enabled by default because it would cause authentication failures until the configuration preconditions are met. This article describes how a Kerberos deployment can be configured to meet these preconditions, which help assure that the smart card user is authenticating against a valid Kerberos domain controller.

What Is Strict KDC Validation?

Strict KDC validation is a more restrictive set of criteria that must be met by a KDC for successful authentication. This functionality is controlled by a Group Policy setting called Require strict KDC validation, which was added in Windows Vista. A system with this policy enabled will validate certificate-based AS-REP messages from domain controllers by ensuring that all of the following are met:

- The domain controller has the private key for the certificate provided.
- For domain-joined systems, the certification authority (CA) that issued the KDC’s certificate is in the NTAuth store.
- For non-domain-joined systems, the root CA of the KDC’s certificate is in the Third-Party Root CA or Smart Card Trusted Roots store.
- The KDC’s certificate has the KDC EKU.
- The DNSName field of the KDC certificate’s subjectAltName (SAN) extension matches the DNS name of the domain.

Because enabling this policy before the domain controllers of all smart card users’ account domains are using such a certificate will leave those smart card users unable to authenticate, it is critical to validate the environment before deploying the policy. KDCs use only one certificate, which is selected when the KDC service starts. This means that if another certificate is obtained after the KDC service starts, the new certificate will not be used until the service is restarted.

Requirements to Ensure Strict KDC Validation

For an organization to have an environment that does not experience smart card user authentication failures for existing users and ensures domain-joined systems adhere to the additional strict KDC validation policy when using smart card authentication, the following are required:

- All domain policies have the Computer Configuration\Administrative Templates\System\Kerberos\Require strict KDC validation Group Policy setting enabled.
- All Windows smart card clients support the Require strict KDC validation policy setting.
- All domain controllers and CAs that are set up to issue domain controller certificates support autoenrollment of KDC certificates based on Kerberos Authentication certificate templates.

  Note: Manual enrollment is possible but requires regular administrator action to ensure that KDC certificates are kept up to date.

- All domain controllers have had only the KDC certificate based on Kerberos Authentication certificate templates as their KDC certificate since the KDC was last started.

Client support for strict KDC validation

The following table lists the versions of Windows that support smart card authentication and can be configured to support strict KDC validation.

Client version            Strict KDC validation available?
Windows Vista             Yes
Windows Server 2008       Yes
Windows 7                 Yes
Windows Server 2008 R2    Yes

When the Require strict KDC validation Group Policy setting is enabled, the Kerberos client on domain-joined systems will fail smart card (and other certificate) initial authentication (AS-REP) when strict KDC validation fails.

Domain controller and CA support for autoenrollment of the Kerberos Authentication certificate

The following table lists the versions of Windows that support auto-renewal for the KDC certificate based on Kerberos Authentication certificate templates.

Domain controller          Certificate authority: Windows Server 2008 RTM    Windows Server 2008 SP2    Windows Server 2008 R2
Windows Server 2003        No, manual enrollment required                    Yes                        Yes
Windows Server 2008        No, manual enrollment required                    Yes                        Yes
Windows Server 2008 R2     Yes                                               Yes                        Yes

Ensure that at least one CA is set up to issue the Kerberos Authentication template and that Domain Controller and Domain Controller Authentication templates are not issued by any CAs.

Domain controllers using Kerberos Authentication certificate

KDCs use only one certificate, which is selected when the KDC service starts. This means that if another certificate is obtained after the KDC service starts, the new certificate will not be used. Additionally, the following requirements must be met:

- Ensure all domain controllers are configured with a valid certificate based on the Kerberos Authentication templates or containing the KDC EKU.
- Ensure all domain controllers have no Domain Controller or Domain Controller Authentication certificates.

To assure success, the KDC service must be restarted after obtaining the certificate with the KDC EKU.
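The following PowerShell script is an added example and is not part of the Microsoft whitepaper. It audits the certificates in a domain controller’s machine store against the strict KDC validation criteria listed under “What Is Strict KDC Validation?” (private key present, issuing CA in NTAuth, KDC EKU, SAN DNS name matching the domain) and against the domain controller requirements in this section (a Kerberos Authentication certificate, no legacy Domain Controller or Domain Controller Authentication certificates, and whether the KDC has been restarted since the certificate was issued). It is meant to be run in an elevated session on the domain controller. The OIDs are the standard ones for the KDC EKU, subjectAltName and certificate template extensions; the parsing of certutil -store -enterprise NTAuth output and of the extension text assumes English-language formatting, and using the lsass process start time as the KDC service start time is this script’s own assumption.

```powershell
# Added example, not the whitepaper's own code. Run elevated on a domain controller.
$KdcEkuOid       = '1.3.6.1.5.2.3.5'        # KDC Authentication EKU (id-pkinit-KPKdc)
$SanOid          = '2.5.29.17'              # subjectAltName
$V1TemplateOid   = '1.3.6.1.4.1.311.20.2'   # legacy template name, e.g. "DomainController"
$V2TemplateOid   = '1.3.6.1.4.1.311.21.7'   # certificate template information (v2+ templates)
$LegacyTemplates = @('DomainController', 'Domain Controller', 'Domain Controller Authentication')
$DomainDnsName   = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name

# SHA-1 thumbprints of the CAs in the forest NTAuth store (local cache). Parsing assumes
# the English "Cert Hash(sha1):" label in certutil output.
function Get-NtAuthThumbprints {
    $lines = certutil.exe -store -enterprise NTAuth 2>$null
    foreach ($line in $lines) {
        if ($line -match 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') {
            ($Matches[1] -replace ' ', '').ToUpperInvariant()
        }
    }
}

# Thumbprint of the certificate that issued $Cert, taken from a built chain (no CRL check here).
function Get-IssuerThumbprint($Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Cert)
    if ($chain.ChainElements.Count -ge 2) { return $chain.ChainElements[1].Certificate.Thumbprint }
    return $null
}

# DNS names from the SAN extension; Format() output uses the English "DNS Name=" label.
function Get-SanDnsNames($Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'DNS Name=([^\r\n,]+)') | ForEach-Object { $_.Groups[1].Value.Trim() }
}

# Template display name, as certutil -DCInfo shows in its Template field. A v2 template
# formats as "Template=<name>(<oid>), ..." only when the DC can resolve the OID in AD.
function Get-TemplateName($Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $V2TemplateOid) {
            return (($ext.Format($false) -replace '^Template=', '') -replace '\(.*$', '').Trim()
        }
        if ($ext.Oid.Value -eq $V1TemplateOid) { return $ext.Format($false).Trim() }
    }
    return $null
}

# One row per certificate in LocalMachine\My with each strict KDC validation criterion evaluated.
function Test-KdcCertificates {
    $ntAuth = @(Get-NtAuthThumbprints)
    # Assumption: the KDC runs inside lsass, so a certificate issued after lsass started is not
    # yet in use (the whitepaper: the KDC selects its certificate when the service starts).
    $kdcStart = (Get-Process -Name lsass).StartTime
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $template = Get-TemplateName $cert
        $issuer   = Get-IssuerThumbprint $cert
        New-Object PSObject -Property @{
            Thumbprint       = $cert.Thumbprint
            Template         = $template
            HasPrivateKey    = $cert.HasPrivateKey
            HasKdcEku        = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $KdcEkuOid })
            SanMatchesDomain = [bool]((Get-SanDnsNames $cert) -contains $DomainDnsName)
            IssuerInNTAuth   = [bool]($issuer -and ($ntAuth -contains $issuer))
            LegacyTemplate   = [bool]($LegacyTemplates -contains $template)
            NeedsKdcRestart  = [bool]($cert.NotBefore -gt $kdcStart)
        }
    }
}

# Verdict: at least one certificate satisfying every criterion, no legacy certificates left,
# and the qualifying certificate already in use by the running KDC.
function Get-StrictKdcVerdict {
    $certs  = @(Test-KdcCertificates)
    $ready  = @($certs | Where-Object { $_.HasPrivateKey -and $_.HasKdcEku -and $_.SanMatchesDomain -and $_.IssuerInNTAuth })
    $legacy = @($certs | Where-Object { $_.LegacyTemplate })
    if ($ready.Count -eq 0)  { return 'NOT READY: no certificate meets the strict KDC validation criteria' }
    if ($legacy.Count -gt 0) { return 'NOT READY: legacy Domain Controller certificates are still present' }
    if ($ready | Where-Object { $_.NeedsKdcRestart }) { return 'READY AFTER RESTART: run net stop KDC, then net start KDC' }
    return 'READY'
}

Test-KdcCertificates | Format-Table Thumbprint, Template, HasKdcEku, SanMatchesDomain, IssuerInNTAuth, LegacyTemplate, NeedsKdcRestart -AutoSize
Get-StrictKdcVerdict
```

Run the script on every domain controller in each smart card user’s account domain before enabling the policy; any verdict other than READY points at one of the problems described later in this article.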

Validation

Check if the domain policy requires strict KDC validation

1. Open the Group Policy Management Console.

Figure 1: Windows Server 2008 R2 Administrative Tools

2. Right-click Default Domain Policy, and click Edit.

Figure 2: Windows Server 2008 R2 Group Policy Management Console

3. Click Show for Administrative Templates.

Figure 3: Windows Server 2008 R2 Default Domain Policy

4. Click Show for System/Kerberos.
5. Require strict KDC validation should be Enabled.

Figure 4: Windows Server 2008 R2 with Require strict KDC validation enabled
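The requirements section asks that all domain policies have the setting enabled, which the console steps above check one GPO at a time. The following PowerShell script is an added example, not part of the whitepaper: it reports, for every GPO in the domain, whether the Require strict KDC validation setting is configured, and then reads the setting that is in effect on the local computer. It uses the GroupPolicy module shipped with Windows Server 2008 R2 / RSAT. The registry location (the KdcValidation DWORD under the Kerberos\Parameters policy key, as defined in Kerberos.admx) is this script’s assumption; confirm it against the ADMX on your own build before relying on it.

```powershell
# Added example, not from the whitepaper. Requires the GroupPolicy module (Windows Server 2008 R2 / RSAT).
Import-Module GroupPolicy

# Assumption: "Require strict KDC validation" is stored as the KdcValidation DWORD (1 = enabled)
# under this policy key, per Kerberos.admx. Verify against your ADMX before relying on it.
$PolicyKey   = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$PolicyKeyPS = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$ValueName   = 'KdcValidation'

# One row per GPO: does it configure the setting, and to what value?
function Get-StrictKdcPolicyByGpo {
    foreach ($gpo in Get-GPO -All) {
        # Get-GPRegistryValue errors when the value is not configured in that GPO; treat that as "Not configured".
        $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $PolicyKey -ValueName $ValueName -ErrorAction SilentlyContinue
        $state = 'Not configured'
        if ($null -ne $setting) {
            if ($setting.Value -eq 1) { $state = 'Enabled' } else { $state = "Configured with value $($setting.Value)" }
        }
        New-Object PSObject -Property @{ Gpo = $gpo.DisplayName; State = $state }
    }
}

# Effective setting on this computer after Group Policy processing.
function Get-StrictKdcPolicyLocal {
    $item = Get-ItemProperty -Path $PolicyKeyPS -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured (default: the KDC EKU is not required)' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return "Configured with value $($item.$ValueName)"
}

Get-StrictKdcPolicyByGpo | Format-Table Gpo, State -AutoSize
"Effective on this computer: $(Get-StrictKdcPolicyLocal)"
```

A GPO reported as Not configured is not necessarily a problem on its own, but every computer that performs smart card logon must end up with Enabled as its effective state, and no GPO that applies to those computers should set a conflicting value.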

Check if the CA has the Kerberos Authentication template enabled

1. Open the Certification Authority snap-in.
2. Click Certificate Templates.

3. Kerberos Authentication should be listed in the right pane.

Figure 5: Windows Server 2008 R2 CA with Kerberos Authentication template enabled

Check if the domain controller has the Kerberos Authentication KDC certificate

To discover the KDC certificates for a given domain controller:

1. Open an administrator Command Prompt.
2. Type certutil.exe -DCInfo.

If the domain controller has one KDC certificate, then one KDC Certificate in MY store will be returned.

Figure 6: Windows Server 2008 R2 domain controller with one KDC Kerberos Authentication certificate

If the certificate is based on a Kerberos Authentication template, then it will be stated in the Template field.

If the domain controller has multiple KDC certificates, then information for each certificate will be returned.

Figure 7: Windows Server 2008 R2 domain controller with multiple KDC certificates

Causes for Smart Card Authentication Failures

Problem: Cross-forest smart card logon is failing but domain smart card logon succeeds

Solution: Explicitly add the cross-forest enterprise CA roots to the NTAuth store of the forest where the computer is domain-joined

Details for adding issuing CAs to the NTAuth store can be found in the Cross-forest Certificate Enrollment with Windows Server 2008 R2 whitepaper.

Problem: KDC does not have KDC certificate based on Kerberos Authentication certificate templates

For the KDC to successfully authenticate a smart card user requiring strict KDC validation, the KDC must be using a certificate with the KDC EKU. This requires both a Kerberos Authentication certificate and a restart of the KDC service.

There are three possible solutions:

- To manually get a certificate: Solution: Explicitly enroll for a KDC certificate by using the Certificates snap-in
- If autoenrollment is configured: Solution: Trigger autoenrollment by using Certutil.exe
- If autoenrollment is not configured: Solution: Configure autoenrollment, then Solution: Trigger autoenrollment by using Certutil.exe

Solution: Explicitly enroll for a KDC certificate by using the Certificates snap-in

1. Open the Certificates snap-in. On the File menu, click Add/Remove snap-in.

2. In the Add or Remove Snap-ins dialog box, select Certificates, click Add, and then click OK.

Figure 8: Windows Server 2008 R2 domain controller adding snap-in

3. In the Certificates snap-in dialog box, click Computer account, and click Next.

Figure 9: Windows Server 2008 R2 domain controller selecting type

4. In the Select Computer dialog box, click Local computer, and click Finish.

Figure 10: Windows Server 2008 R2 domain controller selecting computer

5. Open Personal, and right-click Certificates.
6. Select All Tasks.
7. Select Request New Certificate.

Figure 11: Windows Server 2008 R2 domain controller manually enrolling

8. Click Next.

Figure 12: Windows Server 2008 R2 domain controller manually enrolling

9. Select Active Directory Enrollment Policy, and click Next.

Figure 13: Windows Server 2008 R2 domain controller selecting Active Directory Enrollment Policy

10. Select the Kerberos Authentication check box, and click Enroll.

Figure 14: Windows Server 2008 R2 domain controller selecting template

If Kerberos Authentication is not available, then check if the Kerberos Authentication template is available on CAs that issue KDC certificates. If the template is enabled, then ensure that domain controllers have Enroll permission and Autoenroll permission.
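The Enroll and Autoenroll permissions mentioned above (and needed again under Solution: Configure autoenrollment) live on the template object in the Configuration partition. The following PowerShell script is an added example, not part of the whitepaper: it reads the ACL of the Kerberos Authentication template with the ActiveDirectory module and reports whether the Domain Controllers group or Enterprise Domain Controllers hold those two extended rights. The GUIDs are the schema-defined Certificate-Enrollment and Certificate-AutoEnrollment rights; the template CN (KerberosAuthentication) and the group names are assumptions of this script, so adjust them if your forest differs.

```powershell
# Added example, not from the whitepaper. Requires the ActiveDirectory module (Windows Server 2008 R2 / RSAT).
Import-Module ActiveDirectory
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right
$AllRights       = [guid]'00000000-0000-0000-0000-000000000000'   # empty ObjectType = every extended right

# Allow ACEs on the template that grant Enroll and/or Autoenroll, one row per identity.
function Get-TemplateEnrollmentAces([string]$TemplateCn = 'KerberosAuthentication') {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        if ($rights -notmatch 'ExtendedRight|GenericAll') { continue }
        # GenericAll, or ExtendedRight with no specific ObjectType, covers both rights at once.
        $grantsAll = ($rights -match 'GenericAll') -or ($ace.ObjectType -eq $AllRights)
        New-Object PSObject -Property @{
            Identity   = $ace.IdentityReference.Value
            Enroll     = $grantsAll -or ($ace.ObjectType -eq $EnrollRight)
            Autoenroll = $grantsAll -or ($ace.ObjectType -eq $AutoEnrollRight)
        }
    }
}

# Domain controllers must be able to enroll; the whitepaper asks for Enroll and Autoenroll,
# so both are checked for the two groups a DC is a member of.
function Test-DomainControllerEnrollment([string]$TemplateCn = 'KerberosAuthentication') {
    $netbios  = (Get-ADDomain).NetBIOSName
    $dcGroups = @("$netbios\Domain Controllers", 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')
    $aces     = @(Get-TemplateEnrollmentAces $TemplateCn)
    $enroll   = @($aces | Where-Object { $_.Enroll     -and ($dcGroups -contains $_.Identity) })
    $auto     = @($aces | Where-Object { $_.Autoenroll -and ($dcGroups -contains $_.Identity) })
    New-Object PSObject -Property @{
        Template   = $TemplateCn
        DcEnroll   = ($enroll.Count -gt 0)
        DcAutoenroll = ($auto.Count -gt 0)
        GrantedTo  = (($aces | Where-Object { $_.Enroll -or $_.Autoenroll } | ForEach-Object { $_.Identity }) -join '; ')
    }
}

Test-DomainControllerEnrollment | Format-List Template, DcEnroll, DcAutoenroll, GrantedTo
```

If DcEnroll is false, the template will not appear in the Request New Certificate wizard on the domain controller; if DcAutoenroll is false, the certutil -pulse solution below cannot obtain the certificate either, and the template ACL must be corrected first.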

Confirm that the domain controller has the Kerberos Authentication KDC certificate:

1. Open an administrator Command Prompt.
2. Type certutil.exe -DCInfo.

If the domain controller has a Kerberos Authentication KDC certificate, then information for the certificate will be returned with “Kerberos Authentication” in the Template field.

Figure 15: Windows Server 2008 R2 domain controller with KDC Kerberos Authentication certificate

Restart the KDC service:

3. Type net stop KDC.
4. After the KDC service is stopped, type net start KDC.

Figure 16: Windows Server 2008 R2 domain controller restarted

Solution: Trigger autoenrollment by using Certutil.exe

Pulse the domain controller autoenrollment:

1. Open an administrator Command Prompt.

2. Type certutil.exe -pulse.

Figure 17: Windows Server 2008 R2 domain controller triggering autoenrollment

Confirm the domain controller has the Kerberos Authentication KDC certificate:

3. Type certutil.exe -DCInfo.

If the domain controller has a Kerberos Authentication KDC certificate, then information for the certificate will be returned with “Kerberos Authentication” in the Template field.

Figure 18: Windows Server 2008 R2 domain controller with KDC Kerberos Authentication certificate

Restart the KDC service:

4. Type net stop KDC.
5. After the KDC service is stopped, type net start KDC.

Figure 19: Windows Server 2008 R2 domain controller restarted

Solution: Configure autoenrollment

Setting up ACLs and Group Policy for autoenrollment is documented here: http://technet.microsoft.com/en-us/library/cc778954(WS.10).aspx.

Setting up ACLs programmatically can be done with the template API. An example is documented here: http://blogs.technet.com/b/pki/archive/2009/09/26/introducing-certificate-template-api.aspx.

Problem: CA cannot issue KDC certificates based on Kerberos Authentication certificate templates

To issue certificates based on the Kerberos Authentication template, the template must be enabled.

Either the Certificate Authority snap-in or Certutil can be used.

Solution: Add the Kerberos Authentication Template by using the Certificate Authority snap-in:

1. Open the Certification Authority snap-in.
2. Right-click Certificate Templates.
3. Point to New.

4. Click Certificate Template to Issue.

Figure 20: Windows Server 2008 R2 CA adding new template

5. In the Enable Certificate Templates dialog box, select Kerberos Authentication, and click OK.

Figure 21: Windows Server 2008 R2 CA selecting template

6. Now Kerberos Authentication is listed in the right pane.

Figure 22: Windows Server 2008 R2 CA with Kerberos Authentication template

Solution: Add the Kerberos Authentication Template by using Certutil

Add the Kerberos Authentication template:

1. Open an administrator Command Prompt.
2. Type Certutil.exe -config <CA machine name>.<domain name>\<CA common name> -setcatemplates +KerberosAuthentication, where <CA machine name> is the machine name of the CA, <domain name> is the DNS domain name, and <CA common name> is the common name of the CA.

Figure 23: Windows Server 2008 R2 CA adding template with certutil

Problem: KDC has older KDC certificates

KDCs use only one certificate, which is selected when the service starts; that means if a new certificate is obtained after the KDC service starts, the newer certificate will not be used. To ensure that the Kerberos Authentication certificate on a domain controller is always used, there should be no Domain Controller or Domain Controller Authentication certificates in use, which means revoking any existing certificates and ensuring CAs do not issue certificates based on the older templates.

Before removing the older certificates, ensure the DC has a certificate based on the Kerberos Authentication template, or smart card authentication will not be supported by this domain controller. If the domain controller does not have a certificate based on the Kerberos Authentication certificate template, then see Problem: KDC does not have KDC certificate based on Kerberos Authentication certificate templates.

Solution: Revoke Domain Controller and Domain Controller Authentication certificates

First query the CA database to find all certificates based on the Domain Controller and Domain Controller Authentication templates that are still time valid, and get a list of serial numbers. Use a query similar to those at http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx, restricting on template=“DomainController” and template=“DomainControllerAuthentication”.

Then, use the list with the certutil -revoke command.
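The following PowerShell script is an added example, not part of the whitepaper, of the query-then-revoke procedure just described: it runs certutil -view with a restriction on each legacy template and on Disposition 20 (issued), keeps only certificates that have not yet expired, and prints the corresponding certutil -revoke commands with reason code 4 (Superseded). Nothing is revoked unless the -Execute switch is given, so the list can be reviewed first, and as the text above says, it should be run only after every affected DC already holds a Kerberos Authentication certificate. The script assumes certutil’s csv output format with positional columns; for the v2 DomainControllerAuthentication template the CA database may store the template OID rather than its name, in which case substitute the OID (from the template’s msPKI-Cert-Template-OID attribute) in the restriction.

```powershell
# Added example, not from the whitepaper. Run on the CA, or pass -CaConfig "host\CA common name".
function Get-LegacyDcCertificates {
    param([string]$CaConfig)
    foreach ($template in 'DomainController', 'DomainControllerAuthentication') {
        $cmd = @('-view')
        if ($CaConfig) { $cmd += @('-config', $CaConfig) }
        # Disposition 20 = issued. If the database stores the v2 template's OID instead of its
        # name, replace $template with that OID.
        $cmd += @('-restrict', "CertificateTemplate=$template,Disposition=20",
                  '-out', 'RequestID,SerialNumber,NotAfter', 'csv')
        # The first csv line is certutil's header; columns are positional, so supply our own names.
        $rows = (& certutil.exe @cmd) | Select-Object -Skip 1 | ConvertFrom-Csv -Header RequestId, Serial, NotAfter
        foreach ($row in $rows) {
            $notAfter = [datetime]::MinValue
            if (-not [datetime]::TryParse($row.NotAfter, [ref]$notAfter)) { continue }  # trailer or blank line
            if ($notAfter -le (Get-Date)) { continue }                                   # already expired: nothing to revoke
            New-Object PSObject -Property @{
                RequestId = $row.RequestId
                Serial    = $row.Serial
                NotAfter  = $notAfter
                Template  = $template
            }
        }
    }
}

# Print (and with -Execute, run) one certutil -revoke per still-valid legacy certificate.
function Revoke-LegacyDcCertificates {
    param([string]$CaConfig, [switch]$Execute)
    foreach ($cert in Get-LegacyDcCertificates -CaConfig $CaConfig) {
        $cmd = @()
        if ($CaConfig) { $cmd += @('-config', $CaConfig) }
        $cmd += @('-revoke', $cert.Serial, '4')    # reason 4 = Superseded
        Write-Host "certutil.exe $($cmd -join ' ')    # $($cert.Template), request $($cert.RequestId), expires $($cert.NotAfter)"
        if ($Execute) { & certutil.exe @cmd }
    }
}

Revoke-LegacyDcCertificates            # review the list first
# Revoke-LegacyDcCertificates -Execute # then revoke
```

After revoking, publish a new CRL so that clients and other domain controllers see the revocations, and disable the two legacy templates on the CA as described in the next solution so that the certificates are not simply re-issued by autoenrollment.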

Solution: Remove Domain Controller and Domain Controller Authentication certificate templates on a CA

1. Open the Certification Authority snap-in.
2. Right-click Certificate Templates.
3. Click Delete.

Figure 24: Windows Server 2008 R2 CA deleting template

4. In the Disable certificate templates dialog box, click Yes.

Figure 25: Windows Server 2008 R2 CA confirming disabling template
