On-premises key trust deployment guide
This article describes Windows Hello for Business functionalities or scenarios that apply to:
- Deployment type: on-premises
- Trust type: key trust
- Join type: domain join
Requirements
Before starting the deployment, review the requirements described in the Plan a Windows Hello for Business Deployment article.
Ensure that the following requirements are met before you begin:
Deployment steps
Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
Configure and validate the Public Key Infrastructure
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the key trust or certificate trust models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
Deploy an enterprise certification authority
This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server Active Directory Certificate Services role.
If you don't have an existing PKI, review Certification Authority Guidance to properly design your infrastructure. Then, consult the Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy for instructions on how to configure your PKI using the information from your design session.
Lab-based PKI
The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment.
Sign in using Enterprise Administrator equivalent credentials on a Windows Server where you want the certification authority (CA) installed.
Note
Never install a certification authority on a domain controller in a production environment.
- Open an elevated Windows PowerShell prompt
- Use the following command to install the Active Directory Certificate Services role.
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
- Use the following command to configure the CA using a basic certification authority configuration
Install-AdcsCertificationAuthority
Configure the enterprise PKI
Configure domain controller certificates
Clients must trust the domain controllers, and the best way to enable the trust is to ensure that each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the enterprise certification authority.
Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. The certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.
By default, the Active Directory CA provides and publishes the Kerberos Authentication certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.
Important
The certificates issued to the domain controllers must meet the following requirements:
- The Certificate Revocation List (CRL) distribution point extension must point to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder
- Optionally, the certificate Subject section could contain the directory path of the server object (the distinguished name)
- The certificate Key Usage section must contain Digital Signature and Key Encipherment
- Optionally, the certificate Basic Constraints section should contain:
[Subject Type=End Entity, Path Length Constraint=None]
- The certificate extended key usage section must contain Client Authentication (
1.3.6.1.5.5.7.3.2
), Server Authentication (1.3.6.1.5.5.7.3.1
), and KDC Authentication (1.3.6.1.5.2.3.5
) - The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name
- The certificate template must have an extension that has the value
DomainController
, encoded as a BMPstring. If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template - The domain controller certificate must be installed in the local computer's certificate store
Sign in to a CA or management workstations with Domain Administrator equivalent credentials.
Open the Certification Authority management console
Right-click Certificate Templates > Manage
In the Certificate Template Console, right-click the Kerberos Authentication template in the details pane and select Duplicate Template
Use the following table to configure the template:
Tab Name Configurations Compatibility - Clear the Show resulting changes check box
- Select Windows Server 2016 from the Certification Authority list
- Select Windows 10 / Windows Server 2016 from the Certification Recipient list
General - Specify a Template display name, for example Domain Controller Authentication (Kerberos)
- Set the validity period to the desired value
- Take note of the template name for later, which should be the same as the Template display name minus spaces
Subject Name - Select Build from this Active Directory information
- Select None from the Subject name format list
- Select DNS name from the Include this information in alternate subject list
- Clear all other items
Cryptography - Set the Provider Category to Key Storage Provider
- Set the Algorithm name to RSA
- Set the minimum key size to 2048
- Set the Request hash to SHA256
Select OK to finalize your changes and create the new template
Close the console
Supersede existing domain controller certificates
The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called domain controller certificate. Later releases of Windows Server provided a new certificate template called domain controller authentication certificate. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension.
The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.
The autoenrollment feature allows you to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the Kerberos Authentication certificate template.
Sign in to a CA or management workstations with Enterprise Administrator equivalent credentials.
- Open the Certification Authority management console
- Right-click Certificate Templates > Manage
- In the Certificate Template Console, right-click the Domain Controller Authentication (Kerberos) (or the name of the certificate template you created in the previous section) template in the details pane and select Properties
- Select the Superseded Templates tab. Select Add
- From the Add Superseded Template dialog, select the Domain Controller certificate template and select OK > Add
- From the Add Superseded Template dialog, select the Domain Controller Authentication certificate template and select OK
- From the Add Superseded Template dialog, select the Kerberos Authentication certificate template and select OK
- Add any other enterprise certificate templates that were previously configured for domain controllers to the Superseded Templates tab
- Select OK and close the Certificate Templates console
The certificate template is configured to supersede all the certificate templates provided in the superseded templates list.
However, the certificate template and the superseding of certificate templates isn't active until the template is published to one or more certificate authorities.
Note
The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a non-Microsoft CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. To see all certificates in the NTAuth store, use the following command:
Certutil -viewstore -enterprise NTAuth
Configure an internal web server certificate template
Windows clients communicate with AD FS via HTTPS. To meet this need, a server authentication certificate must be issued to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by the enterprise PKI. A server authentication certificate template must be configured, so the AD FS nodes can request a certificate.
Sign in to a CA or management workstations with Domain Administrator equivalent credentials.
Open the Certification Authority management console
Right-click Certificate Templates > Manage
In the Certificate Template Console, right-click the Web Server template in the details pane and select Duplicate Template
Use the following table to configure the template:
Tab Name Configurations Compatibility - Clear the Show resulting changes check box
- Select Windows Server 2016 from the Certification Authority list
- Select Windows 10 / Windows Server 2016 from the Certification Recipient list
General - Specify a Template display name, for example Internal Web Server
- Set the validity period to the desired value
- Take note of the template name for later, which should be the same as the Template display name minus spaces
Request Handling Select Allow private key to be exported Subject Name Select Supply in the request Security Add Domain Computers with Enroll access Cryptography - Set the Provider Category to Key Storage Provider
- Set the Algorithm name to RSA
- Set the minimum key size to 2048
- Set the Request hash to SHA256
Select OK to finalize your changes and create the new template
Close the console
Unpublish Superseded Certificate Templates
The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue, including the pre-published templates from the role installation and any superseded templates.
The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
Sign in to the CA or management workstation with Enterprise Administrator equivalent credentials.
- Open the Certification Authority management console
- Expand the parent node from the navigation pane > Certificate Templates
- Right-click the Domain Controller certificate template and select Delete. Select Yes on the Disable certificate templates window
- Repeat step 3 for the Domain Controller Authentication and Kerberos Authentication certificate templates
Publish certificate templates to the CA
A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
Sign in to the CA or management workstations with Enterprise Admin equivalent credentials.
- Open the Certification Authority management console
- Expand the parent node from the navigation pane
- Select Certificate Templates in the navigation pane
- Right-click the Certificate Templates node. Select New > Certificate Template to issue
- In the Enable Certificates Templates window, select the Domain Controller Authentication (Kerberos) and Internal Web Server templates you created in the previous steps. Select OK to publish the selected certificate templates to the certification authority
- If you published the Domain Controller Authentication (Kerberos) certificate template, then unpublish the certificate templates you included in the superseded templates list
- To unpublish a certificate template, right-click the certificate template you want to unpublish and select Delete. Select Yes to confirm the operation
- Close the console
Configure and deploy certificates to domain controllers
Configure automatic certificate enrollment for the domain controllers
Domain controllers automatically request a certificate from the Domain controller certificate template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. For domain controllers to automatically enroll and renew of certificates, configure a GPO for automatic certificate enrollment, and link it to the Domain Controllers OU.
- Open the Group Policy Management Console (gpmc.msc)
- Expand the domain and select the Group Policy Object node in the navigation pane
- Right-click Group Policy object and select New
- Type Domain Controller Auto Certificate Enrollment in the name box and select OK
- Right-click the Domain Controller Auto Certificate Enrollment Group Policy object and select Edit
- In the navigation pane, expand Policies under Computer Configuration
- Expand Windows Settings > Security Settings > Public Key Policies
- In the details pane, right-click Certificate Services Client - Auto-Enrollment and select Properties
- Select Enabled from the Configuration Model list
- Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box
- Select the Update certificates that use certificate templates check box
- Select OK
- Close the Group Policy Management Editor
Deploy the domain controller auto certificate enrollment GPO
Sign in to domain controller or management workstations with Domain Administrator equivalent credentials.
- Start the Group Policy Management Console (gpmc.msc)
- In the navigation pane, expand the domain and expand the node with the Active Directory domain name. Right-click the Domain Controllers organizational unit and select Link an existing GPO…
- In the Select GPO dialog box, select Domain Controller Auto Certificate Enrollment or the name of the domain controller certificate enrollment Group Policy object you previously created
- Select OK
Validate the configuration
Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful deployment is to validate phases of work prior to moving to the next phase.
Confirm your domain controllers enroll the correct certificates and not any superseded certificate templates. Check that each domain controller completed the certificate autoenrollment.
Use the event logs
Sign in to domain controller or management workstations with Domain Administrator equivalent credentials.
- Using the Event Viewer, navigate to the Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System event log
- Look for an event indicating a new certificate enrollment (autoenrollment):
- The details of the event include the certificate template on which the certificate was issued
- The name of the certificate template used to issue the certificate should match the certificate template name included in the event
- The certificate thumbprint and EKUs for the certificate are also included in the event
- The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template
Certificates superseded by your new domain controller certificate generate an archive event in the Event Log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
Certificate Manager
You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use certlm.msc to view certificate in the local computers certificate stores. Expand the Personal store and view the certificates enrolled for the computer. Archived certificates don't appear in Certificate Manager.
Certutil.exe
You can use certutil.exe
command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run the following command:
certutil.exe -q -store my
To view detailed information about each certificate in the store, and to validate automatic certificate enrollment enrolled the proper certificates, use the following command:
certutil.exe -q -v -store my
Troubleshooting
Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using gpupdate.exe /force
.
Alternatively, you can forcefully trigger automatic certificate enrollment using certreq.exe -autoenroll -q
from an elevated command prompt.
Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions.
Section review and next steps
Before moving to the next section, ensure the following steps are complete:
- Configure domain controller and web server certificate templates
- Supersede existing domain controller certificates
- Unpublish superseded certificate templates
- Publish the certificate templates to the CA
- Deploy certificates to the domain controllers
- Validate the domain controllers configuration