ADCS CA uses NTLM to authenticate clients during certificate requests

Shaunm001 301 Reputation points
2022-07-20T13:29:40.573+00:00

We have recently set up a new ADCS certificate authority and at the moment our clients are not able to request certificates. In troubleshooting, we have found that when the CA receives the certificate request, it attempts to contact a domain controller using NTLM authentication (presumably to validate the requestor credentials?). This fails because we have outbound NTLM disabled on the CA:

[screenshot attached to the original post: 222727-untitled.png]

My question is, why is the CA using NTLM authentication to contact the domain controller and can we configure it to use stronger authentication?

Tags: Windows Server, Windows Server Security

2 answers

  1. Limitless Technology 39,591 Reputation points
    2022-07-21T07:22:00.887+00:00

    Hi there,

    Firstly, check if the CRLs are up-to-date on the root CA server.

    1. Log on to the root CA as the domain Administrator.
    2. Open Certification Authority.
    3. Click Revoked Certificates\All Tasks\Publish\New CRL\OK.
    4. Refresh PKIview.msc console.

    Second, check if CRLs or AIAs are configured correctly on the root CA server.

    1. Log on to the root CA as the domain Administrator.
    2. Open Certification Authority.
    3. Check the AIA and CDP on the Extensions tab of root CA Properties based on my example below.

    AD CS - Unable to Request Certificates from Certificate Authority

    https://social.technet.microsoft.com/Forums/en-US/52fe9da9-3f93-49d0-8cf7-481e9c62f1ce/ad-cs-unable-to-request-certificates-from-certificate-authority?forum=winserversecurity



  2. The Squirrel 111 Reputation points
    2024-09-04T22:26:53.14+00:00

    We have NTLM outbound blocked on our Server 2022 CA and it is able to issue certificates.

    Make sure your DC certificates are not using the default template. You must create a new template by duplicating the "Kerberos Authentication" template and use that for issuing certificates to your DCs. Then your CA should be able to authenticate via Kerberos. Also, don't set your CRL to be distributed via LDAP. Set it to HTTP only. I believe that may be what is contributing to your CA attempting to contact via LDAP. It shouldn't, and it should be contacting the DC over RPC/DCOM with Kerberos authentication. Also, don't have "Enable RPC Endpoint Mapper Client Authentication" enabled, as that forces RPC to use NTLM only.

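The following is an added example, not code from either answer above and not a Microsoft tool. It audits, on the CA itself, the settings the two answers point at: the CDP/AIA publication URLs from the first answer, and the outbound NTLM policy, the "Enable RPC Endpoint Mapper Client Authentication" setting, LDAP-based CRL/AIA publication and DC certificates issued from the default template from the second answer, then lists what the NTLM policy actually blocked. Assumptions, which are mine and not stated in the thread: it runs in an elevated PowerShell on the CA, `certutil.exe` is on the PATH, the `Microsoft-Windows-NTLM/Operational` log is enabled, and the CA database column `CertificateTemplate` holds the v1 template name `DomainController` for certificates issued from the default Domain Controller template.

```powershell
# Added example for auditing the settings discussed in this thread (not from the original post).
# Run elevated on the CA. Registry paths below are the policy-backed values for
# "Restrict NTLM: Outgoing NTLM traffic to remote servers" and
# "Enable RPC Endpoint Mapper Client Authentication".

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # A missing value means the policy is "Not Configured"; report that as $null.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-CaPublicationUrls {
    param([ValidateSet('CRLPublicationURLs', 'CACertPublicationURLs')][string]$Key)
    # certutil prints each entry as "  0: 65:ldap:///CN=..." - the number before the
    # first colon of the value is the CSURL_* flag set, the rest is the URL.
    $lines = & certutil.exe -getreg "CA\$Key" 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*\d+:\s*(\d+):(.+)$') {
            $flags = [int]$Matches[1]
            [pscustomobject]@{
                Key             = $Key
                Flags           = $flags
                CaPublishesHere = ($flags -band 1) -ne 0   # CSURL_SERVERPUBLISH: CA writes to this location
                InIssuedCerts   = ($flags -band 2) -ne 0   # CSURL_ADDTOCERTCDP: URL goes into issued certs
                Url             = $Matches[2].Trim()
            }
        }
    }
}

# 1. Outbound NTLM restriction: 0 or absent = Allow all, 1 = Audit all, 2 = Deny all
$ntlmOut = Get-PolicyDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictSendingNTLMTraffic'
if ($ntlmOut -eq 2)     { $ntlmText = 'Deny all' }
elseif ($ntlmOut -eq 1) { $ntlmText = 'Audit all' }
else                    { $ntlmText = 'Allow (not restricted)' }
"Outbound NTLM restriction : $ntlmText"

# 2. RPC endpoint mapper client authentication (the second answer says to leave this off)
$epAuth = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' 'EnableAuthEpResolution'
if ($epAuth -eq 1) { "RPC EPM client auth       : ENABLED (second answer recommends disabling)" }
else               { "RPC EPM client auth       : disabled / not configured" }

# 3. CDP and AIA: show every publication URL and flag the active ldap:/// entries.
#    A CA that publishes to an ldap:/// location must bind to a DC to do it, which
#    is exactly the hop that fails when only NTLM is available.
$urls = @(Get-CaPublicationUrls 'CRLPublicationURLs') + @(Get-CaPublicationUrls 'CACertPublicationURLs')
$urls | Format-Table Key, Flags, CaPublishesHere, InIssuedCerts, Url -AutoSize
$ldap = @($urls | Where-Object { $_.Url -like 'ldap:*' -and ($_.CaPublishesHere -or $_.InIssuedCerts) })
if ($ldap.Count -gt 0) { "Active LDAP CDP/AIA entries: $($ldap.Count) (second answer suggests HTTP only)" }

# 4. DC certificates issued from the default v1 "Domain Controller" template
#    (Disposition 20 = issued). The second answer wants DCs on a duplicate of
#    "Kerberos Authentication" instead, so anything listed here is a candidate to replace.
& certutil.exe -view -restrict 'Disposition=20,CertificateTemplate=DomainController' `
    -out 'RequestID,RequesterName,NotAfter' 2>&1

# 5. What the NTLM policy is actually stopping: with Audit or Deny configured, the
#    NTLM operational log records event 8001 for each outgoing NTLM attempt, and
#    the message names the target server the CA tried to reach.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Target'; e = { ($_.Message -split "`n")[0] } }
```

The script only reads; nothing is changed. `certutil -CRL` is the command-line equivalent of the "Publish > New CRL" step in the first answer if you want to republish after fixing the URLs, and the 8001 events are the quickest way to confirm which DC the CA was reaching over NTLM before and after each change.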
