Configure and validate the PKI in a hybrid certificate trust model
This article describes Windows Hello for Business functionalities or scenarios that apply to:
- Deployment type: hybrid
- Trust type: certificate trust
- Join type: Microsoft Entra join , Microsoft Entra hybrid join
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the certificate trust models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
Hybrid certificate trust deployments issue users a sign-in certificate, enabling them to authenticate to Active Directory using Windows Hello for Business credentials. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
Deploy an enterprise certification authority
This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server Active Directory Certificate Services role.
If you don't have an existing PKI, review Certification Authority Guidance to properly design your infrastructure. Then, consult the Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy for instructions on how to configure your PKI using the information from your design session.
Lab-based PKI
The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment.
Sign in using Enterprise Administrator equivalent credentials on a Windows Server where you want the certification authority (CA) installed.
Note
Never install a certification authority on a domain controller in a production environment.
- Open an elevated Windows PowerShell prompt
- Use the following command to install the Active Directory Certificate Services role.
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
- Use the following command to configure the CA using a basic certification authority configuration
Install-AdcsCertificationAuthority
Configure the enterprise PKI
Configure domain controller certificates
Clients must trust the domain controllers, and the best way to enable the trust is to ensure that each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the enterprise certification authority.
Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. The certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.
By default, the Active Directory CA provides and publishes the Kerberos Authentication certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.
Important
The certificates issued to the domain controllers must meet the following requirements:
- The Certificate Revocation List (CRL) distribution point extension must point to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder
- Optionally, the certificate Subject section could contain the directory path of the server object (the distinguished name)
- The certificate Key Usage section must contain Digital Signature and Key Encipherment
- Optionally, the certificate Basic Constraints section should contain:
[Subject Type=End Entity, Path Length Constraint=None]
- The certificate extended key usage section must contain Client Authentication (
1.3.6.1.5.5.7.3.2
), Server Authentication (1.3.6.1.5.5.7.3.1
), and KDC Authentication (1.3.6.1.5.2.3.5
) - The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name
- The certificate template must have an extension that has the value
DomainController
, encoded as a BMPstring. If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template - The domain controller certificate must be installed in the local computer's certificate store
Sign in to a CA or management workstations with Domain Administrator equivalent credentials.
Open the Certification Authority management console
Right-click Certificate Templates > Manage
In the Certificate Template Console, right-click the Kerberos Authentication template in the details pane and select Duplicate Template
Use the following table to configure the template:
Tab Name Configurations Compatibility - Clear the Show resulting changes check box
- Select Windows Server 2016 from the Certification Authority list
- Select Windows 10 / Windows Server 2016 from the Certification Recipient list
General - Specify a Template display name, for example Domain Controller Authentication (Kerberos)
- Set the validity period to the desired value
- Take note of the template name for later, which should be the same as the Template display name minus spaces
Subject Name - Select Build from this Active Directory information
- Select None from the Subject name format list
- Select DNS name from the Include this information in alternate subject list
- Clear all other items
Cryptography - Set the Provider Category to Key Storage Provider
- Set the Algorithm name to RSA
- Set the minimum key size to 2048
- Set the Request hash to SHA256
Select OK to finalize your changes and create the new template
Close the console
Note
Inclusion of the KDC Authentication OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
Important
For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
- Install the root CA certificate in the device's trusted root certificate store. See how to deploy a trusted certificate profile via Intune
- Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
Supersede existing domain controller certificates
The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called domain controller certificate. Later releases of Windows Server provided a new certificate template called domain controller authentication certificate. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension.
The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.
The autoenrollment feature allows you to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the Kerberos Authentication certificate template.
Sign in to a CA or management workstations with Enterprise Administrator equivalent credentials.
- Open the Certification Authority management console
- Right-click Certificate Templates > Manage
- In the Certificate Template Console, right-click the Domain Controller Authentication (Kerberos) (or the name of the certificate template you created in the previous section) template in the details pane and select Properties
- Select the Superseded Templates tab. Select Add
- From the Add Superseded Template dialog, select the Domain Controller certificate template and select OK > Add
- From the Add Superseded Template dialog, select the Domain Controller Authentication certificate template and select OK
- From the Add Superseded Template dialog, select the Kerberos Authentication certificate template and select OK
- Add any other enterprise certificate templates that were previously configured for domain controllers to the Superseded Templates tab
- Select OK and close the Certificate Templates console
The certificate template is configured to supersede all the certificate templates provided in the superseded templates list.
However, the certificate template and the superseding of certificate templates isn't active until the template is published to one or more certificate authorities.
Note
The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a non-Microsoft CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. To see all certificates in the NTAuth store, use the following command:
Certutil -viewstore -enterprise NTAuth
Configure an enrollment agent certificate template
A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA.
The CRA enrolls for an enrollment agent certificate. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request.
Important
Follow the procedures below based on the AD FS service account used in your environment.
Create an enrollment agent certificate for Group Managed Service Accounts (GMSA)
Sign in to a CA or management workstations with Domain Administrator equivalent credentials.
Open the Certification Authority management console
Right-click Certificate Templates and select Manage
In the Certificate Template Console, right-click on the Exchange Enrollment Agent (Offline request) template details pane and select Duplicate Template
Use the following table to configure the template:
Tab Name Configurations Compatibility - Clear the Show resulting changes check box
- Select Windows Server 2016 from the Certification Authority list
- Select Windows 10 / Windows Server 2016 from the Certification Recipient list
General - Specify a Template display name, for example WHFB Enrollment Agent
- Set the validity period to the desired value
Subject Name Select Supply in the request
Note: Group Managed Service Accounts (GMSA) don't support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.Cryptography - Set the Provider Category to Key Storage Provider
- Set the Algorithm name to RSA
- Set the minimum key size to 2048
- Set the Request hash to SHA256
Security - Select Add
- Select Object Types and select the Service Accounts check box
- Select OK
- Type
adfssvc
in the Enter the object names to select text box and select OK - Select the adfssvc from the Group or users names list. In the Permissions for adfssvc section:
- In the Permissions for adfssvc section, select the Allow check box for the Enroll permission
- Excluding the adfssvc user, clear the Allow check box for the Enroll and Autoenroll permissions for all other items in the Group or users names list
- Select OK
Select OK to finalize your changes and create the new template
Close the console
Create an enrollment agent certificate for a standard service account
Sign in to a CA or management workstations with Domain Administrator equivalent credentials.
Open the Certification Authority management console
Right-click Certificate Templates and select Manage
In the Certificate Template Console, right-click on the Exchange Enrollment Agent (Offline request) template details pane and select Duplicate Template
Use the following table to configure the template:
Tab Name Configurations Compatibility - Clear the Show resulting changes check box
- Select Windows Server 2016 from the Certification Authority list
- Select Windows 10 / Windows Server 2016 from the Certificate Recipient list
General - Specify a Template display name, for example WHFB Enrollment Agent
- Set the validity period to the desired value
Subject Name - Select Build from this Active Directory information
- Select Fully distinguished name from the Subject name format list
- Select the User Principal Name (UPN) check box under Include this information in alternative subject name
Cryptography - Set the Provider Category to Key Storage Provider
- Set the Algorithm name to RSA
- Set the minimum key size to 2048
- Set the Request hash to SHA256
Security - Select Add
- Select Object Types and select the Service Accounts check box
- Select OK
- Type
adfssvc
in the Enter the object names to select text box and select OK - Select the adfssvc from the Group or users names list. In the Permissions for adfssvc section:
- In the Permissions for adfssvc section, select the Allow check box for the Enroll permission
- Excluding the adfssvc user, clear the Allow check box for the Enroll and Autoenroll permissions for all other items in the Group or users names list
- Select OK
Select OK to finalize your changes and create the new template
Close the console
Configure a Windows Hello for Business authentication certificate template
During Windows Hello for Business provisioning, Windows clients request an authentication certificate from AD FS, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template.
Sign in to a CA or management workstations with Domain Administrator equivalent credentials.
Open the Certification Authority management console
Right-click Certificate Templates and select Manage
In the Certificate Template Console, right-click the Smartcard Logon template and select Duplicate Template
Use the following table to configure the template:
Tab Name Configurations Compatibility - Clear the Show resulting changes check box
- Select Windows Server 2016 from the Certification Authority list
- Select Windows 10 / Windows Server 2016 from the Certification Recipient list
General - Specify a Template display name, for example WHFB Authentication
- Set the validity period to the desired value
- Take note of the template name for later, which should be the same as the Template display name minus spaces
Subject Name - Select Build from this Active Directory information
- Select Fully distinguished name from the Subject name format list
- Select the User Principal Name (UPN) check box under Include this information in alternative subject name
Cryptography - Set the Provider Category to Key Storage Provider
- Set the Algorithm name to RSA
- Set the minimum key size to 2048
- Set the Request hash to SHA256
Extensions Verify the Application Policies extension includes Smart Card Logon Issuance Requirements - Select the This number of authorized signatures check box. Type 1 in the text box
- Select Application policy from the Policy type required in signature
- Select Certificate Request Agent from in the Application policy list
- Select the Valid existing certificate option
Request Handling Select the Renew with same key check box Security - Select Add
- Target an Active Directory security group that contains the users that you want to enroll in Windows Hello for Business. For example, if you have a group called Window Hello for Business Users, type it in the Enter the object names to select text box and select OK
- Select the Windows Hello for Business Users from the Group or users names list. In the Permissions for Windows Hello for Business Users section:
- Select the Allow check box for the Enroll permission
- Excluding the group above (for example, Window Hello for Business Users), clear the Allow check box for the Enroll and Autoenroll permissions for all other entries in the Group or users names section if the check boxes aren't already cleared
- Select OK
Select OK to finalize your changes and create the new template
Close the console
Mark the template as the Windows Hello Sign-in template
Sign in to a CA or management workstations with Enterprise Administrator equivalent credentials
Open an elevated command prompt end execute the following command
certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY
If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY
parameter. Example:
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication
Old Value:
msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888)
CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
TEMPLATE_SERVER_VER_WINBLUE<<CTPRIVATEKEY_FLAG_SERVERVERSION_SHIFT -- 50000 (327680)
TEMPLATE_CLIENT_VER_WINBLUE<<CTPRIVATEKEY_FLAG_CLIENTVERSION_SHIFT -- 5000000 (83886080)
New Value:
msPKI-Private-Key-Flag REG_DWORD = 5250080 (86311040)
CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
TEMPLATE_SERVER_VER_WINBLUE<<CTPRIVATEKEY_FLAG_SERVERVERSION_SHIFT -- 50000 (327680)
CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -- 200000 (2097152)
TEMPLATE_CLIENT_VER_WINBLUE<<CTPRIVATEKEY_FLAG_CLIENTVERSION_SHIFT -- 5000000 (83886080)
CertUtil: -dsTemplate command completed successfully."
Note
If you gave your Windows Hello for Business Authentication certificate template a different name, then replace WHFBAuthentication
in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the General tab of the certificate template using the Certificate Template management console (certtmpl.msc).
Unpublish Superseded Certificate Templates
The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue, including the pre-published templates from the role installation and any superseded templates.
The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
Sign in to the CA or management workstation with Enterprise Administrator equivalent credentials.
- Open the Certification Authority management console
- Expand the parent node from the navigation pane > Certificate Templates
- Right-click the Domain Controller certificate template and select Delete. Select Yes on the Disable certificate templates window
- Repeat step 3 for the Domain Controller Authentication and Kerberos Authentication certificate templates
Publish the certificate templates to the CA
A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
Sign in to the CA or management workstations with Enterprise Admin equivalent credentials.
- Open the Certification Authority management console
- Expand the parent node from the navigation pane
- Select Certificate Templates in the navigation pane
- Right-click the Certificate Templates node. Select New > Certificate Template to issue
- In the Enable Certificates Templates window, select the Domain Controller Authentication (Kerberos), WHFB Enrollment Agent and WHFB Authentication templates you created in the previous steps > select OK
- Close the console
Important
If you plan to deploy Microsoft Entra joined devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to update your CA to include an http-based CRL distribution point.
Configure and deploy certificates to domain controllers
Configure automatic certificate enrollment for the domain controllers
Domain controllers automatically request a certificate from the Domain controller certificate template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. For domain controllers to automatically enroll and renew of certificates, configure a GPO for automatic certificate enrollment, and link it to the Domain Controllers OU.
- Open the Group Policy Management Console (gpmc.msc)
- Expand the domain and select the Group Policy Object node in the navigation pane
- Right-click Group Policy object and select New
- Type Domain Controller Auto Certificate Enrollment in the name box and select OK
- Right-click the Domain Controller Auto Certificate Enrollment Group Policy object and select Edit
- In the navigation pane, expand Policies under Computer Configuration
- Expand Windows Settings > Security Settings > Public Key Policies
- In the details pane, right-click Certificate Services Client - Auto-Enrollment and select Properties
- Select Enabled from the Configuration Model list
- Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box
- Select the Update certificates that use certificate templates check box
- Select OK
- Close the Group Policy Management Editor
Deploy the domain controller auto certificate enrollment GPO
Sign in to domain controller or management workstations with Domain Administrator equivalent credentials.
- Start the Group Policy Management Console (gpmc.msc)
- In the navigation pane, expand the domain and expand the node with the Active Directory domain name. Right-click the Domain Controllers organizational unit and select Link an existing GPO…
- In the Select GPO dialog box, select Domain Controller Auto Certificate Enrollment or the name of the domain controller certificate enrollment Group Policy object you previously created
- Select OK
Validate the configuration
Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful deployment is to validate phases of work prior to moving to the next phase.
Confirm your domain controllers enroll the correct certificates and not any superseded certificate templates. Check that each domain controller completed the certificate autoenrollment.
Use the event logs
Sign in to domain controller or management workstations with Domain Administrator equivalent credentials.
- Using the Event Viewer, navigate to the Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System event log
- Look for an event indicating a new certificate enrollment (autoenrollment):
- The details of the event include the certificate template on which the certificate was issued
- The name of the certificate template used to issue the certificate should match the certificate template name included in the event
- The certificate thumbprint and EKUs for the certificate are also included in the event
- The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template
Certificates superseded by your new domain controller certificate generate an archive event in the Event Log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
Certificate Manager
You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use certlm.msc to view certificate in the local computers certificate stores. Expand the Personal store and view the certificates enrolled for the computer. Archived certificates don't appear in Certificate Manager.
Certutil.exe
You can use certutil.exe
command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run the following command:
certutil.exe -q -store my
To view detailed information about each certificate in the store, and to validate automatic certificate enrollment enrolled the proper certificates, use the following command:
certutil.exe -q -v -store my
Troubleshooting
Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using gpupdate.exe /force
.
Alternatively, you can forcefully trigger automatic certificate enrollment using certreq.exe -autoenroll -q
from an elevated command prompt.
Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions.
Section review and next steps
Before moving to the next section, ensure the following steps are complete:
- Configure domain controller certificates
- Supersede existing domain controller certificates
- Unpublish superseded certificate templates
- Configure an enrollment agent certificate template
- Configure an authentication certificate template
- Publish the certificate templates to the CA
- Deploy certificates to the domain controllers
- Validate the domain controllers configuration