WHfB certificate template concern

asked 2020-09-29T08:46:06.823+00:00
Steve Cooke 1 Reputation point

Hi All
We are wanting to deploy WHfB using Key trust following the below Microsoft guide
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-guide
We have most prerequisites in place as we already have a Hybrid model using AD connect for O365.
My main concern is around replacing the Domain Controller Authentication (Kerberos) certificate template. Is there any potential for things to go wrong? E.g. could AD break, or could clients get disconnected from the domain, etc.? It seems to me that this template is central to client authentication, so in a worst-case scenario I would think things could go very bad.

Thanks
Steve


2 answers

  1. answered 2020-10-03T02:16:54.027+00:00
    Marilee Turscak-MSFT 20,401 Reputation points Microsoft Employee

    Superseded certificate templates may be an issue, but it's easily avoided if you have the right policies in place. If you don't have autoenrollment configured properly for users, it can result in the deletion of certificates from users' AD stores, based on the certificate templates being superseded by other certificate templates.

    However, the troubleshooting steps for overcoming this issue (or better yet, configuring things properly so that this doesn't happen) are covered here.

    In addition to the deployment guide you linked, I would also recommend checking out this additional WHFB deployment guide. This discusses some of the important considerations when replacing the Domain Controller.

    Let me know if that's what you were looking for!

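    Before and after superseding the Domain Controller Authentication template, it is worth confirming on each DC that a certificate with the full set of KDC-capable EKUs is still present and that the old one was replaced rather than silently removed. The following PowerShell is an added example, not code from the thread or from Microsoft's guide; the EKU and template-extension OIDs it checks are taken from the standard definitions and are assumed here, and the function and variable names are my own.

```powershell
# Added example (not from the original thread): inventory the certificates in a
# domain controller's machine store and report which ones carry every EKU that a
# KDC certificate used for Hello for Business key trust needs. Run it on each DC
# (or wrap it in Invoke-Command) before and after the template change.

# EKU OIDs, taken from the standard definitions (assumption: these are the ones
# your new template issues; adjust if your template differs).
$RequiredEku = @{
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'
    'KDC Authentication'    = '1.3.6.1.5.2.3.5'
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
}
# Certificate Template Information (V2 templates) and Certificate Template Name (V1 templates).
$TemplateExtOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')

function Get-KdcCertificateReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # hypothetical helper name
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # Collect every EKU OID the certificate carries.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object -MemberName Value })
        # Human-readable template info, so you can see which template issued it.
        $template = (@($cert.Extensions | Where-Object { $TemplateExtOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) })) -join '; '
        # Which of the required EKUs is this certificate missing?
        $missing = @($RequiredEku.GetEnumerator() |
            Where-Object { $ekus -notcontains $_.Value } |
            ForEach-Object -MemberName Key)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Template   = $template
            MissingEku = ($missing -join ', ')
            KdcCapable = ($missing.Count -eq 0)
        }
    }
}

# KDC-capable certificates are listed first; an empty result or no KdcCapable=True
# row means this DC cannot satisfy key-trust logons until a new certificate is issued.
Get-KdcCertificateReport | Sort-Object KdcCapable -Descending | Format-Table -AutoSize
```

    Run it once per DC and keep the output: a row that disappears after the change, with no KdcCapable replacement, is exactly the "deleted by supersedence" case the answer warns about.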

  2. answered 2020-10-06T08:19:28.997+00:00
    Steve Cooke 1 Reputation point

    Thanks for the info, Marilee. We don't currently have AD Certificate Services on our domain; is there no way to do this using something in Azure AD rather than using AD CS?
    Is there any risk that installing AD CS now would cause any issues for our domain, and for the two-way trusts we have set up with two other domains?

    Thanks
    Steve
