Microsoft PKI certificate templates: RAS and IAS server vs Kerberos Authentication for DCs

Anonymous
2024-03-27T01:45:44+00:00

Hi,

I ran into an issue today: our vCloud Director website found a new certificate issued from our domain, which was not expected. When we select the SSL option in VROPS, the LDAP communication is secured by the certificate provided by the domain controllers.

After checking, I see there are 2 certificates, renewed based on 2 different templates: RAS and IAS Server and Kerberos Authentication. Both of them are used for client authentication and server authentication. Now the issue is that vCloud Director was using the cert issued from the Kerberos Authentication template, but this time, as the RAS/IAS Server cert got renewed 2 days ago, when VROPS connects to LDAP it is prompted with a new cert renewed from the RAS/IAS template. I am not sure why this is happening and wanted to know if there is a way to force the Kerberos Authentication certificate to be used for VROPS LDAP communication. Also, I am not sure why the certificate provided by our domain controller changed to the one using the RAS/IAS Server template.

Thank you.


2 answers

  1. Anonymous
    2024-03-27T07:26:19+00:00

    Hi Gina Qu,

    Thank you for posting in the Microsoft Community Forum.

    1. Forcing VROPS to use a specific certificate:
      • In most cases, applications use the certificates configured in their trust store. If you want VROPS to use a specific certificate for LDAP communication, you should ensure that the certificate you want it to use is correctly configured in its trust store. This often involves importing the desired certificate into the appropriate trust store used by VROPS. The exact steps for doing this depend on the specific version and configuration of VROPS you are using.
    2. Understanding why the certificate changed:
      • Certificates can be renewed automatically or manually, depending on the settings in your Certificate Authority (CA) or group policy. It's possible that the RAS/IAS server certificate was set to renew automatically, causing it to be updated without your explicit action.
      • It's also worth checking the certificate templates and policies in your Active Directory environment to understand why the RAS/IAS server template was used for renewing the certificate instead of the Kerberos Authentication template.
    3. Investigating LDAP communication issues:
      • If the certificate mismatch is causing LDAP communication issues, you should verify that the certificate presented by the LDAP server (in this case, your Domain Controller) is trusted by the client (VROPS). This involves ensuring that the certificate chain is valid and that the root CA certificate is trusted by the client.
      • You can use tools like OpenSSL to inspect the certificates presented by the LDAP server and verify their details, such as the certificate issuer, subject, expiration date, etc. This can help in diagnosing any discrepancies between the expected and actual certificates.
    4. Resolving the certificate mismatch:
      • Once you've identified the root cause of the certificate mismatch and ensured that the correct certificate is trusted by VROPS, you may need to update the certificate configuration in VROPS to use the desired certificate for LDAP communication. This may involve importing the correct certificate into the trust store used by VROPS and configuring LDAP settings to use that certificate.
    5. Preventing future issues:
      • To prevent similar issues in the future, review your certificate renewal policies and ensure that they align with your application requirements. You may also consider documenting and regularly reviewing your certificate configurations to catch any discrepancies or unexpected changes.

    Best regards

    Neuvi Jiang

  2. Anonymous
    2024-03-27T13:26:20+00:00

    Hi Neuvi,

    Thank you for your response.

    I am trying to understand why the mismatch happens, since I have different templates used for different purposes.

    However, both the Kerberos Authentication and RAS/IAS Server certificates can provide client authentication and server authentication; only the Kerberos Authentication one also does smart card logon and KDC authentication. They are both in the trusted personal cert store, and normally when VROPS connects to the domain controllers for LDAP queries, the proper cert is pushed to VROPS and presented for acceptance. This never happened before, and these 2 certs have always been in the same store and used for different things. Therefore, I have no clue where the issue is. Can you please help me troubleshoot?

    From what I saw in the VROPS configuration, VROPS does not define or save the cert; when SSL is enabled for LDAPS, the connected DC provides the proper cert and asks for acceptance. Now I want to know how I can make the right cert be used by VROPS without harming the other one.

    I just realized that my RAS/IAS cert got auto-renewed last Sunday as its 6-week renewal period started, which is expected behavior. After it was renewed, it became the longest-lived cert with the Server Authentication EKU, so it became the one used by services needing the Server Authentication purpose. In this case, I think when the Kerberos cert is renewed tomorrow it will be pushed again, but I do not want the same situation to happen, so I want to kind of hard-code the cert to be used. Is there a way of setting priority on the cert?

    Thank you.

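The first answer suggests inspecting the certificate the LDAPS endpoint presents, and the follow-up describes the observed selection rule (the longest-lived certificate carrying the Server Authentication EKU wins). The following Python script is an added example, not code from the thread or from Microsoft: it decodes the Extended Key Usage extension from its DER value with a minimal ASN.1 reader, tells a Kerberos Authentication style certificate (KDC Authentication plus Smart Card Logon EKUs) apart from a RAS and IAS Server style one (Client and Server Authentication only), and then applies the poster's observed rule to a constructed store inventory to flag when the certificate a service would receive is not the template it expects. The inventory, dates and template names are constructed for the demo, and the selection rule is the poster's observation in this thread, not documented Schannel behaviour.

```python
"""Decode the EKU extension of DC certificates and check which template an
LDAPS client would be presented with. Added example; the store inventory is
constructed and the selection rule is the observation from the thread."""
from datetime import datetime, timedelta

# Well-known EKU OIDs (RFC 5280, RFC 4556 and Microsoft-assigned values)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
KDC_AUTH = "1.3.6.1.5.2.3.5"
EKU_NAMES = {
    SERVER_AUTH: "Server Authentication",
    CLIENT_AUTH: "Client Authentication",
    SMART_CARD_LOGON: "Smart Card Logon",
    KDC_AUTH: "KDC Authentication",
}


def _encode_length(n):
    """DER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_base128(n):
    """Base-128 arc encoding with continuation bits, most significant first."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _encode_base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _encode_base128(arc)
    return b"\x06" + _encode_length(len(body)) + body


def encode_eku(oids):
    """Encode an ExtKeyUsageSyntax (SEQUENCE OF KeyPurposeId) extension value."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_length(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_eku(der):
    """Return the list of dotted EKU OIDs from an EKU extension value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE must contain only OIDs")
        oids.append(decode_oid(value))
    return oids


def eku_names(der):
    return [EKU_NAMES.get(o, o) for o in decode_eku(der)]


def looks_like_kerberos_auth(der):
    """Kerberos Authentication template adds KDC Authentication and Smart Card Logon."""
    return {KDC_AUTH, SMART_CARD_LOGON} <= set(decode_eku(der))


def select_presented(certs, now):
    """Thread's observed rule: among valid certs with Server Authentication,
    the one expiring latest is the one the DC presents to LDAPS clients."""
    candidates = [c for c in certs
                  if c["not_before"] <= now <= c["not_after"]
                  and SERVER_AUTH in decode_eku(c["eku"])]
    return max(candidates, key=lambda c: c["not_after"]) if candidates else None


def check_expected(certs, now, expected_template):
    """Return a warning string when the presented cert is not the expected template."""
    chosen = select_presented(certs, now)
    if chosen is None:
        return "no valid Server Authentication certificate in the store"
    if chosen["template"] != expected_template:
        return (f"LDAPS would present the {chosen['template']} certificate "
                f"(expires {chosen['not_after']:%Y-%m-%d}), not {expected_template}")
    return None


# Constructed inventory mirroring the thread: RAS/IAS renewed 2 days ago,
# Kerberos Authentication due to renew tomorrow.
NOW = datetime(2024, 3, 27)
DC_STORE = [
    {"template": "Kerberos Authentication",
     "eku": encode_eku([SERVER_AUTH, CLIENT_AUTH, SMART_CARD_LOGON, KDC_AUTH]),
     "not_before": NOW - timedelta(days=364), "not_after": NOW + timedelta(days=1)},
    {"template": "RAS and IAS Server",
     "eku": encode_eku([CLIENT_AUTH, SERVER_AUTH]),
     "not_before": NOW - timedelta(days=2), "not_after": NOW + timedelta(days=363)},
]

if __name__ == "__main__":
    for cert in DC_STORE:
        print(cert["template"], "->", ", ".join(eku_names(cert["eku"])))
    print(check_expected(DC_STORE, NOW, "Kerberos Authentication"))
```

Against a real domain controller, the EKU and "Certificate Template Information" lines of the presented certificate can be read with `openssl s_client -connect <dc-hostname>:636 -showcerts </dev/null` piped into `openssl x509 -noout -text` (hostname is a placeholder); the decoder above takes the DER value of that EKU extension, and `check_expected` is the kind of check worth running after every auto-enrollment renewal so a template swap is noticed before a dependent service rejects the new certificate.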