Mitigating NTLM Relay Attacks on Active Directory Certificate Services

Duncan 56 Reputation points
2021-07-26T08:18:53.113+00:00

I have some questions left...

There is a section in the KB5005413 article which mentions manually editing the web.config file: After enabling EPA in the UI, the Web.config file created by CES role at 'windir\systemdata\CES_CES_Kerberos\web.config'...

I have only installed 'Certificate Authority Web Enrollment', not the 'Certificate Enrollment Web Service'. I cannot find a web.config there. Is web.config editing only necessary if you have installed 'Certificate Enrollment Web Service'?

When I set Certificate Authority Web Enrollment to only 'Negotiate:Kerberos', the UI warns about 'Enable Kernel-mode authentication' under Extended Protection.

The MS screenshot in KB5005413 (Certificate Authority Web Enrollment) shows that MS has checked the box for 'Enable Kernel-mode authentication' and selected 'Required' under Extended Protection.

What is correct? To disable 'Enable Kernel-mode authentication' and set Extended Protection to 'Required' while using only 'Negotiate: Kerberos' ?

Please help/clarify - thank you

Windows Server

Accepted answer
    Daisy Zhou 23,346 Reputation points Microsoft Vendor
    2021-07-27T07:15:30.303+00:00

    Hello @Duncan ,

    Thank you for posting here.

    Here are the answers for your references.

    I have only installed 'Certificate Authority Web Enrollment', not the 'Certificate Enrollment Web Service'. I cannot find a web.config there. Is web.config editing only necessary if you have installed 'Certificate Enrollment Web Service'?
    A1: Yes, from the article, we can see it is.

    What is correct? To disable 'Enable Kernel-mode authentication' and set Extended Protection to 'Required' while using only 'Negotiate: Kerberos' ?
    A2: However, if you can't disable NTLM outright, then we recommend enabling EPA on AD CS services. This is achieved by:
    enabling 'Enable Kernel-mode authentication' and setting Extended Protection to 'Required'.

    Or you can remove 'Certificate Authority Web Enrollment' role if you do not need it.

    Hope the information above is helpful to you.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

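The settings the accepted answer describes for Certificate Authority Web Enrollment, applied with PowerShell and read back, as an added example that is not code from the thread or from KB5005413. It uses the WebAdministration module on the AD CS web server and assumes the /CertSrv application sits under 'Default Web Site' and that any Certificate Enrollment Web Service web.config files live under %windir%\systemdata\CES; both paths are assumptions, adjust them to your server. The last step is a read-only check of the CES web.config that only runs when that role is also installed, since Web Enrollment alone creates no such file.

```powershell
# Added example (not from the thread or from KB5005413). Run in an elevated
# PowerShell on the AD CS web server; needs the WebAdministration module.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$psPath   = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/CertSrv'   # assumption: Web Enrollment under the default site
$winAuth  = 'system.webServer/security/authentication/windowsAuthentication'
$common   = @{ PSPath = $psPath; Location = $location }

# 1. Windows authentication on, anonymous off. CertSrv already ships this way;
#    re-asserting it keeps the script idempotent.
Set-WebConfigurationProperty @common -Filter $winAuth -Name enabled -Value $true
Set-WebConfigurationProperty @common `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false

# 2. Extended Protection = Required: the client must present a channel binding
#    token tied to the TLS session, which a relayed authentication cannot supply.
#    Kernel-mode authentication stays enabled, as in the KB5005413 screenshot.
Set-WebConfigurationProperty @common -Filter "$winAuth/extendedProtection" `
    -Name tokenChecking -Value 'Require'
Set-WebConfigurationProperty @common -Filter $winAuth -Name useKernelMode -Value $true

# 3. Providers: only Negotiate:Kerberos. Plain 'Negotiate' still permits an NTLM
#    fallback, so it is removed together with NTLM.
$providers = "$winAuth/providers"
foreach ($p in 'NTLM', 'Negotiate') {
    Remove-WebConfigurationProperty @common -Filter $providers -Name '.' `
        -AtElement @{ value = $p } -ErrorAction SilentlyContinue
}
$have = @((Get-WebConfiguration @common -Filter $providers).Collection | ForEach-Object { $_.value })
if ($have -notcontains 'Negotiate:Kerberos') {
    Add-WebConfigurationProperty @common -Filter $providers -Name '.' `
        -Value @{ value = 'Negotiate:Kerberos' }
}

# 4. EPA binds the authentication to a TLS channel, so the app must require SSL.
Set-WebConfigurationProperty @common -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl'

# 5. Read the effective settings back and record one pass/fail per item.
$wa   = Get-WebConfiguration @common -Filter $winAuth
$ep   = Get-WebConfiguration @common -Filter "$winAuth/extendedProtection"
$acc  = Get-WebConfiguration @common -Filter 'system.webServer/security/access'
$prov = @((Get-WebConfiguration @common -Filter $providers).Collection | ForEach-Object { $_.value })

$checks = [ordered]@{
    'Windows authentication enabled' = [bool]$wa.enabled
    'Kernel-mode authentication'     = [bool]$wa.useKernelMode
    'Extended Protection = Require'  = ([string]$ep.tokenChecking -eq 'Require')
    'Providers = Negotiate:Kerberos' = (($prov -join ',') -eq 'Negotiate:Kerberos')
    'Require SSL'                    = ([string]$acc.sslFlags -match '\bSsl\b')
}

# 6. Only when the Certificate Enrollment Web Service role is also installed: its
#    web.config needs <extendedProtectionPolicy policyEnforcement="Always" /> under
#    the Kerberos binding's <transport> element. An absent directory is not a
#    finding; Web Enrollment by itself creates no such file.
$cesRoot = Join-Path $env:windir 'systemdata\CES'   # assumed CES web.config location
if (Test-Path $cesRoot) {
    Get-ChildItem -Path $cesRoot -Filter web.config -Recurse | ForEach-Object {
        [xml]$doc = Get-Content -Path $_.FullName -Raw
        $nodes = $doc.SelectNodes('//transport/extendedProtectionPolicy[@policyEnforcement="Always"]')
        $checks["CES web.config EPA Always ($($_.Directory.Name))"] = ($nodes.Count -gt 0)
    }
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if (@($checks.Values) -contains $false) { exit 1 }
```

Kernel-mode authentication makes http.sys decrypt the Kerberos service ticket with the computer account rather than the application pool identity, which is why the IIS UI warns when you touch it. For CertSrv, whose SPN belongs to the server's computer account, that combination with Extended Protection set to Required is exactly what the KB5005413 screenshot shows; only an application pool running under a custom domain account would additionally need useAppPoolCredentials for Kerberos to keep working.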
