Hybrid key trust deployment guide

This article describes Windows Hello for Business functionalities or scenarios that apply to:


Important

Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the key trust model. For more information, see cloud Kerberos trust deployment.

Requirements

Before starting the deployment, review the requirements described in the Plan a Windows Hello for Business Deployment article.

Ensure that the following requirements are met before you begin:

Deployment steps

Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:

Configure and validate the Public Key Infrastructure

Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the key trust model. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.

Key trust deployments don't need client-issued certificates for on-premises authentication. Microsoft Entra Connect Sync configures Active Directory user accounts for public key mapping, by synchronizing the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (msDS-KeyCredentialLink attribute).

A Windows Server-based PKI or a non-Microsoft Enterprise certification authority can be used. For more information, see Requirements for domain controller certificates from a non-Microsoft CA.

Deploy an enterprise certification authority

This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server Active Directory Certificate Services role.
If you don't have an existing PKI, review Certification Authority Guidance to properly design your infrastructure. Then, consult the Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy for instructions on how to configure your PKI using the information from your design session.

Lab-based PKI

The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment.

Sign in using Enterprise Administrator equivalent credentials on a Windows Server where you want the certification authority (CA) installed.

Note

Never install a certification authority on a domain controller in a production environment.

  1. Open an elevated Windows PowerShell prompt
  2. Use the following command to install the Active Directory Certificate Services role.
    Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
    
  3. Use the following command to configure the CA using a basic certification authority configuration
    Install-AdcsCertificationAuthority
    

Configure the enterprise PKI

Configure domain controller certificates

Clients must trust the domain controllers, and the best way to enable the trust is to ensure that each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the enterprise certification authority.

Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. The certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.

By default, the Active Directory CA provides and publishes the Kerberos Authentication certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.

Important

The certificates issued to the domain controllers must meet the following requirements:

  • The Certificate Revocation List (CRL) distribution point extension must point to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder
  • Optionally, the certificate Subject section could contain the directory path of the server object (the distinguished name)
  • The certificate Key Usage section must contain Digital Signature and Key Encipherment
  • Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]
  • The certificate extended key usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5)
  • The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name
  • The certificate template must have an extension that has the value DomainController, encoded as a BMPstring. If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template
  • The domain controller certificate must be installed in the local computer's certificate store

Sign in to a CA or management workstations with Domain Administrator equivalent credentials.

  1. Open the Certification Authority management console

  2. Right-click Certificate Templates > Manage

  3. In the Certificate Template Console, right-click the Kerberos Authentication template in the details pane and select Duplicate Template

  4. Use the following table to configure the template:

    Tab Name Configurations
    Compatibility
    • Clear the Show resulting changes check box
    • Select Windows Server 2016 from the Certification Authority list
    • Select Windows 10 / Windows Server 2016 from the Certification Recipient list
    General
    • Specify a Template display name, for example Domain Controller Authentication (Kerberos)
    • Set the validity period to the desired value
    • Take note of the template name for later, which should be the same as the Template display name minus spaces
    Subject Name
    • Select Build from this Active Directory information
    • Select None from the Subject name format list
    • Select DNS name from the Include this information in alternate subject list
    • Clear all other items
    Cryptography
    • Set the Provider Category to Key Storage Provider
    • Set the Algorithm name to RSA
    • Set the minimum key size to 2048
    • Set the Request hash to SHA256
  5. Select OK to finalize your changes and create the new template

  6. Close the console

Note

Inclusion of the KDC Authentication OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.

Important

For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:

  • Install the root CA certificate in the device's trusted root certificate store. See how to deploy a trusted certificate profile via Intune
  • Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL

Supersede existing domain controller certificates

The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called domain controller certificate. Later releases of Windows Server provided a new certificate template called domain controller authentication certificate. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension.

The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.
The autoenrollment feature allows you to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the Kerberos Authentication certificate template.

Sign in to a CA or management workstations with Enterprise Administrator equivalent credentials.

  1. Open the Certification Authority management console
  2. Right-click Certificate Templates > Manage
  3. In the Certificate Template Console, right-click the Domain Controller Authentication (Kerberos) (or the name of the certificate template you created in the previous section) template in the details pane and select Properties
  4. Select the Superseded Templates tab. Select Add
  5. From the Add Superseded Template dialog, select the Domain Controller certificate template and select OK > Add
  6. From the Add Superseded Template dialog, select the Domain Controller Authentication certificate template and select OK
  7. From the Add Superseded Template dialog, select the Kerberos Authentication certificate template and select OK
  8. Add any other enterprise certificate templates that were previously configured for domain controllers to the Superseded Templates tab
  9. Select OK and close the Certificate Templates console

The certificate template is configured to supersede all the certificate templates provided in the superseded templates list.
However, the certificate template and the superseding of certificate templates isn't active until the template is published to one or more certificate authorities.

Note

The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a non-Microsoft CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. To see all certificates in the NTAuth store, use the following command:

Certutil -viewstore -enterprise NTAuth

Unpublish Superseded Certificate Templates

The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue, including the pre-published templates from the role installation and any superseded templates.

The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.

Sign in to the CA or management workstation with Enterprise Administrator equivalent credentials.

  1. Open the Certification Authority management console
  2. Expand the parent node from the navigation pane > Certificate Templates
  3. Right-click the Domain Controller certificate template and select Delete. Select Yes on the Disable certificate templates window
  4. Repeat step 3 for the Domain Controller Authentication and Kerberos Authentication certificate templates

Publish the certificate template to the CA

A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.

Sign in to the CA or management workstations with Enterprise Admin equivalent credentials.

  1. Open the Certification Authority management console
  2. Expand the parent node from the navigation pane
  3. Select Certificate Templates in the navigation pane
  4. Right-click the Certificate Templates node. Select New > Certificate Template to issue
  5. In the Enable Certificates Templates window, select the Domain Controller Authentication (Kerberos) template you created in the previous steps > select OK
  6. Close the console

Important

If you plan to deploy Microsoft Entra joined devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to update your CA to include an http-based CRL distribution point.

Configure and deploy certificates to domain controllers

Configure automatic certificate enrollment for the domain controllers

Domain controllers automatically request a certificate from the Domain controller certificate template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. For domain controllers to automatically enroll and renew of certificates, configure a GPO for automatic certificate enrollment, and link it to the Domain Controllers OU.

  1. Open the Group Policy Management Console (gpmc.msc)
  2. Expand the domain and select the Group Policy Object node in the navigation pane
  3. Right-click Group Policy object and select New
  4. Type Domain Controller Auto Certificate Enrollment in the name box and select OK
  5. Right-click the Domain Controller Auto Certificate Enrollment Group Policy object and select Edit
  6. In the navigation pane, expand Policies under Computer Configuration
  7. Expand Windows Settings > Security Settings > Public Key Policies
  8. In the details pane, right-click Certificate Services Client - Auto-Enrollment and select Properties
  9. Select Enabled from the Configuration Model list
  10. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box
  11. Select the Update certificates that use certificate templates check box
  12. Select OK
  13. Close the Group Policy Management Editor

Deploy the domain controller auto certificate enrollment GPO

Sign in to domain controller or management workstations with Domain Administrator equivalent credentials.

  1. Start the Group Policy Management Console (gpmc.msc)
  2. In the navigation pane, expand the domain and expand the node with the Active Directory domain name. Right-click the Domain Controllers organizational unit and select Link an existing GPO…
  3. In the Select GPO dialog box, select Domain Controller Auto Certificate Enrollment or the name of the domain controller certificate enrollment Group Policy object you previously created
  4. Select OK

Validate the configuration

Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful deployment is to validate phases of work prior to moving to the next phase.

Confirm your domain controllers enroll the correct certificates and not any superseded certificate templates. Check that each domain controller completed the certificate autoenrollment.

Use the event logs

Sign in to domain controller or management workstations with Domain Administrator equivalent credentials.

  1. Using the Event Viewer, navigate to the Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System event log
  2. Look for an event indicating a new certificate enrollment (autoenrollment):
    • The details of the event include the certificate template on which the certificate was issued
    • The name of the certificate template used to issue the certificate should match the certificate template name included in the event
    • The certificate thumbprint and EKUs for the certificate are also included in the event
    • The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template

Certificates superseded by your new domain controller certificate generate an archive event in the Event Log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.

Certificate Manager

You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use certlm.msc to view certificate in the local computers certificate stores. Expand the Personal store and view the certificates enrolled for the computer. Archived certificates don't appear in Certificate Manager.

Certutil.exe

You can use certutil.exe command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run the following command:

certutil.exe -q -store my

To view detailed information about each certificate in the store, and to validate automatic certificate enrollment enrolled the proper certificates, use the following command:

certutil.exe -q -v -store my

Troubleshooting

Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using gpupdate.exe /force.

Alternatively, you can forcefully trigger automatic certificate enrollment using certreq.exe -autoenroll -q from an elevated command prompt.

Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions.

Section review and next steps

Before moving to the next section, ensure the following steps are complete:

  • Configure domain controller certificate template
  • Supersede existing domain controller certificates
  • Unpublish superseded certificate templates
  • Publish the certificate template to the CA
  • Deploy certificates to the domain controllers
  • Validate the domain controllers configuration