Use an Existing Domain Controller Certificate
  • 24 Jul 2023
  • 2 Minutes to read
  • Dark
    Light
  • PDF

Use an Existing Domain Controller Certificate

  • Dark
    Light
  • PDF

Article summary

If you want to use your existing Kerberos Domain Controller certificates, andif PKI logon has never been tested, we require checking the health of the existing Domain Controller certificates

If you are already using a smart card to logon, there is no action on your part.

To Check the Health of Existing Domain Controller Certificates

NOTE
The command to perform this check must be executed as a domain administrator. You can execute this command from any machine on the domain.
  1. For output displayed in the console, run the certutil -dcinfo verify command.
  2. For output saved in a file, run the certutil -dcinfo verify > C:\temp\dcinfo.txt command.

This process queries every Domain Controller in the domain and looks for a certificate compatible with PKI login. 

Example Output

The following example output is from a lab domain with only 1 domain controller; it will help you identify the important information from that file. Use this example output for the scenarios below.

Within the output, check the following:

  1. Ensure there are no errors. Errors are a sign that the environment is not healthy, and something needs to be done.
    • In the Example output, the following error displays:
      Snippet of Example output:
      A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.   0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
    • Resolution:
      • This is usually a sign that a CA certificate in the chain of the PKI that issued the Domain Controller(s) certificate is missing in one of the stores.
      • You must identify the chain by reviewing the Domain Controller certificate itself and reviewing the stores using the commands listed in Validate the Kerberos Certificate section above to identify what certificate is missing where.
  2. Ensure each Domain Controller listed has at least one certificate.
    • In the Example output, the following is a correct certificate listing:
      Snippet of Example output:
      3 KDC certificates for ZEUS
  3. Ensure the Domain Controller certificate(s) have the following application policies:
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    Application[3] = 1.3.6.1.5.2.3.5 KDC Authentication
    • In the Example output, Certificate 1 is not a valid certificate because it has the application policy 1.3.6.1.4.1.311.21.19 Directory Service Email Replication only.
  4. Ensure the Domain Controller certificate(s) have their own FQDN in the subject alternative name extension.
    • In the Example output, Certificate 0 and Certificate 2 are correct:
      Snippet of Example output:
      SubjectAltName: DNS Name=Zeus.olympus.lab, DNS Name=vipldap.olympus.lab SubjectAltName: DNS Name=Zeus.olympus.lab, DNS Name=olympus.lab, DNS Name=OLYMPUS
  5. If Strict KDC validation is enabled in your domain (GPO “Require strict KDC validation” in Computer Configuration > Administrative Templates > System > Kerberos), the subject alternative name extension must include the FQDN of the domain.
    • In the Example output, only Certificate 2is correct:
      Snippet of Example output:
      SubjectAltName: DNS Name=Zeus.olympus.lab, DNS Name=olympus.lab, DNS Name=OLYMPUS
    • To identify Strict KDC validation, ensure the C:temp folder exists and run the gpresult /h c:\temp\gpreport.html command.

kerb_example


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.