Use an Existing Domain Controller Certificate
- 24 Jul 2023
- 2 Minutes to read
- Print
- DarkLight
- PDF
Use an Existing Domain Controller Certificate
- Updated on 24 Jul 2023
- 2 Minutes to read
- Print
- DarkLight
- PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
If you want to use your existing Kerberos Domain Controller certificates, andif PKI logon has never been tested, we require checking the health of the existing Domain Controller certificates.
If you are already using a smart card to logon, there is no action on your part.
To Check the Health of Existing Domain Controller Certificates
NOTE
The command to perform this check must be executed as a domain administrator. You can execute this command from any machine on the domain.
- For output displayed in the console, run the certutil -dcinfo verify command.
- For output saved in a file, run the certutil -dcinfo verify > C:\temp\dcinfo.txt command.
This process queries every Domain Controller in the domain and looks for a certificate compatible with PKI login.
Example Output
The following example output is from a lab domain with only 1 domain controller; it will help you identify the important information from that file. Use this example output for the scenarios below.
Within the output, check the following:
- Ensure there are no errors. Errors are a sign that the environment is not healthy, and something needs to be done.
- In the Example output, the following error displays:Snippet of Example output:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA) - Resolution:
- This is usually a sign that a CA certificate in the chain of the PKI that issued the Domain Controller(s) certificate is missing in one of the stores.
- You must identify the chain by reviewing the Domain Controller certificate itself and reviewing the stores using the commands listed in Validate the Kerberos Certificate section above to identify what certificate is missing where.
- In the Example output, the following error displays:
- Ensure each Domain Controller listed has at least one certificate.
- In the Example output, the following is a correct certificate listing:Snippet of Example output:
3 KDC certificates for ZEUS
- In the Example output, the following is a correct certificate listing:
- Ensure the Domain Controller certificate(s) have the following application policies:
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Application[3] = 1.3.6.1.5.2.3.5 KDC Authentication- In the Example output, Certificate 1 is not a valid certificate because it has the application policy 1.3.6.1.4.1.311.21.19 Directory Service Email Replication only.
- Ensure the Domain Controller certificate(s) have their own FQDN in the subject alternative name extension.
- In the Example output, Certificate 0 and Certificate 2 are correct:Snippet of Example output:
SubjectAltName: DNS Name=Zeus.olympus.lab, DNS Name=vipldap.olympus.lab SubjectAltName: DNS Name=Zeus.olympus.lab, DNS Name=olympus.lab, DNS Name=OLYMPUS
- In the Example output, Certificate 0 and Certificate 2 are correct:
- If Strict KDC validation is enabled in your domain (GPO “Require strict KDC validation” in Computer Configuration > Administrative Templates > System > Kerberos), the subject alternative name extension must include the FQDN of the domain.
- In the Example output, only Certificate 2is correct:Snippet of Example output:
SubjectAltName: DNS Name=Zeus.olympus.lab, DNS Name=olympus.lab, DNS Name=OLYMPUS - To identify Strict KDC validation, ensure the C:temp folder exists and run the gpresult /h c:\temp\gpreport.html command.
- In the Example output, only Certificate 2is correct:
Was this article helpful?
