Active Directory - Page 4 - Uwe Gradenegger

Automatically change passwords for accounts that require login via smartcard or Windows Hello for Business

A new feature of Windows Server 2016 is that the passwords for accounts that have a plain Login with smartcards be automatically renewed according to the password light lines.

If the "Smart card is required for interactive logon" option is enabled for a user account, the password of the user account is set to a random value once. However, the password never changes after that, which makes the account more vulnerable to pass-the-hash attacks.

The newly introduced feature solves this problem by generating new randomly generated passwords for corresponding accounts on a regular basis (depending on the password policy configured for the account).

Classification of ADCS components in the Administrative Tiering Model

If, in addition to the Active Directory Certificate Services, the administrative tiering model is also implemented for the Active Directory directory service, the question arises as to how the individual PKI components are to be assigned to this model in order to be able to perform targeted security hardening.

Basics and risk assessment Delegation settings

Delegation is required whenever there is an intermediary between the user and the actual service. In the case of certification authority web registration, this would be the case if it is installed on a separate server. It then acts as an intermediary between the applicant and the certification authority.

After installing or migrating a certificate authority to a new server, you can no longer publish your own certificate templates

Assume the following scenario:

An Active Directory integrated certificate authority (Enterprise CA) is integrated in the network.
The certification authority was migrated to a new server (see also article "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server„).
When publishing the certificate templates, one notices that only the Standard certificate templates to be selected for publication. Own certificate templates are not displayed.

Description of certificate template generations

Below is a description of the different generations of certificate templates (schema versions) and the innovations introduced with them.

Requesting a certificate fails with the error message "You cannot request a certificate at this time because no certificate types are available."

Assume the following scenario:

You try to apply for a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
To do this, use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
The logged-in user also has the necessary permissions to request certificates from the certificate template in question (enroll).
You don't get any certificate templates to choose from, even though they are correctly published on the certificate authorities.
There is also no "Show hidden templates" option. This usually appears at the bottom left of the dialog.
The following error message is displayed:

Certificate types are not available. You cannot request a certificate at this time because no certificate types are available. If you need a certificate, contact your administrator.

Publishing a certificate template on a CA fails with error message "The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

An administrator publishes a certificate template on a certificate authority.
The operation fails with the following error message:

The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Use Authentication Mechanism Assurance (AMA) to secure administrative account logins.

Authentication Mechanism Assurance (AMA) is a feature designed to ensure that a user is a member of a security group only if they can be shown to have logged in using a strong authentication method (i.e., a smart card). If the user logs in via username and password instead, he or she will not have access to the requested resources.

Originally intended for access to file servers, however, AMA can also be used (with some restrictions) for administrative logon. Thus, for example, it would be conceivable for a user to be unprivileged when logging in with a username and password, and to have administrative rights when logging in with a certificate.

Basics of certificate application via Certificate Enrollment Web Services (CEP, CES) with the MS-XCEP and MS-WSTEP protocols

With Windows Server 2008 R2 and Windows 7, a new functionality for certificate enrollment has been introduced: The Certificate Enrollment Web Services, which are mapped by two server roles:

Certificate Enrollment Policy Web Service (CEP)
Certificate Enrollment Web Services (CES)

The following is a description of the background to these roles, how they work, and the possible deployment scenarios.

Basics of manual and automatic certificate requests via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM) with the MS-WCCE protocol

The following describes the process that runs in the background when certificates are requested manually or automatically in order to achieve the highest possible level of automation.

Manually running the autoenrollment process

By default, all domain members automatically replicate the Public Key Services object he Active Directory forest through the autoenrollment process. The triggers for this are:

When the user logs in (for computers, when the computer account logs in, i.e. at system startup).
By timer every 8 hours.
When updating group policies, assuming there has been a change.

If you do not want to wait for the autoenrollment to be triggered automatically, you can start it manually. The different ways to run the autoenrollment process are described below.

Associate a universal security group with an Object Identifier (OID) in the Active Directory directory service (Authentication Mechanism Assurance).

Authentication Mechanism Assurance (AMA) provides the ability to tie membership in a security group to enrollment with a smart card certificate containing a specific Object Identifier (OID).

If the user does not log in with the smartcard certificate, but with user name and password, he is also not a member of the security group.

The following describes how to establish the connection between the certificate and the security group.

Configuring a Certificate Template for Authentication Mechanism Assurance (AMA)

Authentication Mechanism Assurance (AMA) provides the ability to tie membership in a security group to enrollment with a smart card certificate containing a specific Object Identifier (OID).

If the user does not log in with the smartcard certificate, but with user name and password, he is also not a member of the security group.

The following describes how to generate a certificate template for use with Authentication Mechanism Assurance.

Domain Controller Certificate Templates and Smartcard Logon

In order for domain controllers to process smart card logins, they need certificates that provide this function.

(Re-)Installing the Microsoft Standard Certificate Templates

There may be cases where it is necessary to install the standard Microsoft certificate templates before installing the first Active Directory integrated certificate authority (Enterprise Certification Authority), or to reinstall the templates, for example because they have been corrupted or otherwise modified.