
Enabling Strict KDC Validation in Windows Kerberos

Microsoft Corporation
Published: July 2010
Version 1.1

Abstract
This article describes how a Kerberos deployment can be configured to meet certain
conditions that help assure that smart card users are authenticating against a valid
Kerberos domain controller. This article applies to Windows Vista, Windows
Server 2008, Windows 7, and Windows Server 2008 R2.

Information in this document, including URL and other Internet Web site references,
is subject to change without notice. Unless otherwise noted, the companies,
organizations, products, domain names, e-mail addresses, logos, people, places,
and events depicted in examples herein are fictitious. No association with any real
company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright
laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as
expressly provided in any written license agreement from Microsoft, the furnishing
of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows Server, and Windows Vista are trademarks of the
Microsoft group of companies.

All other trademarks are property of their respective owners.

Contents

Background
What Is Strict KDC Validation?
Requirements to Ensure Strict KDC Validation
    Client support for the Require strict KDC validation setting
    Domain controller and CA support for autoenrollment of the Kerberos Authentication certificate
    DC using Kerberos Authentication certificate
Validation
    Check if the domain policy has Require strict KDC validation enabled
    Check if CA has Kerberos Authentication template enabled
    Check if the domain controller has the Kerberos Authentication KDC Certificate
Causes for Smart Card Authentication Failures
    Problem: Cross Forest smartcard logon is failing but domain smart card logon succeeds
        Solution: Explicitly add the cross-forest enterprise CA roots to the NTAuth store of the forest where the computer is domain-joined
    Problem: KDC does not have KDC certificate based on Kerberos Authentication certificate templates
        Solution: Explicitly enroll for a KDC certificate by using the Certificate MMC
        Solution: Triggering autoenrollment using CertUtil.exe
        Solution: Configuring autoenrollment
    Problem: CA cannot issue KDC certificates based on Kerberos Authentication certificate templates
        Solution: Adding the Kerberos Authentication Template using Certificate Authority Snap-in
        Solution: Adding the Kerberos Authentication Template using CertUtil
    Problem: KDC has older KDC certificates
        Solution: Revoking Domain Controller and Domain Controller Authentication certificates
        Solution: Removing Domain Controller and Domain Controller Authentication certificate templates on a CA

Background
By default, Windows client computers using Kerberos authentication with smart card
logon do not require or validate the key distribution center (KDC) Extended Key
Usage (EKU) in the domain controller's certificate. Although support was added in
Windows Vista to enforce strict KDC validation, this functionality cannot be enabled
by default because it would cause authentication failures until configuration
preconditions are met. This article describes how a Kerberos deployment can be
configured to meet these preconditions, which help assure that the smart card user
is authenticating against a valid Kerberos domain controller.

What Is Strict KDC Validation?

Strict KDC validation is a more restrictive set of criteria that must be met by a KDC
for successful authentication. This functionality is controlled by a Group Policy
setting called Require strict KDC validation, which was added in Windows Vista.
A system with this policy enabled will validate certificate-based AS-REP messages
from domain controllers by ensuring that all of the following are met:

- The domain controller has the private key for the certificate provided.
- For domain-joined systems, the certification authority (CA) that issued the
  KDC's certificate is in the NTAuth store.
- For non-domain-joined systems, the root CA of the KDC's certificate is in the
  Third-Party Root CA or Smart Card Trusted Roots store.
- The KDC's certificate has the KDC EKU.
- The DNSName field of the KDC certificate's subjectAltName (SAN) extension
  matches the DNS name of the domain.

Because enabling this policy before all domain controllers for the smart card
users' account domains use such a certificate will leave those smart card users
unable to authenticate, it is critical to validate the deployment before enabling
the policy. KDCs use only one certificate, which is selected when the KDC service
starts. This means that if another certificate is obtained after the KDC service
starts, that new certificate will not be used.
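The criteria above can be checked on a domain controller before the policy is turned on. The following PowerShell script is an added example, not code from the paper: it walks the computer's Personal (MY) store, reports every certificate that carries the KDC EKU or comes from one of the older Domain Controller templates, and evaluates the private-key, NTAuth, EKU and SAN conditions for each. It assumes that the KDC Authentication EKU is OID 1.3.6.1.5.2.3.5 and that "certutil -store -enterprise NTAuth" prints a "Cert Hash(sha1):" line for each CA in the NTAuth store; both are assumptions, not statements from the paper.

```powershell
# Added example (not code from the Microsoft paper): audit the certificates in
# this domain controller's Personal (MY) store against the strict KDC validation
# criteria. Run in an elevated PowerShell session on the DC.
# Assumptions not stated in the paper: the KDC Authentication EKU is OID
# 1.3.6.1.5.2.3.5, and "certutil -store -enterprise NTAuth" prints a
# "Cert Hash(sha1):" line for every CA in the NTAuth store.

$KdcEkuOid    = '1.3.6.1.5.2.3.5'                                   # KDC Authentication EKU
$EkuOid       = '2.5.29.37'                                         # extendedKeyUsage extension
$SanOid       = '2.5.29.17'                                         # subjectAltName extension
$TemplateOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')   # v2 / v1 template extensions

function Get-NTAuthThumbprints {
    # SHA-1 hashes of the CAs trusted for domain logon, normalized to the form
    # the Cert: provider uses for Thumbprint (upper case, no spaces).
    certutil -store -enterprise NTAuth 2>$null | ForEach-Object {
        if ($_ -match 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') {
            ($Matches[1] -replace ' ', '').ToUpper()
        }
    }
}

function Get-KdcCertificateReport {
    param([string]$DomainDnsName = (Get-WmiObject Win32_ComputerSystem).Domain)

    $ntAuth = @(Get-NTAuthThumbprints)
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Collect the EKU OIDs; the 2.5.29.37 extension is typed X509EnhancedKeyUsageExtension.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -eq $EkuOid) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
            }
        }
        $hasKdcEku = $ekus -contains $KdcEkuOid
        # Template extension text, e.g. "Template=Kerberos Authentication(...)" or "DomainController".
        $template = ($cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } |
                     ForEach-Object { $_.Format($false) }) -join '; '
        # Only KDC certificates and leftovers from the older DC templates are of interest.
        if (-not $hasKdcEku -and $template -notmatch 'Domain ?Controller') { continue }

        # Format($false) renders the SAN as "DNS Name=corp.example.com, DNS Name=dc1...".
        $sanDns = @($cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid } |
                    ForEach-Object { [regex]::Matches($_.Format($false), 'DNS Name=([^,\s]+)') } |
                    ForEach-Object { $_.Groups[1].Value })
        # The issuing CA must be in NTAuth; look its certificate up by subject name.
        $issuer = Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
                  Where-Object { $_.Subject -eq $cert.Issuer } | Select-Object -First 1

        New-Object PSObject -Property @{
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            Template         = $template
            HasPrivateKey    = $cert.HasPrivateKey
            HasKdcEku        = $hasKdcEku
            SanMatchesDomain = ($sanDns -contains $DomainDnsName)
            IssuerInNTAuth   = ($issuer -ne $null -and $ntAuth -contains $issuer.Thumbprint)
            LegacyDcTemplate = ($template -match 'Domain ?Controller')
        }
    }
}

# A DC is ready for the policy when its KDC certificate shows every check True and
# no LegacyDcTemplate entries remain.
Get-KdcCertificateReport | Format-List Thumbprint, Template, NotAfter, HasPrivateKey,
    HasKdcEku, SanMatchesDomain, IssuerInNTAuth, LegacyDcTemplate
```

The report deliberately lists certificates from the Domain Controller and Domain Controller Authentication templates as well, because the paper's later sections require that none of them remain on the DC; a clean result is one Kerberos Authentication certificate with all checks True and nothing flagged as LegacyDcTemplate.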

Requirements to Ensure Strict KDC Validation

For an organization to have an environment that does not experience smart card
user authentication failures for existing users and ensures domain-joined systems
adhere to the additional strict KDC validation policy when using smart card
authentication, the following are required:

- All domain policies have the Computer Configuration\Administrative
  Templates\System\Kerberos\Require strict KDC validation Group Policy
  setting enabled.
- All Windows smart card clients support the Require strict KDC validation
  policy setting.
- All domain controllers and CAs that are set up to issue domain controller
  certificates support autoenrollment of KDC certificates based on Kerberos
  Authentication certificate templates.
  Note: Manual enrollment is possible but requires regular administrator
  action to ensure that KDC certificates are kept up to date.
- All domain controllers have had only the KDC certificate based on Kerberos
  Authentication certificate templates as their KDC certificate since the KDC was
  last started.

Client support for strict KDC validation

The following table lists the versions of Windows that support smart card
authentication and can be configured to support strict KDC validation.

Client Version            Strict KDC Validation available?
Windows Vista             Yes
Windows Server 2008       Yes
Windows 7                 Yes
Windows Server 2008 R2    Yes

When the Require strict KDC validation Group Policy setting is enabled, the
Kerberos client on domain-joined systems will fail smart card (and other certificate)
initial authentication (AS-REP) when strict KDC validation fails.

Domain controller and CA support for autoenrollment of the Kerberos
Authentication certificate

The following table lists the versions of Windows that support auto-renewal for the
KDC certificate based on Kerberos Authentication certificate templates.

                         Certificate Authorities
DC                       Windows Server 2008 RTM           Windows Server 2008 SP2   Windows Server 2008 R2
Windows Server 2003      No, manual enrollment required    Yes                       Yes
Windows Server 2008      No, manual enrollment required    Yes                       Yes
Windows Server 2008 R2   Yes                               Yes                       Yes

Ensure that at least one CA is set up to issue the Kerberos Authentication template
and that Domain Controller and Domain Controller Authentication templates are not
issued by any CAs.

Domain controllers using the Kerberos Authentication certificate

KDCs use only one certificate, which is selected when the KDC service starts. This
means that if another certificate is obtained after the KDC service starts, that new
certificate will not be used. Additionally, the following requirements must be met:

- Ensure all domain controllers are configured with a valid certificate based on
  the Kerberos Authentication template or otherwise containing the KDC EKU.
- Ensure all domain controllers have no Domain Controller or Domain Controller
  Authentication certificates.
- To assure success, the KDC service must be restarted after obtaining the
  certificate with the KDC EKU.

Validation
Check if the domain policy requires strict KDC validation
1. Open the Group Policy Management Console.

Figure 1: Windows Server 2008 R2 Administrative Tools

2. Right-click Default Domain Policy, and click Edit.

Figure 2: Windows Server 2008 R2 Group Policy Management Console


3. Click Show for Administrative Templates.

Figure 3: Windows Server 2008 R2 Default Domain Policy


4. Click Show for System/Kerberos.

5. Require strict KDC validation should be Enabled.

Figure 4: Windows Server 2008 R2 with Require strict KDC validation enabled

Check if the CA has the Kerberos Authentication template enabled:
1. Open the Certification Authority snap-in.
2. Click Certificate Templates.
3. Kerberos Authentication should be listed in the right pane.

Figure 5: Windows Server 2008 R2 CA with Kerberos Authentication template
enabled

Check if the domain controller has the Kerberos Authentication KDC certificate

To discover the KDC certificates for a given domain controller:
1. Open an administrator Command Prompt.
2. Type certutil.exe -DCInfo.
If the domain controller has one KDC certificate, then one KDC Certificate in MY
store will be returned.

Figure 6: Windows Server 2008 R2 domain controller with one KDC Kerberos
Authentication certificate

If the certificate is based on a Kerberos Authentication template, then it will be
stated in the Template field.
If the domain controller has multiple KDC certificates, then information for each
certificate will be returned.

Figure 7: Windows Server 2008 R2 domain controller with multiple KDC certificates
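The policy check and the CA template check above can be scripted so they are repeated on every domain controller and every CA before the policy is rolled out. The following PowerShell is an added example, not code from the paper. It assumes two things the paper does not state: that the Require strict KDC validation policy is applied as the DWORD KdcValidation (1 = enabled) under HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Kerberos\Parameters, and that "certutil -CATemplates -config <CA>" prints one "<TemplateName>: <Display Name> -- ..." line per template the CA is set up to issue. The CA name in the usage line is a constructed placeholder.

```powershell
# Added example (not code from the Microsoft paper): automates the domain policy
# check and the CA template check from the Validation section.
# Assumptions not stated in the paper: the "Require strict KDC validation" policy
# is stored as the DWORD KdcValidation (1 = enabled) under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Kerberos\Parameters, and
# "certutil -CATemplates" prints one "<TemplateName>: <Display Name> -- ..." line
# per template the CA issues.

function Test-StrictKdcValidationPolicy {
    # True only when the policy has actually been applied to this computer.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $key -Name KdcValidation -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.KdcValidation -eq 1)
}

function Get-CATemplateStatus {
    # $CAConfig uses certutil's "<CA machine name>.<domain name>\<CA common name>" form.
    param([Parameter(Mandatory = $true)][string]$CAConfig)
    $names = @(certutil -CATemplates -config $CAConfig 2>&1 | ForEach-Object {
        if ("$_" -match '^(\w+):\s') { $Matches[1] }     # template name before the colon
    })
    New-Object PSObject -Property @{
        CAConfig                     = $CAConfig
        IssuesKerberosAuthentication = ($names -contains 'KerberosAuthentication')
        IssuesDomainController       = ($names -contains 'DomainController')
        IssuesDomainControllerAuth   = ($names -contains 'DomainControllerAuthentication')
    }
}

function Test-StrictKdcPreconditions {
    # Returns $true when the policy is applied here, at least one CA issues the
    # Kerberos Authentication template, and no CA still issues the older DC templates.
    param([Parameter(Mandatory = $true)][string[]]$CAConfigs)
    $ok = $true
    if (-not (Test-StrictKdcValidationPolicy)) {
        Write-Warning 'Require strict KDC validation is not applied to this computer.'
        $ok = $false
    }
    $kerberosIssuers = 0
    foreach ($config in $CAConfigs) {
        $status = Get-CATemplateStatus -CAConfig $config
        if ($status.IssuesKerberosAuthentication) { $kerberosIssuers++ }
        if ($status.IssuesDomainController -or $status.IssuesDomainControllerAuth) {
            Write-Warning "$config still issues Domain Controller or Domain Controller Authentication."
            $ok = $false
        }
    }
    if ($kerberosIssuers -eq 0) {
        Write-Warning 'No CA issues the Kerberos Authentication template.'
        $ok = $false
    }
    return $ok
}

# Usage (the CA name is a constructed placeholder):
Test-StrictKdcPreconditions -CAConfigs 'ca01.corp.example.com\Corp Issuing CA'
```

Run it on each domain controller that will serve smart card users; the registry check reflects the policy as applied to that computer, which is what the Kerberos client reads, rather than what the GPO editor shows.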

Causes for Smart Card Authentication Failures


Problem: Cross-forest smart card logon is failing but domain smart card logon
succeeds
Solution: Explicitly add the cross-forest enterprise CA roots to the NTAuth
store of the forest where the computer is domain-joined
Details for adding issuing CAs to the NTAuth store can be found in the Cross-forest
Certificate Enrollment with Windows Server 2008 R2 whitepaper.

Problem: KDC does not have KDC certificate based on Kerberos Authentication
certificate templates

For the KDC to successfully authenticate a smart card user requiring strict KDC
validation, the KDC must be using a certificate with the KDC EKU. This requires both
a Kerberos Authentication certificate and a restart of the KDC service.
There are three possible solutions:

- To manually get a certificate:
  Solution: Explicitly enroll for a KDC certificate by using the Certificates snap-in
- If autoenrollment is configured:
  Solution: Trigger autoenrollment by using Certutil.exe
- If autoenrollment is not configured:
  Solution: Configure autoenrollment, then Solution: Trigger autoenrollment by
  using Certutil.exe

Solution: Explicitly enroll for a KDC certificate by using the Certificates
snap-in
1. Open the Certificates snap-in. On the File menu, click Add/Remove snap-in.
2. In the Add or Remove Snap-ins dialog box, select Certificates, click Add,
and then click OK.

Figure 8: Windows Server 2008 R2 domain controller adding snap-in


3. In the Certificates snap-in dialog box, click Computer account, and click
Next.


Figure 9: Windows Server 2008 R2 domain controller selecting type


4. In the Select Computer dialog box, click Local computer, and click Finish.

Figure 10: Windows Server 2008 R2 domain controller selecting computer


5. Open Personal, and right-click Certificates.
6. Select All Tasks.


7. Select Request New Certificate.

Figure 11: Windows Server 2008 R2 domain controller manually enrolling


8. Click Next.

Figure 12: Windows Server 2008 R2 domain controller manually enrolling



9. Select Active Directory Enrollment Policy, and click Next.

Figure 13: Windows Server 2008 R2 domain controller selecting Active
Directory Enrollment Policy


10. Select the Kerberos Authentication check box, and click Enroll.

Figure 14: Windows Server 2008 R2 domain controller selecting template


If Kerberos Authentication is not available, then check if the Kerberos
Authentication template is available on CAs that issue KDC certificates. If the
template is enabled, then ensure that domain controllers have Enroll permission
and Autoenroll permission.
Confirm that the domain controller has the Kerberos Authentication KDC certificate:
1. Open an administrator Command Prompt.
2. Type certutil.exe -DCInfo.
If the domain controller has a KDC Kerberos Authentication KDC certificate, then
information for the certificate will be returned where Kerberos Authentication is in
the Template field.


Figure 15: Windows Server 2008 R2 domain controller with KDC Kerberos
Authentication certificate
Restart the KDC service:
3. Type net stop KDC.
4. After the KDC service is stopped, type net start KDC.

Figure 16: Windows Server 2008 R2 domain controller restarted


Solution: Trigger autoenrollment by using Certutil.exe
Pulse the domain controller autoenrollment:
1. Open an administrator Command Prompt.


2. Type certutil.exe -pulse.

Figure 17: Windows Server 2008 R2 domain controller triggering
autoenrollment
Confirm the domain controller has the Kerberos Authentication KDC certificate:
3. Type certutil.exe -DCInfo.
If the domain controller has a KDC Kerberos Authentication KDC certificate, then
information for the certificate will be returned where Kerberos Authentication is in
the Template field.

Figure 18: Windows Server 2008 R2 domain controller with KDC Kerberos
Authentication certificate
Restart the KDC service:

4. Type net stop KDC.


5. After the KDC service is stopped, type net start KDC.

Figure 19: Windows Server 2008 R2 domain controller restarted
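Both procedures above end the same way: confirm that a certificate with the KDC EKU is present, then restart the KDC service, because the KDC only selects its certificate at start. The following PowerShell is an added example, not code from the paper, that performs the autoenrollment pulse, waits for a KDC certificate to appear in the computer's Personal store, and restarts the service only when such a certificate exists. It assumes the KDC Authentication EKU is OID 1.3.6.1.5.2.3.5 and that the service name is "kdc"; neither is stated in the paper.

```powershell
# Added example (not code from the Microsoft paper): trigger autoenrollment,
# wait for a certificate with the KDC EKU, and restart the KDC only when one is
# present. Run in an elevated PowerShell session on the domain controller.
# Assumptions not stated in the paper: the KDC Authentication EKU is OID
# 1.3.6.1.5.2.3.5 and the service name of the Kerberos Key Distribution
# Center is "kdc".

$KdcEkuOid = '1.3.6.1.5.2.3.5'

function Test-KdcEku {
    # True when the certificate's extendedKeyUsage (2.5.29.37) lists the KDC EKU.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.37') {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $KdcEkuOid) { return $true }
            }
        }
    }
    return $false
}

function Get-KdcEkuCertificates {
    # Certificates in MY that the KDC could actually use: private key plus KDC EKU.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey -and (Test-KdcEku $_) }
}

function Update-KdcCertificate {
    param([int]$TimeoutSeconds = 120, [switch]$RestartIfUnchanged, [switch]$DryRun)

    $before = @(Get-KdcEkuCertificates | ForEach-Object { $_.Thumbprint })
    certutil -pulse | Out-Null                 # step 2 above; enrollment runs asynchronously

    # Poll the store until a new KDC certificate shows up or the timeout passes.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $after = @(Get-KdcEkuCertificates)
        $new   = @($after | Where-Object { $before -notcontains $_.Thumbprint })
    } until ($new.Count -gt 0 -or (Get-Date) -gt $deadline)

    if ($after.Count -eq 0) {
        Write-Warning 'No certificate with the KDC EKU is present; the KDC service is left untouched.'
        return $false
    }
    if ($new.Count -eq 0 -and -not $RestartIfUnchanged) {
        Write-Host 'No new KDC certificate; use -RestartIfUnchanged if the KDC started before the existing one was obtained.'
        return $false
    }
    foreach ($cert in $after) {
        Write-Host ('KDC certificate {0} valid until {1}' -f $cert.Thumbprint, $cert.NotAfter)
    }
    if ($DryRun) { Write-Host 'DryRun: would restart the kdc service now.'; return $true }
    Restart-Service -Name kdc -Force           # same effect as "net stop KDC" then "net start KDC"
    return $true
}

# Rehearse first, then run without -DryRun during a maintenance window.
Update-KdcCertificate -DryRun
```

The function refuses to restart the service when no usable KDC certificate exists, which is the failure the paper warns about: restarting a KDC that has no Kerberos Authentication certificate does not help, and with the policy enabled the clients would keep failing.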


Solution: Configure autoenrollment
Setting up ACLs and Group Policy for autoenrollment is documented here:
http://technet.microsoft.com/en-us/library/cc778954(WS.10).aspx.
Setting up ACLs programmatically can be done with the template API. An example is
documented here: http://blogs.technet.com/b/pki/archive/2009/09/26/introducing-certificate-template-api.aspx.

Problem: CA cannot issue KDC certificates based on Kerberos Authentication
certificate templates

To issue certificates based on the Kerberos Authentication template, the template
must be enabled on the CA. Either the Certification Authority snap-in or Certutil
can be used.
Solution: Add the Kerberos Authentication Template by using the Certification
Authority snap-in:
1. Open the Certification Authority snap-in.
2. Right-click Certificate Templates.
3. Point to New.


4. Click Certificate Template to Issue.

Figure 20: Windows Server 2008 R2 CA adding new template


5. In the Enable Certificate Templates dialog box, select Kerberos
Authentication, and click OK.

Figure 21: Windows Server 2008 R2 CA selecting template


6. Now Kerberos Authentication is listed in the right pane.

Figure 22: Windows Server 2008 R2 CA with Kerberos Authentication template


Solution: Add the Kerberos Authentication Template by using Certutil:
Add the Kerberos Authentication template:
1. Open an administrator Command Prompt.
2. Type Certutil.exe -config <CA machine name>.<domain name>\<CA
common name> -setcatemplates +KerberosAuthentication where <CA
machine name> is the machine name of the CA, <domain name> is the DNS
domain name, and <CA common name> is the common name of the CA.


Figure 23: Windows Server 2008 R2 CA adding template with certutil

Problem: KDC has older KDC certificates

KDCs use only one certificate, which is selected when the service starts; that
means if a new certificate is obtained after the KDC service starts, that newer
certificate will not be used. To ensure that the Kerberos Authentication certificate
on a domain controller is always used, there should be no Domain Controller or
Domain Controller Authentication certificates in use, which means revoking any
existing certificates and ensuring CAs do not issue certificates based on the older
templates.
Before removing the older certificates, ensure the DC has a certificate based on the
Kerberos Authentication template, or smart card authentication will not be
supported by this domain controller. If the domain controller does not have a
certificate based on the Kerberos Authentication certificate template, then see
Problem: KDC does not have KDC certificate based on Kerberos Authentication
certificate templates.
Solution: Revoke Domain Controller and Domain Controller Authentication
certificates
First, query the CA database to find all certificates based on the Domain
Controller and Domain Controller Authentication templates that are still time
valid and get a list of serial numbers. Use a query similar to the ones in
http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx,
restricting by template=DomainController and template=DomainControllerAuthentication.
Then, use the list with the certutil -revoke command.
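The query-then-revoke procedure above, as an added PowerShell example that is not code from the paper. It lists issued, still-valid certificates from the two older templates in the CA database and revokes them with reason code 4 (Superseded), but only when -Execute is given, so the first run is a dry run. It assumes, beyond what the paper states, that the restriction column is named CertificateTemplate (the paper abbreviates it to template=), that disposition 20 means issued, that certutil accepts "now" in date restrictions, and that "-out SerialNumber" prints one 'Serial Number: "<hex>"' line per row. Version 2 templates such as Domain Controller Authentication are recorded in the database by template OID, so if a template name returns no rows, pass its OID instead. The CA name in the usage line is a constructed placeholder.

```powershell
# Added example (not code from the Microsoft paper): find issued, time-valid
# certificates based on the Domain Controller and Domain Controller
# Authentication templates in the CA database and revoke them as Superseded.
# Nothing is revoked unless -Execute is given.
# Assumptions not stated in the paper: the restriction column is
# CertificateTemplate, Disposition 20 = issued, certutil accepts "now" in date
# restrictions, and "-out SerialNumber" prints 'Serial Number: "<hex>"' rows.
# v2 templates are stored by OID; pass the OID if the name returns no rows.

function Get-LegacyDcCertificateSerials {
    param(
        [Parameter(Mandatory = $true)][string]$CAConfig,   # "<CA machine name>.<domain name>\<CA common name>"
        [string[]]$Templates = @('DomainController', 'DomainControllerAuthentication')
    )
    foreach ($template in $Templates) {
        $restrict = "Disposition=20,NotAfter>now,CertificateTemplate=$template"
        certutil -config $CAConfig -view -restrict $restrict -out 'SerialNumber' 2>&1 | ForEach-Object {
            if ("$_" -match 'Serial Number:\s*"?([0-9a-fA-F]+)"?') {
                New-Object PSObject -Property @{ Template = $template; SerialNumber = $Matches[1] }
            }
        }
    }
}

function Revoke-LegacyDcCertificates {
    # Returns the number of matching certificates; revokes them only with -Execute.
    param([Parameter(Mandatory = $true)][string]$CAConfig, [switch]$Execute)
    $rows = @(Get-LegacyDcCertificateSerials -CAConfig $CAConfig)
    foreach ($row in $rows) {
        if ($Execute) {
            # Reason 4 = Superseded: the DC now holds a Kerberos Authentication certificate.
            certutil -config $CAConfig -revoke $row.SerialNumber 4 | Out-Null
            Write-Host ('Revoked {0} ({1})' -f $row.SerialNumber, $row.Template)
        } else {
            Write-Host ('Would revoke {0} ({1})' -f $row.SerialNumber, $row.Template)
        }
    }
    return $rows.Count
}

# Dry run first; confirm every DC already has a Kerberos Authentication certificate
# before adding -Execute. The CA name is a constructed placeholder.
Revoke-LegacyDcCertificates -CAConfig 'ca01.corp.example.com\Corp Issuing CA'
```

After revoking, publish a fresh CRL with certutil -CRL so that relying parties see the revocations before the next scheduled publication, and check each DC with certutil.exe -DCInfo that only the Kerberos Authentication certificate remains.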
Solution: Remove Domain Controller and Domain Controller Authentication
certificate templates on a CA
1. Open the Certification Authority snap-in.
2. Right-click Certificate Templates.


3. Click Delete.

Figure 24: Windows Server 2008 R2 CA deleting template


4. In the Disable certificate templates dialog box, click Yes.

Figure 25: Windows Server 2008 R2 CA confirming disabling template


