You can use SCEPman to issue Kerberos authentication certificates to your domain controllers. This allows your AAD or hybrid-joined devices to authenticate seamlessly when accessing on-premises resources. This can be used to implement the Hybrid Key trust for Windows Hello for Business. The SCEPman will replace the requirement of a Public key infrastructure. Details can be found here
This feature has new requirements to the Root CA. If you are updating from an earlier version as 1.6 you must generate a new Root CA. To support Kerberos authentication certificates the CA certificate must contain either no Enchanced Key Usage (EKU) extension or it must include Kerberos Authentication and Smart Card Logon.
If you are starting with SCEPman 1.6 and generate the Root CA with our SCEPman, you can skip the following steps. Otherwise please follow this guide to generate a new Root CA.
CA Suitability on SCEPman Dashboard:
Navigate to your Key Vault
Check if your User Account is added to the Access policies with all certificate permissions
Go to Certificates, select your CA certificate and click on Delete
After you have successful deleted the CA certificate you must click on Manage deleted certificates
Select your CA certificate, that you have deleted in Step 3 and click on Purge (Keep in mind that after you have purged the certificate you cannot restore it!)
Now restart your SCEPman App Services
Once your App Services are restarted open the SCEPman Dashboard by navigating to your SCEPman URL
You can see the section Config issues, please follow the steps in this section.
After you have generated the new CA certificate you can check the CA suitability in the SCEPman Dashboard.
CA Suitability on SCEPman Dashboard:
To enable the feature, you must add two application settings in your SCEPman service. In the current implementation we use a pre-shared key (password) for DC requests. Please generate a new key/password and store it somewhere safe. (you will need it in the following steps and later, on the domain Controllers)
Navigate to App Services
Then choose your SCEPman app
Next under Settings click Configuration
Select New application setting
Type AppConfig:DCValidation:Enabled as Name
Type true as Value
Confirm with OK
Select New application setting again
Type AppConfig:DCValidation:RequestPassword as Name
Type your key/password, that you have generated earlier, as Value
Confirm with OK
Save the application settings
Certificates used for Kerberos authentication need to be trusted within the AD domain as authentication CA certificates. Please download the CA certificate from the SCEPman Dashboard. If you stored the file as
scepman-root.cer, you can publish the root CA certificate with the following command with an account that has Enterprise Administrator rights:
certutil -f -dsPublish scepman-root.cer NTAuthCA
Analogously, execute the following command to push the SCEPman CA certificate to the Trusted Root certificate store for all machines in the AD Forest:
certutil -f -dsPublish scepman-root.cer RootCA
Afterwards, the CA certificate is generally trusted in AD and especially trusted for Kerberos Authentication. However, it takes some time (in default configuration up to 8 hours) until all devices receive this configuration. You may speedup this process on any machine by executing
gpupdate /force, e.g. on the domain controllers.
Then you must download our Open Source SCEP client software SCEPClient. Releases with the suffix -framework use .NET Framework 4.6.2, which is pre-installed on Windows Server 2016 and compatible with newer versions. Other releases require the .NET Core 3.1 Runtime to be installed on the target systems.
Execute the following command in an elevated command prompt on a domain controller to receive a Domain Controller certificate from SCEPman:
ScepClient.exe newdccert https://your-scepman-domain/dc RequestPassword
You must add the SCEPman URL in the previous command, but keep the path
RequestPassword with the secure key/password you generated earlier.
The request password is encrypted with SCEPman's CA certificate, so only SCEPman can read it. Domain Controller certificates are only issued with the correct request password.
For a fully automated renewal of certificates, you should distribute ScepClient to all your domain controllers, together with the PowerShell script enroll-dc-certificate.ps1. Add a Scheduled task that executes the following command in a SYSTEM context:
powershell -ExecutionPolicy RemoteSigned c:\scepman\enroll-dc-certificate.ps1 -SCEPURL https://your-scepman-domain/dc -SCEPChallenge RequestPassword -ValidityThreshold (New-TimeSpan -Days 30)
This checks for existing DC certificates in the machine store. Only if there are no suitable certificates with at least 30 days validity, it uses ScepClient.exe to request a new DC certificate from SCEPman.
For WHfB, all DCs running version 2016 or newer need a Kerberos Authentication certificate. Older DCs forward authentication requests to newer DCs, thus they do not necessarily require a Kerberos Authentication certificate. It is a best practice, though, to supply them with certificates, too.