The change to the NTAuth note (issue and merge) still got it wrong. It's not the root CA certificate that needs to go into the NTAuth container. It's the DC certs' issuing CA. That's important to note, because that's a different CA/certificate in multi-tier PKIs.
For the best PKI technical reference, grab this book.
@Skorfulose - Thank you for your feedback. Can you please confirm whether the note below would be the correct one? Or please let me know what it should look like, so that I can create the PR for it.
The domain controller's certificate must chain to a root in the NTAuth store. By default, the Domain Controller Certificate issuing CA certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
*Please note: I am not an expert or experienced in this topic, so I might not know enough facts to be certain what the correct phrasing should be.
@joinimran : if I have read the text correctly, you are proposing this change:
- By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store.
+ By default, the Domain Controller Certificate issuing CA certificate is added to the NTAuth store.
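Review bot: the replaced sentence now names the issuing CA certificate as what is added to NTAuth by default, but the other two sentences of the quoted note still say the domain controller's certificate "must chain to a root in the NTAuth store" and that authentication fails if it "does not chain to a root in the NTAuth store", so after this change the paragraph contradicts itself in a multi-tier hierarchy where the root is not the issuing CA. Suggest rewording those two sentences to refer to the CA certificate that issued the domain controller certificate as well, so the whole note consistently talks about the direct issuer rather than the root.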
The point I find a bit challenging for my understanding is the effective meaning of: issuing
For me to make sense of that, it would need to be either:
Maybe I could ask @JohanFreelancer9 for quick feedback, in case this would be clearer to him. For all I know, your current suggestion could be correct.
edit: Feedback from the ticket author, @Skorfulose , would also be helpful.
@illfated - valid point. However, I would prefer to wait for @Skorfulose and @joinimran's feedback and the PR to be created. Thanks.
@illfated , @JohanFreelancer9 - I am also waiting for feedback from @Skorfulose. This rephrasing is a bit confusing for me as well.
@Skorfulose - Waiting for your feedback to further look into these issues.
Thanks
Imran.
Hey all, thanks for your effort on this. I think clarification on this technical peculiarity will help others to better troubleshoot deployment problems.
The complexity describing the NTAuth issue comes from the multiple possible scenarios:
So to reflect that, here is my proposal:
- The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
+ The CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail.
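Review bot: the new first sentence says the CA issuing the domain controller certificate must be in the NTAuth store, but the retained second sentence still says the "root certificate" is added by default, which contradicts the multi-tier case the same sentence goes on to mention and the point made at the top of this thread that the issuing CA is a different certificate from the root in multi-tier PKIs. Suggest wording the default in terms of the issuing CA's certificate too, e.g. "By default, the certificate of the Active Directory Certificate Services CA that issues the domain controller certificate is added to the NTAuth store." The last sentence's "does not directly chain to a CA certificate in the NTAuth store" reads well and matches the first sentence.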
Maybe you might also want to add instructions on how to check:
```
certutil -viewstore -enterprise NTAuth
```

Single-tier hierarchy (the root CA is also the issuing CA):

```
└─ Root / Issuing Certificate Authority   <-- This certificate is required in the NTAuth store
   └─ Domain Controller Certificate
```

Multi-tier hierarchy:

```
└─ Root Certificate Authority
   └─ Intermediate Certificate Authority
      └─ Issuing Certificate Authority   <-- This certificate is required in the NTAuth store
         └─ Domain Controller Certificate
```
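The manual check above (open the NTAuth store, then compare it by eye with the DC certificate's chain) can be scripted. The following is an added example and is not code from the issue thread or from the Microsoft docs page under discussion. It reads the authoritative NTAuth contents from the `CN=NTAuthCertificates` object in the Configuration naming context, builds the chain of a domain controller certificate, and reports whether the certificate's direct issuer (chain element 1, which is what the `CERT_CHAIN_POLICY_NT_AUTH` policy evaluates) is present in NTAuth. It assumes a domain-joined Windows host with LDAP access to the Configuration partition; the default certificate selection rule (first `LocalMachine\My` certificate carrying the KDC Authentication EKU, OID 1.3.6.1.5.2.3.5) and the function names `Get-NTAuthCertificates` and `Test-DCCertificateNTAuth` are this example's own choices, not anything from the thread.

```powershell
# Added example (not from the issue thread or the docs page). Checks whether the CA that
# directly issued a domain controller certificate is present in the NTAuth store.
# Assumptions: domain-joined host, PowerShell 5.1+, LDAP read access to the Configuration
# naming context; the default DC certificate is selected by the KDC Authentication EKU
# (OID 1.3.6.1.5.2.3.5), which is an assumed selection rule. Pass -Certificate to override.

function Get-NTAuthCertificates {
    # Authoritative NTAuth contents live in AD (the registry cache under
    # HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth is a replica of this object).
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.Properties["configurationNamingContext"].Value
    $ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($blob in $ntAuth.Properties["cACertificate"]) {
        # Each value is a DER-encoded CA certificate; the leading comma passes the byte[] as one argument.
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$blob)
    }
}

function Test-DCCertificateNTAuth {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if (-not $Certificate) {
        # Assumed selection rule: first machine cert with the KDC Authentication EKU.
        $Certificate = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.2.3.5' } |
            Select-Object -First 1
        if (-not $Certificate) {
            throw "No certificate with the KDC Authentication EKU found in LocalMachine\My."
        }
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the issuer matters for this check
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Warning "Chain for '$($Certificate.Subject)' did not build cleanly: $status"
    }
    if ($chain.ChainElements.Count -lt 2) {
        throw "Certificate has no issuer in its chain (self-signed or untrusted issuer)."
    }

    # Element 0 is the DC certificate itself; element 1 is the CA that directly issued it.
    # In a multi-tier PKI this is the issuing CA, not the root, and it is the one NTAuth must contain.
    $issuer = $chain.ChainElements[1].Certificate
    $ntAuthThumbprints = Get-NTAuthCertificates | ForEach-Object Thumbprint

    [pscustomobject]@{
        DCCertificate    = $Certificate.Subject
        IssuingCA        = $issuer.Subject
        IssuerThumbprint = $issuer.Thumbprint
        IssuerInNTAuth   = ($ntAuthThumbprints -contains $issuer.Thumbprint)
        ChainDepth       = $chain.ChainElements.Count
    }
}

Test-DCCertificateNTAuth | Format-List
```

If `IssuerInNTAuth` comes back `False`, the issuing CA certificate has to be published to NTAuth (for example with `certutil -dspublish -f IssuingCA.cer NTAuthCA`, which writes to the same AD object the script reads). `certutil -store -enterprise NTAuth` dumps the store non-interactively if you prefer to compare thumbprints by hand.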
Thank you very much for the detailed feedback, @Skorfulose . Those points seem quite legit to me, aside from the fact that I am not an expert in this topic.
@joinimran : Do you find the reply to be practical enough to you, so you could make a Pull Request based on that material?
Thanks, @Skorfulose for sharing the detailed information. This was something complex which you have made simple. I have updated the doc and created a PR for the same. Let's see how the doc author will respond.
(ref. #8936)
Closing via #8936
Thank you