List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read-only, so to contribute you will need to join our list community. See more info about this here.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] [OT?] Empty Subject Name (SN) in Domain Controller Kerberos Authentication Template causing alarm.
BrianB (Posts: 138), 02/10/2012 4:44 PM
All:

I have deployed the ADCS Kerberos Authentication template to our 2008 R2 DCs. I am migrating from an old 2003 Enterprise CA using Domain Controller certificates with 1024-bit encryption to our 2008 R2 Enterprise ADCS using Kerberos Authentication certificates with 2048-bit encryption. The migration of our DCs is staged, in that I created a GPO for auto-enrollment of the new Kerberos Authentication certificate and filtered its application to one DC at a time until all have migrated.

An issue was brought up about the new KA template in that, by default, the subject name attribute in the certificate is blank. This is by design, as I understand it. Our security team is now questioning the certificate, stating that they believe it is "Ripe for Impersonation" based solely on the fact that the SN field is blank. The new specs for this template state the following:

"...Certificates issued via this new template contain two specific attributes. Rather than relying on the DNS name of the computer, applications can verify the following:

The enhanced key usage extension of the certificate contains Key Distribution Center (KDC) authentication.
The domain name is in the subject alternative name extension of the certificate.

By the authority of the issuing CA, these attributes prove that the computer presenting the certificate is a domain controller for the domain contained in the subject alternative name. This new template is recommended for domain controllers running Windows Server 2008."

So how can I explain that this template is secure for the purpose it is intended for? Or has the experience of those much more learned than I been to not use this template, as it is something Microsoft has put out there and should reconsider? An alternative is to issue the Domain Controller Authentication template, which is version 2 and 2048-bit as well.

Not sure that either (KA or DCA template) brings any more/less security than the other.

Brian Britt
Directory Services Specialist
Vanderbilt University
Information Technology Services
Office: (615) 322-4676
OCS: (615) 875-9858

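As an added example (not from this thread or from Microsoft's template documentation), here is the check the quoted passage describes, written in Python with the `cryptography` library: the Subject is never consulted, and a certificate is accepted as a DC certificate only on the strength of the issuing CA's signature, the KDC Authentication EKU and the domain name in the SAN. The CA, the empty-Subject DC certificate, the rogue copy and the domain `corp.example` are constructed test data.

```python
"""Verify a DC certificate the way the Kerberos Authentication template notes
describe: by issuer signature, KDC Authentication EKU and SAN, never by Subject."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

KDC_AUTH = x509.ObjectIdentifier("1.3.6.1.5.2.3.5")  # id-pkinit-KPKdc, RFC 4556
DOMAIN = "corp.example"                               # constructed test domain


def is_dc_certificate(cert, ca_cert, domain):
    """True only if cert is signed by ca_cert, carries the KDC Authentication EKU and
    lists `domain` as a SAN dNSName. Validity period and revocation are left to a path validator."""
    try:
        # "By the authority of the issuing CA": check the signature, not the Subject.
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        ekus = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except (InvalidSignature, x509.ExtensionNotFound):
        return False
    dns_names = {n.lower() for n in san.get_values_for_type(x509.DNSName)}
    return KDC_AUTH in ekus and domain.lower() in dns_names


def _cert(subject, issuer, pub, signer_key, exts):
    start = datetime.datetime(2012, 2, 10)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365)))
    for ext in exts:
        b = b.add_extension(ext, critical=False)
    return b.sign(signer_key, hashes.SHA256())


def make_test_certs():
    """Constructed test data: an enterprise CA, a DC certificate shaped like the Kerberos
    Authentication template (empty Subject), and a copy of it signed by a key the CA never certified."""
    ca_key, dc_key, rogue_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test Enterprise CA")])
    ca = _cert(ca_name, ca_name, ca_key.public_key(), ca_key, [x509.BasicConstraints(True, None)])
    # Empty Subject; DC host, DNS domain and NetBIOS domain in the SAN; KDC EKU among the EKUs.
    dc_exts = [x509.SubjectAlternativeName([x509.DNSName("dc1." + DOMAIN),
                                            x509.DNSName(DOMAIN), x509.DNSName("CORP")]),
               x509.ExtendedKeyUsage([KDC_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH,
                                      ExtendedKeyUsageOID.SERVER_AUTH])]
    dc = _cert(x509.Name([]), ca_name, dc_key.public_key(), ca_key, dc_exts)
    # Identical fields and claimed issuer, but self-signed: the CA's authority is absent.
    rogue = _cert(x509.Name([]), ca_name, rogue_key.public_key(), rogue_key, dc_exts)
    return ca, dc, rogue
```

The blank Subject carries no weight either way: the DC certificate passes because the enterprise CA vouched for its EKU and SAN, and the rogue copy with the same blank Subject and identical extensions fails the signature check.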


BrianB (Posts: 138), 02/13/2012 1:54 PM
If anyone has a chance to respond, I would greatly appreciate it.

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Britt, Brian
Sent: Friday, February 10, 2012 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT?] Empty Subject Name (SN) in Domain Controller Kerberos Authentication Template causing alarm.

All:

I have deployed the ADCS Kerberos Authentication template to our 2008 R2 DCs. I am migrating from an old 2003 Enterprise CA using Domain Controller certificates with 1024-bit encryption to our 2008 R2 Enterprise ADCS using Kerberos Authentication certificates with 2048-bit encryption. The migration of our DCs is staged, in that I created a GPO for auto-enrollment of the new Kerberos Authentication certificate and filtered its application to one DC at a time until all have migrated.

An issue was brought up about the new KA template in that, by default, the subject name attribute in the certificate is blank. This is by design, as I understand it. Our security team is now questioning the certificate, stating that they believe it is "Ripe for Impersonation" based solely on the fact that the SN field is blank. The new specs for this template state the following:

"...Certificates issued via this new template contain two specific attributes. Rather than relying on the DNS name of the computer, applications can verify the following:

The enhanced key usage extension of the certificate contains Key Distribution Center (KDC) authentication.
The domain name is in the subject alternative name extension of the certificate.

By the authority of the issuing CA, these attributes prove that the computer presenting the certificate is a domain controller for the domain contained in the subject alternative name. This new template is recommended for domain controllers running Windows Server 2008."

So how can I explain that this template is secure for the purpose it is intended for? Or has the experience of those much more learned than I been to not use this template, as it is something Microsoft has put out there and should reconsider? An alternative is to issue the Domain Controller Authentication template, which is version 2 and 2048-bit as well.

Not sure that either (KA or DCA template) brings any more/less security than the other.

Brian Britt
Directory Services Specialist
Vanderbilt University
Information Technology Services
Office: (615) 322-4676
OCS: (615) 875-9858


