​

KDC Certificate Issuance confirmation

1. Log in to a domain controller.
2. Press Win+R to open the Run prompt and type certlm.msc press Enter.
3. In the tree view on the left, navigate to  “Certificates (Local Computer)”, then go to “Personal”, then click Certificates.
4. Check that the Kerberos Authentication certificate exists in the right pane.

5. If you see the Domain Controller or Domain Controller Authentication certificate. We recommend publishing the Kerberos Authentication template to replace these older certificates.
   1. Refer to this article for how you can setup the (KDC) Kerberos Authentication template and leverage supersedence on these templates so that the Kerberos Authentication template can replace all the older Domain Controller and Domain Controller Authentication templates. https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust

​

KDC Template Issuance validation

1. Log on to a computer within your domain.
2. Click Start, point to “All Programs”, click “Accessories”, right-click “Command Prompt”, and then click “Run as administrator”.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. At the command prompt, type certutil -dcinfo verify, and then press ENTER.
5. To confirm the existence of the KDC cert in the local computer store on the DC, review the command prompt results for 2 items. Note: To ensure the KDC cert is installed you must run this on each DC individually.
   1. Scroll to the bottom of the results and it will list the KDC certificates found and the application policies for them:
   2. Search through the results for dwErrorStatus is set to zero (0) for the KDC cert found. Anything other than zero should be reviewed for remediation.
6. Once successful validation is confirmed, the Kerberos KDC certificate is installed and operating properly.

​

Domain controller group policy for autoenrollment of the KDC certificate:

1. On a DC, open the Group Policy Management Console (gpmc.msc).
2. Create a GPO and give it a name and link it to your Domain Controllers OU.
3. Right-click the new GPO object and select Edit.
4. In the navigation pane, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
5. On the root of Public Key Policies look for Certificate Services Client - Auto-Enrollment.
6. In the details pane, right-click Certificate Services Client - Auto-Enrollment and select Properties.
7. Select Enabled from the Configuration Model list.
8. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
9. Select the Update certificates that use certificate templates check box. **Select OK **and close the dialog.
10. Test the GPO by running gpupdate /force and make sure the KDC template you created above is issued to the DC.

​

KDC additional requirement for CA Certificate trust (IMPORTANT):

• This is a reminder that typically the KDC certificate is issued by either a Root or Issuing Certificate Authority typically from an on-prem PKI. Because of this, this certificate has a chain to both the issuing and root CA, therefore you must push by group policy both the Root and Issuing CA certs to the respective Certificate stores (Trusted Root Certificate Authorities and Intermediate Certificate Authorities) on the DC and all workstations so that the KDC cert is trusted by all systems, thereby creating the trust for any smartcards issued to endpoints.