All posts tagged Active Directory Certificate Services

The Case for Short-Lived Certificates in Enterprise Environments

Digital certificates, issued by an internal, private Certification Authority (CA) like Microsoft Active Directory Certificate Services (AD CS), are commonly used in enterprise environments for user and device authentication for workloads such as VPN, Wi-Fi (802.1x), System Center Configuration Manager (SCCM), IPsec, and more. But how long should a user or device authentication certificate be valid? This question is increasingly critical as organizations strive to balance security and operational efficiency. Short-lived certificates, typically valid for weeks or months rather than years, are gaining traction as a powerful tool to enhance security. By reducing the window of opportunity for attackers to exploit compromised credentials, short-lived certificates offer a proactive approach to mitigating risks while aligning with evolving security best practices and the needs of modern IT infrastructures.

What is a Certificate?

A digital certificate is a document that binds an identity to an asymmetric key pair (public key and private key). Certificates offer strong, phishing-resistant authentication that improves security and assurance for users and devices authenticating to Microsoft Active Directory (AD). When a certificate is issued, an administrator decides how long the certificate will be valid. The criticality of this setting is often overlooked.

Certificate Lifetime

Administrators must define the certificate’s validity period when creating a certificate template in AD CS or an Intune PKCS or SCEP device configuration policy. Most commonly, administrators select the default one-year validity period. However, public CAs are trending toward shorter certificate lifetimes, and strong consideration should be given to their use in private enterprise deployments.

Current Standards

Today, the maximum certificate lifetime for a publicly issued TLS certificate is 398 days (approximately 13 months). This standard is imposed by the CA/Browser Forum, a voluntary consortium of public CAs, browser vendors, and other industry stakeholders that develop and promote security standards and best practices for digital certificates and Public Key Infrastructure (PKI). They established the 398-day certificate lifetime mainly in response to the previous decade’s plethora of SSL/TLS vulnerabilities.

Challenges

Having certificates with long lifetimes poses significant challenges for administrators when responding to key compromise events or zero-day vulnerabilities. This may necessitate urgent certificate replacement, often involving manual intervention. To address these challenges and promote automation, some public CAs like Let’s Encrypt issue certificates with much shorter lifetimes than one year.

Public CA Certificates

Shorter lifetimes for public SSL/TLS certificates have numerous positive security benefits. Short-lived certificates provide agility to update cryptography settings more rapidly than long-lived certificates. Also, the short lifetime of the certificate is beneficial if the private key is compromised because it limits the amount of time an attacker can exploit the stolen key, limiting exposure and reducing potential damage. These security benefits have driven significant changes in public CA practices, as seen in today’s standards.

47 Days

Recently, I wrote about a new directive from the CA/Browser Forum, which adopted a measure reducing the current maximum lifetime of public TLS certificates to 47 days. The maximum lifetime for public TLS certificates will be gradually reduced to allow the industry to adopt short-lived certificates.

Enterprise CA Certificates

Private enterprise PKI deployments like AD CS are not required to adhere to CA/Browser Forum mandates. Organizations are free to manage their internal PKI however they choose. However, examining industry trends and ensuring that security best practices are aligned as much as possible is crucial. While public CAs set the pace, private enterprise PKI can adopt similar strategies to bolster security.

AD Authentication

As stated previously, many positive security benefits are associated with short-lived certificates, especially for authentication to Active Directory.

PKINIT

PKINIT is an extension to the Kerberos protocol that enables certificate-based authentication with Active Directory (AD). You can read about the details here, but PKINIT allows a principal (user or device) to authenticate to AD by simply demonstrating control of the private key. Thus, protecting the private key is vital.

TPM

Enrolling certificates in a Trusted Platform Module (TPM) is the best way to ensure private keys remain private. No one, including administrators, can export private keys protected by TPM. Administrators should ensure TPM enrollment for client authentication certificates whenever possible.

Guidance

Today, I recommend that my customers issue end entity user and device authentication certificates with a lifetime of no more than one year for 2048-bit RSA certificates with private keys stored on TPM. However, there are important considerations and compelling advantages to using much shorter lifetime certificates.

Best Practice

General use client authentication certificates should be enrolled to TPM without exception and have a valid lifetime of no more than one year. However, there is still value in using shorter lifetime certificates, even with TPM. For example, short-lived certificates ensure timely renewal, which can be helpful when implementing changes to certificate templates. A perfect example of this is the changes required to support KB5014754. Administrators may wish to use certificates with validity periods of less than one year to ensure timely replication of certificate settings changes and to provide more frequent key rotation.

Non-TPM

There may be scenarios where a client authentication certificate must be issued to a device without a TPM. Examples include virtual machines without TPM, VDI deployments, and legacy devices. These cases should be treated as exceptions and managed accordingly. Consider shortening the lifetime of non-TPM certificates to 90 days or less.

Privileged Users

Administrators or other privileged accounts enrolling for certificates can benefit from even shorter validity periods. Consider issuing client authentication certificates to these users with certificate lifetimes of 30 days or less.

Considerations

Short-lived certificates aren’t always ideal in all cases. For example, consider a scenario where a user or device is offline for a prolonged period, such as extended vacations, maternity or paternity leave, or sabbaticals. Users may experience issues accessing resources after returning from an extended absence. Of course, if they can re-enroll for certificates, this shouldn’t be a problem. For AD CS, it means connectivity to an enterprise issuing CA server. Intune-managed endpoints simply need Internet access to obtain a new certificate.

Automation

Working with short-lived certificates manually is infeasible. Automation is the key to success with short-lived certificates. For client authentication certificates issued on-premises, enabling certificate autoenrollment via group policy ensures that all domain-joined devices enroll and renew their certificates automatically. Certificates deployed and managed using Microsoft Intune are automated by default.

Summary

The next time you create a certificate template in AD CS or Intune, consider the certificate lifetime. Recommended best practice is no more than one year validity period for 2048-bit RSA end-entity certificates with hardware-backed key storage. However, consider shorter validity periods for those cases where it makes sense. Prioritize TPM enrollment and put additional controls in place for exceptions. Ensure automated enrollment and renewal are in place to reduce administrative overhead. Following the guidance outlined above, your organization will reduce its attack surface and limit exposure to compromised certificates.

More Information

If you’d like to learn more about implementing short-lived certificates in your organization, fill out the form below, and I’ll provide more information.

References

Digital Certificates for Strong Authentication

Digital Certificates and TPM

Drawbacks of Multifactor Authentication

Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol

1 Comment
by Richard M. Hicks on April 28, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, ADCS, administration, Always On VPN, AOVPN, authentication, CBA, Certificate Authentication, Certificate Authority, Certificate Services, Certificate-Based Authentication, certificates, Cloud PKI, Compliance, Cryptography, Enterprise, enterprise mobility, Group Policy, Infrastructure, Intune, Kerberos, Microsoft, Microsoft Intune, Mobile Device Management, Mobility, Multifactor Authentiction, PKCS, PKI, Professional Services, Remote Access, SCCM, Security, SSL, SSL and TLS, System Center Configuration Manager, TLS, TPM, Trusted Platform Module, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 28, 2025

https://directaccess.richardhicks.com/2025/04/28/the-case-for-short-lived-certificates-in-enterprise-environments/

Always On VPN Intermittent 13801 Error

Always On VPN error 13801 is common when establishing an IKEv2 VPN connection. Typically, the issue is related to a configuration error or a problem with certificate deployment. However, administrators may encounter the 13801, an IKE authentication error, intermittently. Configuration errors are binary. If there is a misconfiguration, IKEv2 never works at all. However, a configuration error seems unlikely since the connection works occasionally yet fails at other times.

Client Authentication

The minimum application policy (Enhanced Key Usage, or EKU) requirement for the device authentication certificate for IKEv2 is Client Authentication (1.3.6.1.5.5.7.3.2). When intermittent 13801 errors occur, administrators may find multiple certificates in the local computer certificate store with the Client Authentication EKU issued by different certificate authorities. Commonly, Intune-managed Windows devices may include several certificates with Client Authentication.

Certificate Selection

When Windows attempts to establish an Always On VPN IKEv2 connection, and there are multiple certificates in the local computer certificate with Client Authentication defined, Windows must choose one certificate to use for the connection. If Windows chooses incorrectly, you will receive the 13801 IKE authentication failure error. If Windows selects the right one, the connection succeeds.

Resolution

There are several ways to resolve this issue. The best way is to update the Always On VPN device authentication certificate to include the IP security IKE intermediate application policy (EKU). When Windows encounters multiple client authentication certificates in the local computer certificate store, it will prefer any certificate with the IP security IKE intermediate application policy for IKEv2 VPN connections. Including the IP security IKE intermediate application policy on the Always On VPN device authentication certificate ensures proper certificate selection when multiple client authentication certificates are present.

Note: This change must be made to the Intune certificate enrollment template when using Intune with PKCS or SCEP.

Certificate Template

To update an existing Always On VPN device authentication certificate to include the IP security IKE intermediate application policy, open the certificate templates management console (certtmpl.msc) and perform the following steps.

  1. Right-click the VPN device authentication certificate template and choose Properties.
  2. Select the Extensions tab.
  3. Click on Application Policies.
  4. Click Edit.
  5. Click Add.
  6. Select the IP security IKE intermediate application policy.
  7. Click Ok.
  8. Click Ok.
  9. Click Ok.

Once complete, any certificates issued after this change is applied will now include the IP security Ike intermediate application policy.

Force Renewal

Administrators may wish to update all certificates immediately rather than wait until they renew to receive the new setting. The course of action depends on how certificates are issued.

On-Premises

When issuing certificates using Active Directory Certificate Services (AD CS) on-premises, right-click the Always On VPN device authentication certificate template and choose Reenroll All Certificate Holders. This will force all domain-joined clients with Autoenroll permissions on the template to renew their certificate on their next enrollment cycle, regardless of the certificate’s lifetime.

Intune

Follow the steps below to force re-enrollment for all certificate holders when deploying certificates using Intune.

SCEP Add the IP Security IKE Intermediate application policy to the Intune VPN policy. After this change is applied, Intune will reenroll all endpoints.

PKCS – A new Intune device configuration policy must be created that includes the IP security IKE intermediate application policy. Assign the new policy and remove the old one to replace all certificates.

PowerShell

It’s also possible to resolve this issue using PowerShell. Administrators can use the Set-VpnConnection PowerShell cmdlet to select a certificate based on the root certification authority (CA) or a specific custom application policy defined on the Always On VPN device authentication certificate. Be sure to add the -AllUserConnection switch when working with the device tunnel.

Root CA

Open a PowerShell command window and run the following command.

$RootCA = Get-Child-Item -Path Cert:\LocalMachine\My\<thumbprint of root CA certificate>
Set-VpnConnection -Name <name of VPN profile> -MachineCertificateIssuerFilter $RootCA

Application Policy

Open a PowerShell command window and run the following command.

Set-VpnConnection -Name <name of VPN profile> -MachineCertificateEKUFilter <OID>

Note: When using a custom application policy Windows will return a warning message stating the EKU could not be validated. You can safely disregard this warning.

Intune Remediation

While running PowerShell commands locally might be helpful for troubleshooting and targeted evaluation testing, deploying settings via PowerShell at scale is challenging. For those organizations managing their devices using Microsoft Intune, I’ve published a few detection and remediation scripts on GitHub to perform these tasks.

Summary

The intermittent Always On VPN 13801 IKE authentication credentials are unacceptable error message is best resolved by updating the Always On VPN device authentication certificate to include the IP security IKE intermediate application policy (EKU). Although using PowerShell also works, it doesn’t scale effectively. SCCM or Intune remediations can help, but I’d encourage you to update the certificate template as best practice instead.

Additional Information

Troubleshooting Always On VPN Error 13801

Troubleshooting Always On VPN Error 13806

Troubleshooting Always On VPN Error 13868

Leave a comment
by Richard M. Hicks on February 3, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, administration, Always On VPN, AOVPN, authentication, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, certificates, Deployment, device tunnel, Enterprise, enterprise mobility, IKEv2, Intune PFX Connector, Microsoft, Mobility, Operational Support, PFX Connector, PKCS, PKI, PowerShell, public key infrastructure, Remote Access, SCEP, Security, Simple Certificate Enrollment Protocol, systems management, troubleshooting, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 3, 2025

https://directaccess.richardhicks.com/2025/02/03/always-on-vpn-intermittent-13801-error/

November Microsoft Security Updates and AD CS

As I do each month on Patch Tuesday, I look through the list of published vulnerabilities in search of things that might interest Always On VPN Administrators. Frequently there are updates for things like Routing and Remote Access Service (RRAS) or various VPN protocols. The good news is that the November 2024 security updates include NO such vulnerabilities! However, a vulnerability has been disclosed that affects Active Directory Certificate Services (AD CS) on which Always On VPN often relies on for user and device authentication.

Certificate Templates

AD CS Enterprise certificate authorities are closely integrated with Active Directory and use certificate templates that administrators can publish for users and devices to enroll. These templates control properties of the issued certificates, such as the subject name, usage, key length, enrollment policies, and much more. There are several different template versions available, versions 1 through 4. Version 1 templates are legacy templates that don’t provide many capabilities. Later versions include more features and capabilities.

CVE-2024-49019

The November 2024 Microsoft security updates include CVE-2024-49019, a privilege escalation vulnerability recently discovered in AD CS. Specifically, this vulnerability affects only legacy schema version 1 certificate templates published on a certificate authority (CA) server that include the option to supply the subject name in the certificate request. A typical example of this would be the default Web Server template.

Exploitation

The Web Server template does not include the Client Authentication Enhanced Key Usage (EKU) by default, which is required to authenticate to Active Directory. However, this vulnerability allows an attacker with enrollment privileges on this template to supply additional EKUs in the request and the certificate issued will include those capabilities. This allows a non-privileged attacker to quickly elevate to a domain or enterprise administrator by supplying a known administrator’s User Principal Name (UPN) along with the Client Authentication EKU in the certificate request. As version 1 templates cannot enforce CA manager approval for enrollment, an attacker can easily leverage this vulnerability if permissions allow, leading to complete domain compromise.

Note: This applies to any schema version 1 certificate template published with the subject name supplied in the request, not just the Web Server template.

Complications

Making matters worse, the Web Server template is one of the default certificate templates published automatically when a Windows Server CA is deployed. The best practice is to disable the publishing of any certificate templates by default when a new CA is provisioned. However, it requires additional configuration that is often overlooked. In addition, many administrators use overly broad enrollment permissions for this template, such as Domain Users, Domain Computers, or Authenticated Users, further broadening the attack surface.

Mitigation

Administrators should update their CA servers as soon as possible. If you cannot deploy this update immediately, consider replacing any schema version 1 templates with version 2 templates, which are not vulnerable. Also, as best practice, ensure that any certificate templates that allow the subject name to be supplied in the request also requires CA manager approval or additional authorized signatures for enrollment.

Investigation

Administrators should review enrollment privileges for all published certificate templates to ensure the least privileged access. In addition, administrators should audit all valid certificates issued with schema version 1 certificate templates that allow the subject name to be supplied in the request immediately to look for indicators of compromise. Review issued certificates for unauthorized EKUs or unusual subject names, especially those with a UPN.

Additional Information

Microsoft November 2024 Security Updates

CVE-2024-49019 – AD CS Elevation of Privilege Vulnerability

EKUwu: Not Just Another AD CS ESC – TrustedSec

Leave a comment
by Richard M. Hicks on November 13, 2024  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, ADCS, administration, Always On VPN, AOVPN, authentication, Certificate Authority, Certificate Services, certificates, Enterprise, Microsoft, Operational Support, PKI, public key infrastructure, Security, Security Update, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 13, 2024

https://directaccess.richardhicks.com/2024/11/13/november-microsoft-security-updates-and-ad-cs/

« Older Posts
Newer Posts »