
Domain controller authentication with two different certificates

Configuring certificate-based authentication for a domain controller in a Windows environment is normally a routine task. It becomes complicated, however, when the controller has to use two certificates at once for different services, for example one certificate presented to domain users at logon and another presented to services.


A similar problem arose in one of our projects, where the customer needed user authentication in a Microsoft Windows domain using GOST certificates. Such tasks are usually solved with a specialized product from CryptoPro, “CryptoPro Winlogon”. The product has been on the market for a long time and is mature, but its deployment can still run into unforeseen difficulties, as our company found. For it to work, the workstations, the domain and the domain controllers must be configured correctly, and one of the requirements for the domain controller is that it be issued a GOST certificate.

In our customer's case, the domain controller was also being accessed over LDAP over SSL (LDAPS), in addition to plain LDAP, using an RSA certificate already installed on the controller.

A short digression: plain LDAP does not encrypt anything by itself, so anyone who can capture traffic between the LDAP client and the server can read it, and a simple bind over port 389 sends the credentials in clear text. To protect LDAP traffic it is wrapped in SSL/TLS, which is abbreviated as LDAPS.

LDAPS is recommended in the following cases:

Thus, in our situation LDAP over SSL/TLS (LDAPS) requires a certificate on the domain controller. To enable LDAPS, a certificate issued by a certification authority trusted by both the domain controller and the LDAPS clients must be installed, together with its private key, in the local computer certificate store; the certificate must carry the Server Authentication enhanced key usage and its subject or subject alternative name must contain the controller's fully qualified DNS name.
This raised the question of using two certificates, based on different cryptographic algorithms, side by side, given that the CryptoPro Winlogon solution does not provide for two certificates being used on the domain controller at the same time.

Comment from the CryptoPro Winlogon instructions (reproduced as a screenshot in the original post).

Because this problem is uncommon, and Russian cryptography adds another variable, new approaches had to be found. Studying the documentation and the forums on the topic gave no answer, so to solve the problem I had to dig into exactly how the domain controller uses its certificates.

So, how does a domain controller select a certificate?

When a certificate is needed, the controller goes to the local computer certificate store and uses a certificate from it. In most cases there is exactly one certificate there and no problem arises. If the store contains more than one, the controller takes the first valid certificate suitable for server authentication, and which one comes first is not something the administrator controls. Keeping two (or more) certificates for different purposes in that store is therefore undesirable.

Windows Server does, however, provide a legitimate way to use several certificates: a separate Active Directory Domain Services store (NTDS\Personal, named NTDS\My on the command line) that holds the certificate used for LDAPS.

With this store in place, certificate selection can be described more precisely: the domain controller first looks for a certificate in the dedicated service store, and only if that attempt fails does it fall back to the local computer store.

To view the service certificate store on the domain controller, start the Microsoft Management Console (MMC) and add the Certificates snap-in. When the snap-in asks which certificates it should manage, choose the service account option.

Then select the Active Directory Domain Services service.

Windows imposes some limitations on this kind of use. Certificates in the service store are not auto-enrolled or auto-renewed, so renewals have to be done by hand, and the store is not visible through the ordinary certificate tools (the PowerShell Cert: drive shows only CurrentUser and LocalMachine); from the command line it can be reached only with certutil and its -service switch.
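The procedure above, as an added example that is not part of the original post and not CryptoPro's or Microsoft's own tooling: a PowerShell script for the domain controller that lists the server-authentication candidates in the local computer store, shows the NTDS\My service store with certutil, imports the RSA LDAPS certificate into it, asks the controller to reload the certificate through the documented rootDSE renewServerCertificate operation, and then checks over a real TLS handshake which certificate port 636 actually serves. The host name dc01.corp.example and the PFX path C:\certs\ldaps-rsa.pfx are hypothetical. The script assumes the layout the post implies: the RSA certificate lives only in NTDS\My, while the GOST certificate for CryptoPro Winlogon stays in the local computer Personal store, which is where the KDC looks for its certificate.

```powershell
# Added example (not from the original post): put the RSA LDAPS certificate into the
# NTDS\My service store, reload it without a reboot, and check which certificate the
# domain controller actually presents on port 636. Run in an elevated PowerShell on the DC.
# Assumed (hypothetical) names: dc01.corp.example and C:\certs\ldaps-rsa.pfx.
$DcFqdn      = 'dc01.corp.example'
$PfxPath     = 'C:\certs\ldaps-rsa.pfx'
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Candidate certificates in the local computer store. Schannel falls back to this
#    store only when NTDS\My is empty, and with several candidates its choice is not
#    controllable. The GOST certificate used by CryptoPro Winlogon stays here.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') } |
    Select-Object Thumbprint, Subject, NotAfter,
                  @{ n = 'Algorithm'; e = { $_.SignatureAlgorithm.FriendlyName } }

# 2. The service store is not exposed through the Cert: drive; certutil -service reaches it.
certutil -service -store 'NTDS\My'

# 3. Import the RSA certificate with its private key into NTDS\My. The original post
#    does this in the MMC snap-in (Service account -> Active Directory Domain Services);
#    this is the command-line equivalent. certutil needs the password in clear text.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
certutil -service -f -p $plain -importpfx 'NTDS\My' $PfxPath
Remove-Variable plain

# 4. Tell the DC to pick up the new certificate without a restart: modify rootDSE
#    with the renewServerCertificate operational attribute via ldifde.
$ldf = Join-Path $env:TEMP 'renew.ldf'
@'
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
'@ | Set-Content -Path $ldf -Encoding ASCII
ldifde -i -f $ldf

# 5. Open a TLS session to port 636 and report the certificate the DC offers.
function Get-LdapsServerCertificate {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate here: the point is to see which one is served, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Algorithm  = $cert.SignatureAlgorithm.FriendlyName
            Protocol   = $ssl.SslProtocol
        }
    }
    finally { $tcp.Close() }
}

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
$served   = Get-LdapsServerCertificate -Server $DcFqdn
$served
if ($served.Thumbprint -ne $expected.Thumbprint) {
    Write-Warning "LDAPS is serving '$($served.Subject)' ($($served.Algorithm)), not the certificate placed in NTDS\My"
}
```

The final comparison is the check worth keeping after any change on the controller: if it warns, Schannel is still picking a certificate from the local computer store, which usually means the certificate landed in NTDS\My without its private key or its DNS name does not match the controller. The GOST certificate is deliberately left out of NTDS\My so that LDAPS clients built on RSA never see it.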

Returning to our problem, solving it required only building a test bench with two certificates, one based on Russian and one on Western cryptographic algorithms.

The following steps were taken on the test bench:

After the test bench succeeded, our company took the solution to the customer and, outside business hours, ran the same tests on the production setup, which were also successful. Enough time has passed since the rollout to say that the solution we proposed works: the customer has had no problems operating it.

Source: https://habr.com/ru/post/255275/

