If you are trying to go passwordless, you might have setup Azure passwordless onboarding however, nothing beats the convenience of having hello for business as an authentication method, in this page we will go through how to achieve this with hybrid key trust deployment.
EZCA enables you to create this without the need of running ADCS (Active Directory Certificate Services) offloading all your PKI needs to Azure.
Once your CA is created we are ready to create certificates for domain controllers. First we must trust the CA certificate in AD for Kerberos Authentication, then we will create the certificate and set it up for automatic rotation.
The fist step step is to add the CA certificate to the NTAuth Store. This will enable the certificate to be sued for authentication in Active Directory. First we must get the CA certificate from EZCA:
certutil -f -dsPublish ca-cert.cer NTAuthCA
certutil -f -dsPublish ca-root.cer RootCA
gpupdate /forcein the domain controllers and any machine that you want this to take effect sooner.
Now that we have established the domain trust, we have to create certificates for the domain controllers (This must be repeated on each domain controller). The first certificate must be created by a PKI administrator and can be either created on the EZCA portal or using our open source certificate management application
CN=server1.contoso.com OU=Your OU DC=contoso DC=com
.\EZCACertManager.exe createDC -s \"CN=server1.contoso.com OU=Domain Controllers, DC=contoso DC=com\" -d your.fqdn --caid yourCAIDFromThePortal --TemplateID YourTemplateIDFromThePortal -v 20
the following options are available for this command:
-d, --DNS Required. DNS Entry for this Domain Controller -s, --SubjectName Required. Subject Name for this certificate for example: CN=server1.contoso.com OU=Domain Controllers DC=contoso DC=com --caid Required. CA ID of the CA you want to request the certificate from --TemplateID Required. Template ID of the template you want to request the certificate from (Note: Only SCEP templates are supported) -v, --Validity Required. Certificate validity in days -g, --DCGUID Domain Controller GUID. This is only required if SMTP replication is used in your domain. Learn more: https://learn.microsoft.com/en-US/troubleshoot/windows-server/windows-security/requirements-doma in-controller#how-to-determine-the-domain-controller-guid --AppInsights Azure Application Insights connection string to send logs to -e, --EZCAInstance (Default: https://portal.ezca.io/) EZCA instance url --EKUs (Default: 220.127.116.11.18.104.22.168.2,22.214.171.124.126.96.36.199.1,188.8.131.52.4.1.3184.108.40.206,220.127.116.11.18.104.22.168) EKUs requested for the certificate --AzureCLI (Default: false) Use Azure CLI as authentication method
Once you have created your first certificate for the domain controller, we have to set a schedule task to run the renewal command:
.\EZCACertManager.exe renew -s \"CN=server1.contoso.com\" --LocalStore