te-duncan asked DaisyZhou-MSFT answered

Mitigating NTLM Relay Attacks on Active Directory Certificate Services

I have some questions left...

There is a section in the KB5005413 article which mentions manually editing the web.config file: After enabling EPA in the UI, the Web.config file created by CES role at 'windir\systemdata\CES_CES_Kerberos\web.config'...

I have only installed 'Certificate Authority Web Enrollment', not the 'Certificate Enrollment Web Service'. I cannot find a web.config there. Is web.config editing only necessary if you have installed 'Certificate Enrollment Web Service'?

Setting the Certificate Authority Web Enrollment to only Negotiate: Kerberos, the UI warns about 'Enable Kernel-mode authentication' in Extended Protection.

The MS screenshot in KB5005413 (Certificate Authority Web Enrollment) shows that MS has checked the box for 'Enable Kernel-mode authentication' selecting 'Required' under Extended Protection.

What is correct? To disable 'Enable Kernel-mode authentication' and set Extended Protection to 'Required' while using only 'Negotiate: Kerberos'?

Please help/clarify - thank you


1 Answer

DaisyZhou-MSFT answered

Hello @te-duncan,

Thank you for posting here.

Here are the answers for your references.

I have only installed 'Certificate Authority Web Enrollment', not the 'Certificate Enrollment Web Service'. I cannot find a web.config there. Is web.config editing only necessary if you have installed 'Certificate Enrollment Web Service'?
A1: Yes, from the article, we can see it is.

What is correct? To disable 'Enable Kernel-mode authentication' and set Extended Protection to 'Required' while using only 'Negotiate: Kerberos'?
A2: However, if you can't disable NTLM outright then we recommend enabling EPA on AD CS services. This is achieved by enabling 'Enable Kernel-mode authentication' and setting Extended Protection to 'Required'.

Or you can remove 'Certificate Authority Web Enrollment' role if you do not need it.


Hope the information above is helpful to you.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

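An added example, not from this thread or from Microsoft: a PowerShell audit of the Web Enrollment (CertSrv) settings the answer describes, run on the CA web server. It assumes the IIS WebAdministration module is present and that the application sits at the default 'Default Web Site/CertSrv' path (adjust $AppPath otherwise); it reports findings and only changes settings when -Apply is given.

```powershell
# Audit (and optionally apply) the Extended Protection and kernel-mode
# settings for Certificate Authority Web Enrollment discussed above.
# Assumption: WebAdministration module available (ships with the IIS role).
Import-Module WebAdministration

function Test-CertSrvEpa {
    param(
        [string]$AppPath = 'IIS:\Sites\Default Web Site\CertSrv',  # assumed default path
        [switch]$Apply   # set Extended Protection=Require and kernel-mode auth
    )
    $filter = 'system.webServer/security/authentication/windowsAuthentication'

    # Extended Protection: None | Allow | Require
    $tokenChecking = (Get-WebConfigurationProperty -Filter $filter -PSPath $AppPath `
                      -Name 'extendedProtection.tokenChecking').Value
    # Kernel-mode authentication checkbox in the IIS UI
    $kernelMode    = (Get-WebConfigurationProperty -Filter $filter -PSPath $AppPath `
                      -Name 'useKernelMode').Value
    # Enabled Windows authentication providers (e.g. Negotiate, NTLM, Negotiate:Kerberos)
    $providers     = (Get-WebConfiguration -Filter "$filter/providers/add" -PSPath $AppPath).value

    $findings = @()
    if ($tokenChecking -ne 'Require') { $findings += "Extended Protection is '$tokenChecking', expected 'Require'" }
    if (-not $kernelMode)             { $findings += 'Kernel-mode authentication is disabled' }
    # Plain 'Negotiate' can fall back to NTLM and 'NTLM' allows it outright;
    # either is only acceptable once Extended Protection is 'Require'.
    $ntlmCapable = $providers | Where-Object { $_ -in 'NTLM', 'Negotiate' }
    if ($ntlmCapable -and $tokenChecking -ne 'Require') {
        $findings += "NTLM-capable providers without EPA: $($ntlmCapable -join ', ')"
    }

    if ($Apply) {
        Set-WebConfigurationProperty -Filter $filter -PSPath $AppPath `
            -Name 'extendedProtection.tokenChecking' -Value 'Require'
        Set-WebConfigurationProperty -Filter $filter -PSPath $AppPath `
            -Name 'useKernelMode' -Value $true
    }

    [pscustomobject]@{
        Path          = $AppPath
        TokenChecking = $tokenChecking
        KernelMode    = $kernelMode
        Providers     = ($providers -join ', ')
        Findings      = $findings
    }
}

Test-CertSrvEpa            # report only
# Test-CertSrvEpa -Apply   # also set Extended Protection=Required and kernel-mode auth
```

Provider changes (for example restricting the list to 'Negotiate:Kerberos') are deliberately left to the administrator, since they depend on whether NTLM clients still need to enroll.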