Can I use AD CS to Authenticate Domain Users Instead of a Password?

I have a number of Active Directory Domain User Accounts, which function essentially as service accounts. I'd like to avoid having to rotate the passwords for all of those domain user accounts, and rather allow/force those domain user accounts to authenticate via certificates (AD CS) when the domain user accounts are used to run scripts/scheduled tasks/RDP connections.

I've installed AD CS following https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129709(v=ws.11), but am getting lost somewhere trying to validate that domain user accounts are able to authenticate via AD CS rather than domain user/password.

How can I implement a structure where domain user accounts can authenticate to domain-joined servers using certificates (AD CS) rather than domain user/password?

For the record, I'm still running Server 2012 R2 on all my domain controllers, and currently have AD CS installed on one of the two synchronized domain controllers.

Davidw
Is there a reason you're not using Managed Service Accounts? https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009
Semicolon
Well, you certainly can - that's the principle behind one of the more recent exploits -- though that was principally an NTLM relay attack. You should know that the Task Scheduler does not support certificate-based authentication.
Semicolon
Couldn't use a gMSA for an automated RDP connection - they specifically cannot log in in that fashion -- likely one reason why (at least in that case) a gMSA is not used.
Davidw
A more up-to-date link: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-on-premises
cuddlydingo
@Davidw I was staying away from MSAs because I wanted to be able to control the user account via AD DS groups (https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-on-premises), and because I wanted the user account to be able to run with appropriate permissions on any domain-joined computer, rather than a specific single computer. Can MSAs be set up so that one MSA can target any domain-joined machine?