{"id":1301,"date":"2025-10-18T20:30:03","date_gmt":"2025-10-18T18:30:03","guid":{"rendered":"https:\/\/blog.chrisse.se\/?p=1301"},"modified":"2025-10-18T20:30:03","modified_gmt":"2025-10-18T18:30:03","slug":"when-your-enterprise-pki-becomes-one-of-your-enemies-part-8","status":"publish","type":"post","link":"https:\/\/blog.chrisse.se\/?p=1301","title":{"rendered":"When your Enterprise PKI becomes one of your enemies (Part 8)"},"content":{"rendered":"\n

So the security updates for October has arrived and \u201cAllowNtAuthPolicyBypass\u201d registry key is now gone from kdcsvc.dll – All CAs that issue certificates to be used for PKINIT against Active Directory must now be trusted in NTAuth.

Please do not add CA’s to NTAuth that you don’t trust, as any one who can issue a certificate with subject of choice from those still can impersonate any user account within your forest e.g. a DA\/EA and this is regardless of StrongCertificateBindingEnforcement and NTAuthEnforcement.

A good solution to keep NTAuth safe is NTAuthGuard by Carl S\u00f6rqvist.
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


Read more about the NTAuthGuard solution \u2013 how to set it up and get all the required content from Carl\u2019s GitHub https:\/\/github.com\/CarlSorqvist\/PsCertTools\/tree\/main\/NTAuthGuard<\/a><\/p>\n\n\n\n

But as I use to say, there is always a secret key – as with “StrongCertificateBindingEnforcement” another key instead of “AllowNtAuthPolicyBypass” can be used to “unsupported so far I know” turn off the NTAuthEnforcement requirement. You will find it by using:<\/p>\n\n\n\n

.\\strings.exe -n 5 -o -f 671232 C:\\Windows\\system32\\kdcsvc.dll<\/code><\/pre>\n\n\n\n
But do not use it, you will be subject to vulnerabilities, however this new regkey has two modes:<\/p>\n\n\n\n
    \n
  1. if set to “0” it will just silently ignore if the CA is in NTAuth or not<\/li>\n\n\n\n
  2. if set to “1”  it will log Event 45 for KDC<\/li>\n<\/ol>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    <\/p>\n\n\n\n
    By the way my session at HIPConf25 on this subject is now available online for everyone to watch:
    Enterprise PKI Today: Friend or Foe? – Hip Conf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    So the security updates for October has arrived and \u201cAllowNtAuthPolicyBypass\u201d registry key is now gone from kdcsvc.dll – All CAs that issue certificates to be used for PKINIT against Active Directory must now be trusted in NTAuth. Please do not add CA’s to NTAuth that you don’t trust, as any one who can issue a … <\/p>\n
    Continue reading “When your Enterprise PKI becomes one of your enemies (Part 8)”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[36,1],"tags":[30],"class_list":["post-1301","post","type-post","status-publish","format-standard","hentry","category-public-key-infrastructure-pki","category-uncategorized","tag-pki"],"_links":{"self":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1301","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1301"}],"version-history":[{"count":3,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1301\/revisions"}],"predecessor-version":[{"id":1306,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1301\/revisions\/1306"}],"wp:attachment":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1301"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1301"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}