I have a number of Active Directory Domain User Accounts, which function essentially as service accounts. I'd like to avoid having to rotate the passwords for all of those domain user accounts, and rather allow/force those domain user accounts to authenticate via certificates (AD CS) when the domain user accounts are used to run scripts/scheduled tasks/RDP connections.

I've installed AD CS following https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129709(v=ws.11), but am getting lost somewhere trying to validate that domain user accounts are able to authenticate via AD CS rather than domain user/password.

How can I implement a structure where domain user accounts can authenticate to domain-joined servers using certificates (AD CS) rather than domain user/password?

For the record, I'm still running Server 2012R2 on all my domain controllers, and currently have AD CS installed on one of the two synchronized domain controllers.

  • Is there a reason you're not using Managed Service Accounts? https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009 – Davidw Sep 10 '21 at 03:38
  • Well, you certainly can - that's the principle behind one of the more recent exploits -- though that was principally an NTLM replay attack. You should know that the task scheduler does not support certificate based authentication. – Semicolon Sep 10 '21 at 04:32
  • Couldn't use a gMSA for an automated RDP connection - they specifically cannot log in in that fashion -- likely one reason why (at least in that case) a gMSA is not used. – Semicolon Sep 10 '21 at 04:34
  • A more up to date link: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-on-premises – Davidw Sep 10 '21 at 04:48
  • @Davidw I was staying away from MSAs because I wanted to be able to control the user account via AD DS Groups (https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-on-premises), and because I wanted the user account to be able to run with appropriate permissions on any domain-joined computer, rather than a specific single computer. Can MSAs be set up so that one MSA can target any domain-joined machine? – cuddlydingo Sep 10 '21 at 14:04

0 Answers
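The comments above raise Group Managed Service Accounts as the alternative to rotating passwords, and the asker's open question is whether one MSA can be used from any domain-joined machine and controlled through AD groups. The following is an added example, not from anyone in the thread, showing the standard gMSA pattern for that: the set of hosts allowed to retrieve the password is an AD group rather than a single computer, rights are granted by group membership exactly as for a user account, and the scheduled task is registered without any stored password. All names (the domain `corp.example` / `CORP`, the gMSA `svc-report`, the groups `gMSA-ReportHosts` and `Report-Readers`, the hosts `SRV01`/`SRV02`, the OU path and the script path) are assumptions.

```powershell
# Added example: a gMSA usable from any computer in an AD group, running a scheduled task
# without a stored password. Names below are hypothetical.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key the DCs use to derive gMSA passwords.
# -EffectiveImmediately is for labs only; in production omit it and wait ~10 hours
# for the key to replicate before creating the first gMSA.
# Add-KdsRootKey -EffectiveImmediately

$gmsaName  = 'svc-report'          # assumed gMSA name; SAM account name is 'svc-report$'
$hostGroup = 'gMSA-ReportHosts'    # assumed group of computers allowed to use it
$ouPath    = 'OU=Service Hosts,DC=corp,DC=example'   # assumed

# Any computer account placed in this group may retrieve the gMSA password,
# so "one MSA, many hosts" is controlled by ordinary group membership.
New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer 'SRV01'), (Get-ADComputer 'SRV02')

# Create the gMSA; restrict Kerberos to AES so the 30-day auto-rotated password is never
# exposed as an RC4 key, and limit retrieval to the host group.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -KerberosEncryptionType AES128, AES256

# Permissions for what the account may touch are granted through AD groups, as with a user.
Add-ADGroupMember -Identity 'Report-Readers' -Members "$gmsaName$"

# --- On each member host (run after a reboot, or 'klist -li 0x3e7 purge', so the
# --- computer's own Kerberos ticket carries the new group membership) ---
Install-ADServiceAccount -Identity $gmsaName
# Returns True when this host can retrieve the gMSA password from a DC.
Test-ADServiceAccount -Identity $gmsaName

# Register a task that runs as the gMSA. LogonType Password with no -Password argument is
# the documented way to run a task as a gMSA: the host fetches the credential itself.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\report.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
$principal = New-ScheduledTaskPrincipal -UserId "CORP\$gmsaName$" -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName 'Nightly report' -Action $action -Trigger $trigger -Principal $principal
```

This covers the scripts and scheduled tasks in the question (and Windows services); it does not cover the automated RDP connections, since, as noted in the comments, a gMSA cannot perform an interactive logon. The password rotation the asker wanted to avoid happens automatically on the DC every 30 days and is never typed or stored by an administrator; the `Test-ADServiceAccount` call is the check worth running on each host before trusting the task to start.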