The Enterprise Read-Only Domain Controllers (ERODC) group is not included in the default groups that are granted permissions on the Domain Controller certificate template. This prevents read-only domain controllers (RODCs) from enrolling for a domain controller certificate and from being automatically enrolled.
A domain controller requires a Domain Controller certificate to authenticate a logon that uses a smart card. Because the RODCs cannot obtain the domain controller certificate by default, they cannot authenticate a smart card logon by default.
Impact
Smart card logons that are authenticated by an RODC fail. An error message appears that states that the operation is not supported.
Solution
To make it possible for an RODC to authenticate smart card logons, modify the following certificate templates:
- On the Domain Controller certificate template, allow Enroll permission for the ERODC group.
- On the Domain Controller Authentication and Directory E-Mail Replication certificate templates, allow Enroll and Autoenroll permissions for the ERODC group, and allow Read permission for the Authenticated Users group.
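The following PowerShell script is an added example, not part of the original post, that applies the three template changes above by editing the template objects' ACLs in the Configuration partition. It assumes the ActiveDirectory module, Enterprise Admin rights, the default group name Enterprise Read-only Domain Controllers, and the default template common names DomainController, DomainControllerAuthentication and DirectoryEmailReplication; the function names are the example's own.

```powershell
# Added example (not the original post's code): grant the ERODC group Enroll /
# Autoenroll on the templates named above and Read to Authenticated Users.
# Assumes the ActiveDirectory module, Enterprise Admin rights and the default
# template common names; run it on a writable DC or admin workstation.
Import-Module ActiveDirectory

# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [Guid]'a1cf8d7b-7dd7-11d2-90d4-00c04f79dc55'

# Certificate templates live in the Configuration naming context
$configNc    = (Get-ADRootDSE).configurationNamingContext
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$erodcSid     = (Get-ADGroup 'Enterprise Read-only Domain Controllers').SID
$authUsersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'  # Authenticated Users

function Grant-TemplateAccess {
    # Add Allow ACEs for $Identity on one template: one ExtendedRight ACE per
    # requested right GUID, plus an optional GenericRead ACE.
    param(
        [Parameter(Mandatory)][string]$TemplateCn,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Identity,
        [Guid[]]$ExtendedRights = @(),
        [switch]$Read
    )
    $path = "AD:\CN=$TemplateCn,$templatesDn"
    $acl  = Get-Acl -Path $path

    foreach ($right in $ExtendedRights) {
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $Identity,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $right)
        $acl.AddAccessRule($ace)
    }
    if ($Read) {
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $Identity,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $path -AclObject $acl
}

function Get-TemplateAccess {
    # Read back the ACEs that apply to $Identity so the change can be verified.
    param(
        [Parameter(Mandatory)][string]$TemplateCn,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Identity
    )
    $acl = Get-Acl -Path "AD:\CN=$TemplateCn,$templatesDn"
    $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Identity
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
}

# Domain Controller is a version 1 template: Enroll only, no Autoenroll.
Grant-TemplateAccess -TemplateCn 'DomainController' -Identity $erodcSid -ExtendedRights $EnrollRight

# The two version 2 templates: Enroll + Autoenroll for ERODC, Read for Authenticated Users.
foreach ($cn in 'DomainControllerAuthentication', 'DirectoryEmailReplication') {
    Grant-TemplateAccess -TemplateCn $cn -Identity $erodcSid -ExtendedRights $EnrollRight, $AutoEnrollRight
    Grant-TemplateAccess -TemplateCn $cn -Identity $authUsersSid -Read
}

# Verify: each template should now list ExtendedRight ACEs for the ERODC SID whose
# ObjectType is the Enroll GUID (and the Autoenroll GUID on the v2 templates).
foreach ($cn in 'DomainController', 'DomainControllerAuthentication', 'DirectoryEmailReplication') {
    "== $cn"
    Get-TemplateAccess -TemplateCn $cn -Identity $erodcSid | Format-Table -AutoSize
}
```

The ACL change replicates to the RODCs through normal AD replication; the RODC then has to enrol, so either wait for the next autoenrollment cycle or trigger one on the RODC with `certutil -pulse`. Note that this grants every RODC the ability to obtain a certificate that authenticates as a domain controller, which is exactly what the smart card logon path needs, so keep the grant to the ERODC group rather than widening it further.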