2022-08-12

Microsoft is trying to tighten the screws in the fight against golden certificates – unfortunately not entirely successfully.

The danger posed by golden certificates stems from a useful feature: clients (both users and computers) can authenticate to the domain controller over Kerberos using the PKINIT procedure with a certificate and its associated private key, and can thus obtain a Kerberos ticket without ever using a password.

The term “golden certificate” was coined by Christoph Falta, modeled on the golden tickets for Kerberos logon in Active Directory, and has already been discussed in detail in an earlier article. Passwordless logon is used, among other things, for smart card logon and Windows Hello for Business. However, PKINIT is active even if none of these logon methods is used productively in the AD in question.

Focus on network in Active Directory

The requirements that a certificate must meet to be usable for a PKINIT Kerberos logon are detailed in the “PKINIT Login Certificate Requirements” box. From a security perspective, the key question is how, after basic validation, the domain controller maps the certificate to a specific AD computer or user account, for which it then issues a Kerberos ticket. The possible variants of this process, known as certificate mapping, are described in the “Mapping of certificates to Active Directory accounts” box.
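The mapping step described above, as an added example that is not part of the original article: a small Python model of the two mapping paths a domain controller tries in turn, explicit mapping through the account's altSecurityIdentities attribute (here the strong X509:<I>issuer<SR>reversed-serial form) and implicit mapping through the UPN in the certificate's subjectAltName. The directory contents, certificate fields, CA name and serial numbers are constructed for the example; the `enforce_strong` flag is a simplified stand-in for the SID-extension check Microsoft added in 2022, not an exact model of the domain controller's compatibility and enforcement modes.

```python
"""Toy model of PKINIT certificate mapping on a domain controller.

Constructed example, not code from the article. It shows why a certificate
whose SAN carries the victim's UPN is enough to obtain a ticket for that
account, and how the explicit <I><SR> mapping string is derived.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Cert:
    """The certificate fields that matter for mapping (assumed already validated)."""
    issuer: str                 # issuer DN in the reversed form AD writes it
    serial_hex: str             # serial number as certutil prints it (big-endian hex)
    upn: Optional[str] = None   # UPN otherName from the subjectAltName, if any
    sid: Optional[str] = None   # value of the szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) extension, if any


@dataclass
class Account:
    sam_account_name: str
    user_principal_name: str
    object_sid: str
    alt_security_identities: List[str] = field(default_factory=list)


def reversed_serial(serial_hex: str) -> str:
    """The <SR> component of a mapping string is the serial with its byte order reversed."""
    return bytes.fromhex(serial_hex)[::-1].hex()


def issuer_serial_mapping(cert: Cert) -> str:
    """Build the strong explicit mapping string for altSecurityIdentities."""
    return f"X509:<I>{cert.issuer}<SR>{reversed_serial(cert.serial_hex)}"


def map_certificate(cert: Cert, accounts: List[Account],
                    enforce_strong: bool = False) -> Tuple[str, Optional[Account]]:
    """Return (mapping kind, account). Explicit mapping is tried before implicit mapping."""
    wanted = issuer_serial_mapping(cert).lower()
    explicit = [a for a in accounts
                if wanted in (m.lower() for m in a.alt_security_identities)]
    if len(explicit) > 1:
        return "ambiguous", None          # two accounts claim the same certificate
    if explicit:
        return "explicit", explicit[0]
    if cert.upn is None:
        return "none", None               # nothing left to look up
    hits = [a for a in accounts if a.user_principal_name.lower() == cert.upn.lower()]
    if not hits:
        return "none", None
    account = hits[0]
    # Simplified strong-mapping check: the SID carried in the certificate must match the account.
    if enforce_strong and cert.sid != account.object_sid:
        return "rejected", None
    return "implicit", account


# Constructed directory: a built-in admin and a service account with an explicit mapping.
CA_ISSUER = "DC=example,DC=corp,CN=CORP-CA"
ACCOUNTS = [
    Account("Administrator", "administrator@corp.example", "S-1-5-21-1111-2222-3333-500"),
    Account("svc-backup", "svc-backup@corp.example", "S-1-5-21-1111-2222-3333-1105",
            alt_security_identities=[f"X509:<I>{CA_ISSUER}<SR>0100f0e0"]),
]

# Constructed certificates: a legitimately issued one and two forged with the CA key.
LEGIT_SVC = Cert(CA_ISSUER, "e0f00001", upn="svc-backup@corp.example")
FORGED = Cert(CA_ISSUER, "deadbeef01", upn="administrator@corp.example")
FORGED_WITH_SID = Cert(CA_ISSUER, "deadbeef01", upn="administrator@corp.example",
                       sid="S-1-5-21-1111-2222-3333-500")


def demo() -> Dict[str, str]:
    """Run the three certificates through both mapping regimes."""
    out = {}
    for name, cert in (("legit", LEGIT_SVC), ("forged", FORGED), ("forged_sid", FORGED_WITH_SID)):
        for mode in (False, True):
            kind, acct = map_certificate(cert, ACCOUNTS, enforce_strong=mode)
            who = acct.sam_account_name if acct else "-"
            out[f"{name}/{'strong' if mode else 'legacy'}"] = f"{kind}:{who}"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The forged certificate maps to Administrator under legacy implicit mapping with nothing but the right UPN in its SAN. The strong check turns that away when the SID extension is missing, but an attacker who holds the CA private key can simply embed the correct SID as well, which is why the check alone does not end the golden-certificate problem.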