Anyone with issues regarding the 24H2 security baselines and the breaking of WH4B smart cards issued by internal PKI? We are using this on some of our customers and ourselves for RDP authentication on RD Gateways, and also other domain resources like SMB shares. All smart cards are issued from standalone enterprise CAs configured as SHA-256 and running on Windows Server 2019-2022. Certificate templates are configured as per Microsoft's documentation for WH4B with RDP.
In environments with domain controllers running on Windows Server 2019+ without any security baselines, we are getting an error message when trying to authenticate with the smart cards over RDP (apologies if the translation is bad, the error was in Norwegian):
"There was an authentication error. Generation of the hash-code for the set hash-version and hash-type is not activated on the server."
In environments where we have domain controllers and member servers running 2022 with security baselines, RDP works fine, but authentication to SMB shares is for some reason failing with the smart cards. The error message here is along the lines of "there is no available domain controller". At this point it is not 100% clear whether this is a mix of Windows accessing the share and software running on the Windows client computers, or just one of the two.
In both cases, we can set the following values on these registry keys on the client computers, followed by a reboot of the client computer, to get around the issues:
# Policy value read by the KDC service (domain controllers); stored as a DWORD, so set the type explicitly
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters" -Name "PKINITSHA1" -Value 1 -Type DWord -Force -Confirm:$false
# Policy value read by the Kerberos client on the machine doing the logon
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" -Name "PKINITSHA1" -Value 1 -Type DWord -Force -Confirm:$false
We are however unsure where and what we need to change for this to work, without re-enabling legacy stuff again.
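Before deciding where to flip anything, it helps to see what the baseline actually set on each machine type. The script below is an added example, not code from the post above: it inventories the four PKINIT hash values under both policy keys the post touches (KDC side and Kerberos client side) and provides a typed setter that creates the key if it is missing. It assumes the value names PKINITSHA1/PKINITSHA256/PKINITSHA384/PKINITSHA512 and that the policy's "Not supported / Supported / Audited" options map to 0/1/2; the function names are my own.

```powershell
# Added example (not from the original post). Inventories and optionally changes the
# PKINIT hash-algorithm policy values behind the workaround described in the post.
# Assumptions: value names PKINITSHA1/256/384/512 under both keys, and the mapping
# 0 = Not supported, 1 = Supported, 2 = Audited. Run elevated on a DC and on a client.

$PkinitPolicyKeys = @{
    'KDC'      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'      # read by domain controllers
    'Kerberos' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' # read by the Kerberos client
}
$PkinitHashValues = 'PKINITSHA1', 'PKINITSHA256', 'PKINITSHA384', 'PKINITSHA512'
$PkinitStateNames = @{ 0 = 'Not supported'; 1 = 'Supported'; 2 = 'Audited' }   # assumed mapping

function Get-PkinitHashPolicy {
    # One row per (role, algorithm); a missing value means the OS default applies.
    foreach ($role in $PkinitPolicyKeys.Keys) {
        $path  = $PkinitPolicyKeys[$role]
        $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        foreach ($name in $PkinitHashValues) {
            $raw = $null
            if ($props -and $props.PSObject.Properties[$name]) { $raw = [int]$props.$name }
            $state = if ($null -eq $raw) { 'Not configured (OS default)' }
                     elseif ($PkinitStateNames.ContainsKey($raw)) { $PkinitStateNames[$raw] }
                     else { "Unknown ($raw)" }
            [pscustomobject]@{
                Role      = $role
                Algorithm = $name.Substring(6)   # 'SHA1', 'SHA256', ...
                Value     = $raw
                State     = $state
                Path      = $path
            }
        }
    }
}

function Set-PkinitHashPolicy {
    # Typed setter: writes a DWORD (Set-ItemProperty -Value "1" on an absent value would
    # create a REG_SZ) and creates the policy key when no GPO has created it yet.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('KDC', 'Kerberos')][string]$Role,
        [Parameter(Mandatory)][ValidateSet('SHA1', 'SHA256', 'SHA384', 'SHA512')][string]$Algorithm,
        [Parameter(Mandatory)][ValidateSet('NotSupported', 'Supported', 'Audited')][string]$State
    )
    $path  = $PkinitPolicyKeys[$Role]
    $value = @{ NotSupported = 0; Supported = 1; Audited = 2 }[$State]
    if ($PSCmdlet.ShouldProcess("$path\PKINIT$Algorithm", "set to $value ($State)")) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name "PKINIT$Algorithm" -Value $value -Type DWord
    }
}

# Inventory first; compare the output from a baseline-hardened DC with a client.
Get-PkinitHashPolicy | Format-Table Role, Algorithm, Value, State -AutoSize

# Example: put SHA-1 on the client side into the audited state rather than re-enabling it outright
# (-WhatIf shows the change without writing it).
Set-PkinitHashPolicy -Role Kerberos -Algorithm SHA1 -State Audited -WhatIf
```

Two points on using this. The KDC key only matters on domain controllers, so a client-side write to it is inert and the working part of the post's workaround is the Kerberos key. And because both keys live under the Policies hive, a GPO that delivers the baseline will reapply its values at the next policy refresh, so a local registry edit is not a durable fix; the lasting change belongs in the baseline GPO (or a higher-precedence override GPO) scoped to the DCs or clients that actually need it.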