Kerberos for mscertsrv_ca_handler.py

[3engel]

The mscertsrv_ca_handler.py handler doesn't support Kerberos authentications like mswcce_ca_handler.py.
However, using NTLM is a security issue and therefore Kerberos is recommended. Therefore it would be great to support kerberos also for mscertsrv_ca_handler.py.

[grindsa]

You proposal makes sense however the implementation is not that straight forward as it also requires modifications on the certsrv module. I am planning to look into it as part of next release.

As I am not an MS expert. Do you know how to enable Kerberos for on the MS Web Enrollment Service?

[3engel]

Sure. Since the MS Web Enrollment Service is using IIS (Internet Information Services / MS Web Server) the authentication configured there. In IIS under the CertSrv node there is an "Authentication" Option. "Windows Authentication" should be enabled.
In the providers list "Negotiate:Kerberos" should be configured as the only option.

It is also discribed here: https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429#:~:text=Disable%20NTLM%20Authentication%20on%20your,Restrict%20NTLM%3A%20Incoming%20NTLM%20traffic.

Many thanks for considering it.

[grindsa]

Feature made it into v0.35. Thus, closing this issue. In case you have comments feel free to reopen...