List AD domain controller LDAPS certificates
List AD domain controller LDAPS certificates

Kerberos uses certificates to encrypt communication between the Kerberos client and the Kerberos Key Distribution Center (KDC). If you’re domain controllers use certificate for KDC you can list them by runnning this script:

$domains = (Get-ADForest).domains
$dcs = (Get-ADForest).globalcatalogs

$list = @()

$domains | Sort-Object  | % {
    $domain = $_
    $list += $dcs | ? {($_.split(".")[1..($_.split(".").length -1)] -join ".") -eq $domain} | Sort-Object 
}

$list | % { 
    Invoke-Command -ComputerName $_ -ScriptBlock {
        $certinfo = gci -path Cert:\LocalMachine\My | select * | ? { $_.EnhancedKeyUsageList -match "KDC Authentication" }

        if ($certinfo){
            if ($certinfo.length -gt 1){
		$certinfo | % {
			$cert = $_
			write-host -ForegroundColor Green "$env:COMPUTERNAME : existing KDC cert (Thumbprint="$cert.Thumbprint" / issuer="$cert.Issuer" / expires after:"$cert.NotAfter")"
		}
            }
            else {
		write-host -ForegroundColor Green "$env:COMPUTERNAME : existing KRB cert (Thumbprint="$certinfo.Thumbprint" / issuer="$certinfo.Issuer" / expires after:"$certinfo.NotAfter")"
            }
        }
        else {
            write-host -ForegroundColor DarkCyan "$env:COMPUTERNAME : no Kerberos certificate found"
        }
    }
}

First of all the script will list all the domain controllers in the Active Directory forest and sort them by domain name. After that, the script will list the certificate on each domain controller that have the enhanced key usage “KDC Authentication” (1.3.6.1.5.2.3.5)

<>

My Powershell script categories

List AD domain controller KDC certificates

Leave a Reply

Your email address will not be published. Required fields are marked *