Kerberos uses certificates to encrypt communication between the Kerberos client and the Kerberos Key Distribution Center (KDC). If your domain controllers use a certificate for the KDC, you can list those certificates by running this script:
```powershell
# Collect every domain controller in the forest, grouped by domain and sorted.
$domains = (Get-ADForest).Domains | Sort-Object
$list = @()
foreach ($domain in $domains) {
    # Get-ADDomainController returns all DCs of the domain, not only the global catalogs.
    $list += Get-ADDomainController -Filter * -Server $domain |
        Select-Object -ExpandProperty HostName | Sort-Object
}

# On each DC, look in the machine store for certificates carrying the
# "KDC Authentication" enhanced key usage (OID 1.3.6.1.5.2.3.5).
# Matching on the OID rather than the friendly name keeps the check locale-independent.
$list | ForEach-Object {
    Invoke-Command -ComputerName $_ -ScriptBlock {
        $certinfo = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.2.3.5" }
        if ($certinfo) {
            # @() makes a single certificate iterate the same way as several.
            foreach ($cert in @($certinfo)) {
                Write-Host -ForegroundColor Green "$env:COMPUTERNAME : existing KDC cert (Thumbprint=$($cert.Thumbprint) / issuer=$($cert.Issuer) / expires after: $($cert.NotAfter))"
            }
        } else {
            Write-Host -ForegroundColor DarkCyan "$env:COMPUTERNAME : no Kerberos certificate found"
        }
    }
}
```
First, the script lists all the domain controllers in the Active Directory forest, sorted by domain name. It then lists, on each domain controller, the certificates that carry the enhanced key usage “KDC Authentication” (OID 1.3.6.1.5.2.3.5).
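As an added example that is not part of the original post, the following script turns the listing into a health check: for each KDC Authentication certificate it verifies the chain against the DC's own trust store, flags certificates that are expired or about to expire, and reports the subject alternative names, so an untrusted or expired KDC certificate (which breaks certificate-based Kerberos logon on that DC) stands out in the report. It assumes the ActiveDirectory module and PowerShell remoting to each DC; the `$WarnDays` parameter and the report column names are my own choices.

```powershell
# Added example, not the original post's script.
# Audits the KDC Authentication certificate on every DC in the forest.
param([int]$WarnDays = 30)   # hypothetical parameter: warning window before expiry

$KdcAuthOid = "1.3.6.1.5.2.3.5"

# All DCs of all domains in the forest (requires the ActiveDirectory module).
$dcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object -ExpandProperty HostName | Sort-Object

$report = Invoke-Command -ComputerName $dcs -ArgumentList $KdcAuthOid, $WarnDays -ScriptBlock {
    param($Oid, $WarnDays)

    $certs = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $Oid }

    if (-not $certs) {
        # A DC without a KDC certificate cannot serve certificate-based Kerberos logon.
        [pscustomobject]@{
            DC = $env:COMPUTERNAME; Thumbprint = $null; Status = "NO KDC CERT"
            Expires = $null; Issuer = $null; SubjectAltName = $null
        }
        return
    }

    foreach ($c in @($certs)) {
        $daysLeft = ($c.NotAfter - (Get-Date)).Days

        # X509Certificate2.Verify() builds the chain against this machine's trust
        # store and checks revocation, so a certificate from a CA the DC no longer
        # trusts is flagged even though it is still present in the store.
        $chainOk = $c.Verify()

        # Subject Alternative Name extension (OID 2.5.29.17); guard against its absence.
        $sanExt = $c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        $san = if ($sanExt) { $sanExt.Format($false) } else { "(none)" }

        $status = if (-not $chainOk) { "CHAIN INVALID" } elseif ($daysLeft -lt 0) { "EXPIRED" } elseif ($daysLeft -le $WarnDays) { "EXPIRING ($daysLeft days)" } else { "OK" }

        [pscustomobject]@{
            DC = $env:COMPUTERNAME; Thumbprint = $c.Thumbprint; Status = $status
            Expires = $c.NotAfter; Issuer = $c.Issuer; SubjectAltName = $san
        }
    }
}

# Problem states sort alphabetically ahead of "OK", so they appear first.
$report | Sort-Object Status, DC |
    Format-Table DC, Status, Expires, Thumbprint, Issuer, SubjectAltName -AutoSize
```

Run it from a workstation with the RSAT ActiveDirectory module as a user allowed to remote into the DCs. Because `Verify()` performs a revocation check, DCs that cannot reach the CA's CRL distribution point will show "CHAIN INVALID", which is itself worth knowing since the KDC performs the same check when validating client certificates.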
List AD domain controller KDC certificates