Does KB5023788 support Full Enforcement mode while using certificate-based authentication?

Kane 76 Reputation points
2023-03-22T16:30:20.5066667+00:00

Hi;

I am running Windows Server 2012 R2 as DC and one Windows Server 2016 server as Active Directory Certificate Services. My laptop is using certificate-based authentication with NPS.

I am doing some updates on the DC and the Certificate Authority server in order to fulfill the requirement posted here: https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_fullenforcemode

On my Windows Server 2016 I installed Security Update KB5023788, and all Domain Controllers are patched up to date.

How can I make sure that I have the strong (secure) certificate mapping already to complete the authentication?


Accepted answer
  1. Dave Patrick 426.1K Reputation points MVP
    2023-03-23T18:42:06.2766667+00:00

    From the document above:
    Once you have installed the May 10, 2022 Windows updates, devices will be in Compatibility mode. If a certificate can be strongly mapped to a user, authentication will occur as expected. If a certificate can only be weakly mapped to a user, authentication will occur as expected. However, a warning message will be logged unless the certificate is older than the user. If the certificate is older than the user and the Certificate Backdating registry key is not present or the range is outside the backdating compensation, authentication will fail, and an error message will be logged. If the Certificate Backdating registry key is configured, it will log a warning message in the event log if the dates fall within the backdating compensation.

    After you install the May 10, 2022 Windows updates, watch for any warning message that might appear after a month or more. If there are no warning messages, we strongly recommend that you enable Full Enforcement mode on all domain controllers using certificate-based authentication. You can use the KDC registry key to enable Full Enforcement mode.

    So you can add the keys manually to the registry as needed, but after 11/14/2023 the keys will be unsupported: installing updates for Windows released on November 14, 2023, or later will enable Full Enforcement mode.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


5 additional answers

  1. Dave Patrick 426.1K Reputation points MVP
    2023-03-28T00:53:21.85+00:00

    The registry keys will not exist by default. If you want them, you must add them manually, but the keys will be unsupported after installing updates for Windows released on November 14, 2023, or later, which will enable Full Enforcement mode.

    Event log ID 39 is a warning if the KDC is in Compatibility mode; it's an error when the KDC is in Enforcement mode.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Dave Patrick 426.1K Reputation points MVP
    2023-03-22T17:04:27.4766667+00:00

    You could check:

    StrongCertificateBindingEnforcement = 2

    CertificateMappingMethods = 0x18

    CertificateBackdatingCompensation is not set

    --please don't forget to upvote and Accept as answer if the reply is helpful--
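    The two answers above give the values to inspect (StrongCertificateBindingEnforcement, CertificateMappingMethods, CertificateBackdatingCompensation) and the event to watch for (KDC Event ID 39). The script below is an added example, not part of the thread or of Microsoft's documentation, that reads those settings on the local DC and counts Event 39 entries over the last 30 days; value meanings and the SCHANNEL location of CertificateMappingMethods are taken from the KB5014754 article linked in the question, and the 30-day window is an assumption based on the "a month or more" guidance quoted above.

```powershell
# Added example: audit a domain controller's certificate-mapping posture for KB5014754.
# Run in an elevated PowerShell session on each DC; the thread's answers give the value names.
$KdcPath      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$SchannelPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent, so "not set" can be reported explicitly
    # (the answer above notes the keys do not exist by default).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Show-Value {
    param($Value, [switch]$Hex)
    if ($null -eq $Value) { return 'not set' }
    if ($Hex) { return ('0x{0:X}' -f [int]$Value) }
    return $Value
}

$enforcement = Get-RegValueOrNull $KdcPath      'StrongCertificateBindingEnforcement'
$backdating  = Get-RegValueOrNull $KdcPath      'CertificateBackdatingCompensation'
$mapping     = Get-RegValueOrNull $SchannelPath 'CertificateMappingMethods'

# KB5014754 semantics: 0 = Disabled, 1 = Compatibility (the default after the May 2022
# update when the value is absent), 2 = Full Enforcement.
$mode = switch ($enforcement) {
    0       { 'Disabled' }
    2       { 'Full Enforcement' }
    default { 'Compatibility (default when the value is absent)' }
}

# Event 39 from the KDC is a warning in Compatibility mode and an error in Enforcement mode.
# A 30-day window with zero hits is the assumed threshold before moving to value 2.
$since = (Get-Date).AddDays(-30)
$ev39  = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 39
    StartTime    = $since
} -ErrorAction SilentlyContinue)

[pscustomobject]@{
    ComputerName                        = $env:COMPUTERNAME
    StrongCertificateBindingEnforcement = Show-Value $enforcement
    Mode                                = $mode
    CertificateMappingMethods           = Show-Value $mapping -Hex
    CertificateBackdatingCompensation   = Show-Value $backdating
    Event39Last30Days                   = $ev39.Count
    NoWeakMappingWarnings30d            = ($ev39.Count -eq 0)
}
```

    Run it on every DC, since each KDC evaluates the mapping independently; a DC reporting Compatibility mode with no Event 39 entries is the case the accepted answer describes as ready for Full Enforcement.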


  3. Kane 76 Reputation points
    2023-03-22T22:22:45.0666667+00:00

    Thank you!

    Based on my findings, the mentioned keys can be found in the DC registry at

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

    If I do not see those keys, does it mean my server did not update properly? Do all DCs need the same keys?

    Do the keys also need to be applied on the Certificate Authority server?


  4. Kane 76 Reputation points
    2023-03-23T16:13:00.35+00:00

    Could you refer me to any link that explains the concept of these three values and when I should use them?

    StrongCertificateBindingEnforcement = 2

    CertificateMappingMethods = 0x18

    CertificateBackdatingCompensation is not set
