Manually map Windows device certificate to AD CS in response to KB5014754—Certificate-based authentication changes on Windows domain controllers

Kane 76 Reputation points
2023-04-12T18:59:37.8533333+00:00

Hi; after reading KB5014754—Certificate-based authentication changes on Windows domain controllers, I just recently applied the Windows monthly rollup security update on my Windows DCs and AD CS server. After the update, I did not see the OID field in my device certificate. I am using certificates to authenticate domain-joined computers with an NPS server. After reading tons of documents and references on the internet, I decided to use the manual mapping method to map the certificate. But I am not sure if this syntax from KB5014754 can be used for a computer device:

set-aduser 'DomainUser' -replace @{altSecurityIdentities= "X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B"}

Or do I just go to the Attribute Editor in ADUC and manually add X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B to the "altSecurityIdentities" field? Apart from the mapping, do I need to add this to my DC registry key? If needed, I have 4 DCs; do I add this key to all 4?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement REG_DWORD -> 1
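As an added example (not code from the thread or from KB5014754), this is the computer-object counterpart of the Set-ADUser command quoted above: it derives the `<I>`/`<SR>` mapping string from the device certificate itself and writes it with Set-ADComputer. The certificate file path and computer name are placeholders.

```powershell
# Added example, not from the thread or the KB. Builds the X509IssuerSerialNumber
# mapping ("X509:<I>issuer<SR>serial") for a domain-joined computer from its
# certificate and writes it to the computer object's altSecurityIdentities.
Import-Module ActiveDirectory

function Get-X509IssuerSerialMapping {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # KB5014754 wants the issuer in reverse RDN order:
    # "CN=CONTOSO-DC-CA, DC=contoso, DC=com" -> "DC=com,DC=contoso,CN=CONTOSO-DC-CA".
    # Plain comma split; adjust if an RDN value itself contains an escaped comma.
    $rdns = $Certificate.Issuer -split ',\s*'
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','

    # The serial number is written with its byte order reversed: split the hex
    # string into two-character bytes, reverse the list, and join it back.
    $hex   = $Certificate.SerialNumber.ToUpperInvariant()
    $bytes = for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) }
    [array]::Reverse($bytes)
    $serial = $bytes -join ''

    return "X509:<I>$issuer<SR>$serial"
}

$certPath     = 'C:\temp\Laptop-PC-10013.cer'   # placeholder: exported device certificate
$computerName = 'Laptop-PC-10013'               # placeholder: the computer account

$cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$mapping = Get-X509IssuerSerialMapping -Certificate $cert
Write-Host "Mapping string: $mapping"

# -Replace overwrites any existing altSecurityIdentities values; use -Add to append.
Set-ADComputer -Identity $computerName -Replace @{ altSecurityIdentities = $mapping }

# Read back what was written so it can be checked against the certificate.
Get-ADComputer -Identity $computerName -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```

The StrongCertificateBindingEnforcement value is read by the KDC on each domain controller individually, so whatever mode is chosen has to be set consistently on every DC.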


4 answers

  1. Vadims Podāns 9,131 Reputation points MVP
    2023-04-13T08:33:16.8333333+00:00

    The new extension will appear only in certificates issued AFTER applying the KB article to the CA server. Existing certificates remain unchanged. Keep in mind that the SID extension is included in certificates that are issued against online templates (where the subject is built from AD). Certificates issued against offline templates (where the subject is supplied from the request) will not contain the SID extension, because offline certificates do not map to devices in AD by default. It is unclear whether your certificate was issued against an online or offline template.


  2. Kane 76 Reputation points
    2023-04-13T16:39:08.7+00:00

    Thanks for your reply. I believe that my certificate was issued offline.

    Recently I applied the Windows updates on all DCs and the CA server, but it looks like the Windows update did not use the update released in May 2022. On the DC server, I have these Windows updates applied:

    2022-02 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB5010419)
    2022-08 Security Update for Windows Server 2012 R2 for x64-based Systems (KB5012170)
    2023-03 Servicing Stack Update for Windows Server 2012 R2 for x64-based Systems (KB5023790)
    2023-03 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB5023765)

    On the CA server, I have these Windows updates applied. The CA server is a Windows Server Core server.

    Source  Description      HotFixID
    CA001   Update           KB4049065
    CA001   Security Update  KB4521858
    CA001   Security Update  KB5023788
    CA001   Update           KB4519979

    Also, in the Event Viewer of my DC, I found Event ID 39 in the Windows System log: "The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping." Here "User" is a Windows laptop.

    User: Laptop-PC-10013$
      Certificate Subject: CN=Laptop-PC-10013, OU=LapTop-General, OU=Workstations, DC=mycompany, DC=com
      Certificate Issuer: CA001-CertificateAuthority
      Certificate Serial Number: 450000263502ADB69AB7C30C22000000002244
      Certificate Thumbprint: 45F46A15B654C645D644A6458E6546F64514A64E
    

  3. Kane 76 Reputation points
    2023-04-17T20:43:52.72+00:00

    Hi; can anyone help?


  4. Debopam Basu 0 Reputation points
    2023-07-02T20:49:50.09+00:00

    Really surprised to see that there is no further update from MS on a resolution for this huge worldwide change.

