The new extension will appear only in certificates issued AFTER applying the KB article's update to the CA server. Existing certificates remain unchanged. Keep in mind that the SID extension is included in certificates that are issued against online templates (where the subject is built from AD). Certificates issued against offline templates (where the subject is supplied from the request) will not contain the SID extension, because offline certificates do not map to devices in AD by default. It is unclear whether your certificate was issued against an online or an offline template.
Manually map Windows device certificate to AD CS in response to KB5014754—Certificate-based authentication changes on Windows domain controllers
Hi,
After reading KB5014754—Certificate-based authentication changes on Windows domain controllers, I recently applied the Windows monthly rollup security update on my Windows DCs and AD CS server. After the update, I did not see the OID field in my device certificate. I am using the certificate to authenticate domain-joined computers with an NPS server. After reading tons of documents and references on the internet, I decided to use the manual mapping method to map the certificate. But I am not sure if this syntax from KB5014754 can be used for a computer device:

set-aduser 'DomainUser' -replace @{altSecurityIdentities= "X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B"}

Or do I just go to the Attribute Editor in ADUC and manually add X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B to the "altSecurityIdentities" field?

Apart from mapping, do I need to add this to my DC registry key? If so, I have 4 DCs; do I add this key to all 4?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement REG_DWORD -> 1
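As an added example (not code from the question or from any answer on this page), here is the computer-account form of the explicit mapping the question quotes: it derives the reversed issuer DN and the byte-reversed serial number from a certificate file and writes the X509:<I>...<SR>... value with Set-ADComputer. The certificate path is an assumption, and the RSAT ActiveDirectory module is required.

```powershell
# Added example (not from the question or any answer on this page): build the
# strong "X509:<I>issuer<SR>serial" mapping for a computer account from its
# certificate file and write it to altSecurityIdentities with Set-ADComputer.
# Assumes the RSAT ActiveDirectory module and a certificate exported to disk.
Import-Module ActiveDirectory

function New-StrongCertMapping {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # <I> takes the issuer DN with its RDNs in reverse order, e.g.
    # "CN=CONTOSO-DC-CA, DC=contoso, DC=com" -> "DC=com,DC=contoso,CN=CONTOSO-DC-CA".
    # Splitting on commas is enough for simple DNs; an escaped comma inside an RDN
    # would need a real DN parser.
    $rdns = @($cert.Issuer -split ',\s*')
    [array]::Reverse($rdns)
    $issuerReversed = $rdns -join ','

    # <SR> takes the serial number with its bytes reversed (two hex digits per byte).
    # $cert.SerialNumber is the big-endian hex string shown in the certificate UI.
    $pairs = @([regex]::Matches($cert.SerialNumber, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($pairs)
    $serialReversed = -join $pairs

    return "X509:<I>$issuerReversed<SR>$serialReversed"
}

# Computer name taken from the event quoted later in this thread (assumed to exist);
# computer objects are edited with Set-ADComputer, not Set-ADUser.
$computer = 'Laptop-PC-10013'
$mapping  = New-StrongCertMapping -CertPath 'C:\temp\Laptop-PC-10013.cer'   # path is an assumption

# -Add keeps any mappings already present; -Replace (as in the KB) overwrites all of them.
Set-ADComputer -Identity $computer -Add @{altSecurityIdentities = $mapping}

# Confirm the attribute now holds the mapping.
Get-ADComputer -Identity $computer -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```

Run it on a DC or a workstation with RSAT as an account allowed to write the computer object; the same string can be pasted into the altSecurityIdentities field in ADUC's Attribute Editor.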
4 answers
Kane 76 Reputation points
2023-04-13T16:39:08.7+00:00
Thanks for your reply. I believe that my certificate was issued from an offline template.
Recently, I applied the Windows update on all DCs and the CA server, but it looks like the Windows update did not include the update released in May 2022.
On the DC server, I have these Windows updates applied:
2022-02 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB5010419)
2022-08 Security Update for Windows Server 2012 R2 for x64-based Systems (KB5012170)
2023-03 Servicing Stack Update for Windows Server 2012 R2 for x64-based Systems (KB5023790)
2023-03 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB5023765)
On the CA server, I have these Windows updates applied. The CA server is a Windows Core server.
Source  Description       HotFixID
CA001   Update            KB4049065
CA001   Security Update   KB4521858
CA001   Security Update   KB5023788
CA001   Update            KB4519979
Also, in the Event Viewer of my DC, I find Event ID 39 in the Windows System log:
The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping.
Where "User" is a Windows laptop.
User: Laptop-PC-10013$
Certificate Subject: @@@CN=Laptop-PC-10013, OU=LapTop-General, OU=Workstations, DC=mycompany, DC=com
Certificate Issuer: CA001-CertificateAuthority
Certificate Serial Number: 450000263502ADB69AB7C30C22000000002244
Certificate Thumbprint: 45F46A15B654C645D644A6458E6546F64514A64E
Debopam Basu 0 Reputation points
2023-07-02T20:49:50.09+00:00
Really very surprised to see that there is no further update from MS on the resolution of this huge change worldwide.