Check this link for help - https://community.spiceworks.com/topic/2357868-snap-ad-auth-failures-hp-bios-updates-tech-salaries-google-i-o
Manual certificate mapping for Windows device EventID39
Hello,
I am trying to manually map the ADCS-issued computer certificate to the "altSecurityIdentities" attribute of the computer object in Active Directory, following the information found in "KB5014754—Certificate-based authentication changes on Windows domain controllers".
After mapping, I still found the Event ID 39 warning for some computer objects. I verified the serial number of the computer certificate; it is the same as what I entered in the "altSecurityIdentities" attribute, and the only difference is lower case. For sure, the serial number in the "altSecurityIdentities" attribute is in reverse order.
Please help by giving me some information to address this issue.
Thanks in advance.
2 answers
Limitless Technology 44,746 Reputation points
2023-04-27T14:42:25.28+00:00
Hello there,
Event ID 39 - Source: Kerberos-Key-Distribution-Center
The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID).
The new extension will appear only in certificates issued AFTER applying the KB article to the CA server. Existing certificates remain unchanged. Keep in mind that the SID extension is included in certificates that are issued against online templates (where the subject is built from AD). Certificates issued against offline templates (where the subject is supplied from the request) will not contain the SID extension, because offline certificates do not map to devices in AD by default. It is unclear whether your certificate was issued against an online or offline template.
Similar discussion here
Hope this resolves your query!
--If the reply is helpful, please Upvote and Accept it as an answer--
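
For checking a manual mapping like the one described in the question, the following is an added example, not code from the thread or from Microsoft. It builds the X509IssuerSerialNumber form of "altSecurityIdentities" described in KB5014754 (issuer RDNs in reverse order, serial number reversed byte by byte) and reports how a stored value differs from it. The issuer and serial are constructed sample values, the function names are hypothetical, and comparing hex digits and issuer text case-insensitively is a choice of this example.

```python
import re

# Constructed sample values, not taken from the thread.
ISSUER = "CN=EXAMPLE-CA, DC=example, DC=test"   # as shown in the certificate
SERIAL = "5a 00 00 00 00 c3 0f 00 00 00 00 21"  # as shown in the certificate

def clean_serial(serial: str) -> str:
    """Strip spaces/colons copied from the certificate dialog; require whole bytes."""
    digits = re.sub(r"[\s:]", "", serial).upper()
    if not re.fullmatch(r"(?:[0-9A-F]{2})+", digits):
        raise ValueError("serial must be an even number of hex digits")
    return digits

def reverse_serial(serial: str) -> str:
    """Reverse the serial byte by byte (two hex digits at a time)."""
    digits = clean_serial(serial)
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    return "".join(reversed(pairs))

def reverse_issuer(issuer: str) -> str:
    """Reverse RDN order. Assumes no RDN value contains a comma."""
    return ",".join(reversed([rdn.strip() for rdn in issuer.split(",")]))

def build_mapping(issuer: str, serial: str) -> str:
    """Return the X509:<I>...<SR>... string for the given certificate fields."""
    return f"X509:<I>{reverse_issuer(issuer)}<SR>{reverse_serial(serial)}"

def diagnose(stored: str, issuer: str, serial: str) -> str:
    """Compare a stored altSecurityIdentities value with the certificate fields."""
    m = re.fullmatch(r"X509:<I>(.+)<SR>([0-9A-Fa-f]+)", stored.strip())
    if not m:
        return "malformed"
    got_issuer, got_sr = m.group(1), m.group(2).upper()
    display = clean_serial(serial)
    if got_sr != reverse_serial(serial):
        if got_sr == display:
            return "serial-not-reversed"           # copied in display order
        if got_sr == display[::-1]:
            return "serial-reversed-by-character"  # byte pairs were split
        return "serial-mismatch"
    if got_issuer.casefold() != reverse_issuer(issuer).casefold():
        return "issuer-mismatch"
    return "match"

if __name__ == "__main__":
    print(build_mapping(ISSUER, SERIAL))
```

A result of "match" only confirms the string is well formed for that certificate; Event ID 39 can still be logged if the computer authenticates with a different certificate than the one that was mapped.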