KB5014754: Certificate-based authentication changes on Windows domain controllers - KB not found for Server 2022 or 2019

Anonymous
2025-01-06T11:00:08+00:00

Hi Team,

This is regarding the update from Microsoft about the article KB5014754: Certificate-based authentication changes on Windows domain controllers.

As per the MS article, this update addresses critical security vulnerabilities (CVE-2022-34691, CVE-2022-26931, and CVE-2022-26923) that could potentially allow unauthorized privilege escalation through certificate-based authentication.

We have a Domain Controller (DC) running on Server 2022, and a PKI server running on Server 2019. Will this configuration have any impact on our environment? If so, what are the KB articles that address this issue for Server 2022 and Server 2019? As we see it, KB5014754 is applicable to Server 2012 and 2016 only.

Additionally, please clarify whether installing the KB article alone is sufficient, or if we also need to enable any audits to capture relevant events and take appropriate action.

Thanks

Fahad

This question was migrated from the Microsoft Support Community.

6 answers

  1. Anonymous
    2025-01-06T11:50:28+00:00

    Hello Fahad Noaman,

    Thank you for posting in Microsoft Community forum.

    "We have a Domain Controller (DC) running on Server 2022, and a PKI server running on Server 2019. Will this configuration have any impact on our environment? If so, what are the KB articles that address this issue for Server 2022 and Server 2019? As we see it, KB5014754 is applicable to Server 2012 and 2016 only."

    A1: I can see the article applies to Windows Server 2022 and Windows Server 2019.

    Additionally, please clarify whether installing the KB article alone is sufficient, or if we also need to enable any audits to capture relevant events and take appropriate action.

    A2: Yes, you can follow Microsoft's article instructions.

    KB5014754: Certificate-based authentication changes on Windows domain controllers - Microsoft Support

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2025-01-06T12:54:32+00:00

    Hi Daisy,

    Thank you for your previous response.

    Could you please confirm the necessary actions that should be taken after events 39, 40, and 41 are generated on DC?

    Best regards,

    Fahad

  3. Anonymous
    2025-01-07T09:15:02+00:00

    Hello

    Greetings!

    If you see Event ID 39 (or Event ID 41 for Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) before the September 10, 2025 Windows update:

    Suggestion:

    1. The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user through explicit mapping.

    2. You will have the option to set the registry key value back to 1 (Compatibility mode) at this stage.

    Event ID 40
    Certificate predates account

    The certificate was issued to the user before the user existed in Active Directory and no strong mapping could be found. This event is only logged when the KDC is in Compatibility mode.

    Suggestion:

    Reissue certificates to the users and Certificate mappings.

    Event ID 41
    User's SID does not match certificate SID

    The SID contained in the new extension of the user's certificate does not match the user's SID, implying that the certificate was issued to another user.

    Suggestion:

    1. Reissue certificates with the new SID extension and certificate mappings.

    2. If customers cannot reissue certificates with the new SID extension, we recommend that you create a manual mapping by using one of the strong mappings described above. You can do this by adding the appropriate mapping string to a user's altSecurityIdentities attribute in Active Directory.

    Best Regards,
    Daisy Zhou

  4. Anonymous
    2025-01-07T14:06:48+00:00

    Hello Daisy Zhou,

    Thank you for the detailed answer above. Could you also assist me in finding a list of users and provide guidance on how to fix the certificate issue for these users using a script or any other suitable method?

    Thanks

    Fahad

  5. Anonymous
    2025-01-08T11:24:44+00:00

    Hello

    Greetings!

    For finding a list of users, you can check for Event ID 39, 40, or 41.

    You should reissue certificates if needed and set certificate mappings manually.

    Or set the altSecurityIdentities attribute in Active Directory.

    Best Regards,
    Daisy Zhou

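The two answers above (the Event ID 39/40/41 explanation and the advice to list affected users and set altSecurityIdentities) describe a procedure without showing it. The script below is an added example, not from the thread or from Microsoft's KB: it pulls the KDC events from a DC's System log, builds the X509IssuerSerialNumber strong mapping string documented in KB5014754 from a user's certificate file, and writes it to the account. It assumes the ActiveDirectory module is present, the provider name used for the KDC events, a .cer file per user, and the reversed-byte serial / reversed-RDN issuer format given in the KB example.

```powershell
# Added example (not the thread's or Microsoft's code). Assumes: run on a domain controller with
# the ActiveDirectory module; KDC events 39/40/41 land in the System log under the provider
# below; the user's certificate is available as a .cer file; and the mapping follows the
# X509IssuerSerialNumber form from KB5014754 (<I> issuer, <SR> serial in reversed byte order).

# 1. Collect the accounts the KDC could only map weakly (Event IDs 39, 40, 41).
function Get-WeakCertMappingEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Keep the ID and message; the message body names the user and the certificate.
        [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Message = $_.Message }
    }
}

# 2. Build the strong mapping string for one certificate.
function Get-StrongCertMapping {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

    # KB5014754 wants the serial in reversed byte order: "2B00...0012" becomes "1200...002B".
    $hex   = $cert.SerialNumber
    $pairs = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($pairs)
    $serialReversed = -join $pairs

    # Issuer DN with RDNs in reverse order and no spaces: "CN=CA, DC=contoso, DC=com"
    # becomes "DC=com,DC=contoso,CN=CA". Plain split; escaped commas in a DN need extra care.
    $rdns = @($cert.Issuer -split ',\s*')
    [array]::Reverse($rdns)
    $issuerReversed = $rdns -join ','

    "X509:<I>$issuerReversed<SR>$serialReversed"
}

# 3. Append the mapping to the user's altSecurityIdentities (-Add appends; -Replace overwrites)
#    and read the attribute back so the result can be verified.
function Set-StrongCertMapping {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$CertPath)
    $mapping = Get-StrongCertMapping -CertPath $CertPath
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    (Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
}

# Usage: Get-WeakCertMappingEvents | Format-Table Time, EventId -Wrap
#        Set-StrongCertMapping -SamAccountName 'jdoe' -CertPath 'C:\certs\jdoe.cer'   # hypothetical user/path
```

After the mapping is in place, the KDC should stop logging Event ID 39 for that user; if the event persists, compare the string written with the issuer and serial shown in the certificate's details, since a single reversed byte pair off makes the mapping silently fail to match.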