Server 2025 Domain not honoring "Allow name-based strong mappings for certificates" GPO setting

Anonymous
2025-01-18T15:07:33+00:00

I am working to harden a Citrix FAS smartcard environment per the Microsoft recommendations, and I have found that the "Allow name-based strong mappings for certificates" GPO setting is not being honored on Server 2025 domain controllers.

If I use the Strong entry on the altSecurityIdentities of

X509:<I>DC=LAB,DC=HOME,CN=HOME-DC<SR>5f0000000000029eb094b7a72c665f00000017

logins work correctly, EVEN WITH the above GPO set to Policy Tuple Example 1 pasted below.

Policy tuple example 1

Use this policy tuple to allow a strong mapping via Issuer/SubjectName AltSecID. 

fe40a3146d935dc248504d2dcd960d15c4542e6e; 2.16.840.1.101.3.2.1.3.45;IssuerSubject

So my name mapping used this entry 5f7df4fbb9fd634f895e5a8459a432deb1843409;1.3.6.1.4.1.311.25.2;IssuerSubject which is the Thumbprint of the CA issuing the user certificates, the SID OID, and the IssuerSubject wildcard.

HOWEVER, if I change the altSecurityIdentities entry to match the Issuer/Subject form the GPO is looking for, it doesn't map the weaker ISSUERSUBJECT as an allowed login method. The entry for my user was the following.

X509:<I>DC=LAB,DC=HOME,CN=HOME-DC<S>DC=LAB,DC=HOME,CN=Lab Users,CN=Jeff Riechers

So it looks like Server 2025 AD is not reading that GPO correctly and allowing the modified weaker entry for authentication.

If I re-enable the UseSubjectAltName, authentication works fine with the StrongCertificateBindingEnforcement set to 2. But trying to do any of these name mappings with the above GPO fails, but setting the built-in X509SKI or X509IssuerSerialNumber works fine.

Citrix FAS has short lived certificates for security, so since these entries get randomly generated at creation, we need to use an alternate "weaker" entry that is tied to the user common name.


14 answers

  1. Anonymous
    2025-01-21T13:22:54+00:00

    Correct. According to the documentation that is what that GPO is for, the ability to upgrade a Weak option to be treated as strong.

  2. Anonymous
    2025-01-22T14:19:11+00:00

    Hello

    Greetings!

    1. Did you configure the group policy below on domain computers or on domain controllers?

    Computer Configuration > Administrative Template > System > KDC > “Allow name-based strong mappings for certificates”.

    I think it should be applied to domain controllers.

    2. <Issuer CA Certificate Thumbprint>;<OID(s)>;<IssuerSubject/UpnSuffix=()>

    Is the OID related to domain use object?
    How did you get the OID?

    3. Based on the information below, please check whether the certificate has any of the specified OIDs.

    Flow chart illustrating the logic of strong name-based mapping configuration. The chart starts with a decision diamond asking if the certificate's Issuer Certificate Thumbprint matches the specified thumbprint. If yes, it proceeds to check if the certificate has any of the specified OIDs. If both conditions are met, it allows a strong mapping for the certificate based on either Issuer/SubjectName AltSecID or UPNSuffix, depending on the configuration.

    This certificate should be issued to one domain user object and the OID should be related to this domain user object, am I right?

    4. The below tuple would allow a certificate logon which passes checks (1) and (2) issued to the user Bob, if the AD object for Bob has the Issuer/SubjectName AltSecID correctly configured for the certificate.

    How did you configure the Issuer/SubjectName AltSecID for the certificate?

    Did you set altSecurityIdentities value for the specific domain user object?

    5. You can try to change "X509:<I>DC=LAB,DC=HOME,CN=HOME-DC<S>DC=LAB,DC=HOME,CN=Lab Users,CN=Jeff Riechers" to "X509:<I>HOME-DC.LAB.HOME<S>Jeff Riechers.LAB.HOME", then check if it helps.

    “X509:<I>IssuerName<S>SubjectName”

    My doubt is if there is a space or any symbol (e.g. comma) between IssuerName and SubjectName?

    It seems it uses FQDN instead of DN.

    KB5014754: Certificate-based authentication changes on Windows domain controllers - Microsoft Support

    Best Regards,
    Daisy Zhou

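As an added illustration (not code from this thread or from Microsoft), a small Python model of the decision path discussed in the question and in the numbered points above: classify an altSecurityIdentities value, require an Issuer/Subject value to name the certificate's own issuer and subject in the reversed-DN form KB5014754 documents, and upgrade it to strong only when a policy tuple matches the issuer thumbprint and one of its OIDs is present in the certificate. The function names, the certificate dictionary and the sample values are assumptions of this example.

```python
# Constructed model of the checks this thread discusses; not Microsoft's KDC code.
# Tuple format from the question: "<CA thumbprint>;<OID,...>;IssuerSubject".
# altSecurityIdentities syntax from KB5014754: X509:<I>issuer<S>subject, DN parts reversed.
STRONG_TAGS = ("<SKI>", "<SR>", "<SHA1-PUKEY>")  # explicit mapping forms KB5014754 lists as strong

def parse_policy_tuple(tuple_str):
    """Split 'thumbprint;oid1,oid2;IssuerSubject' into (thumbprint, {oids}, kind)."""
    thumb, oids, kind = (p.strip() for p in tuple_str.split(";"))
    return thumb.lower(), {o.strip() for o in oids.split(",") if o.strip()}, kind

def to_altsecid_dn(x500_dn):
    """Reverse 'CN=HOME-DC,DC=HOME,DC=LAB' into the 'DC=LAB,DC=HOME,CN=HOME-DC' order."""
    return ",".join(reversed([c.strip() for c in x500_dn.split(",")]))

def mapping_kind(alt_sec_id):
    """Classify one altSecurityIdentities value: 'strong', 'issuersubject' or 'weak'."""
    if any(tag in alt_sec_id for tag in STRONG_TAGS):
        return "strong"
    if alt_sec_id.startswith("X509:<I>") and "<S>" in alt_sec_id:
        return "issuersubject"
    return "weak"

def kdc_accepts(cert, alt_sec_id, policy_tuples):
    """Decide whether a mapping satisfies StrongCertificateBindingEnforcement=2:
    strong forms pass; an Issuer/Subject form passes only if it names this certificate's
    issuer and subject AND a tuple (thumbprint match, OID present) upgrades it."""
    kind = mapping_kind(alt_sec_id)
    if kind == "strong":
        return True
    if kind != "issuersubject":
        return False
    expected = "X509:<I>%s<S>%s" % (to_altsecid_dn(cert["issuer"]), to_altsecid_dn(cert["subject"]))
    if alt_sec_id != expected:
        return False  # the mapping string does not describe this certificate at all
    for t in policy_tuples:
        thumb, oids, allowed = parse_policy_tuple(t)
        if allowed == "IssuerSubject" and thumb == cert["issuer_thumbprint"].lower() and oids & cert["oids"]:
            return True
    return False

# Constructed sample built from values quoted in the thread (subject as printed in the KDC event).
SAMPLE_CERT = {
    "issuer": "CN=HOME-DC,DC=HOME,DC=LAB",
    "subject": "CN=Jeff Riechers,OU=Lab Users,DC=HOME,DC=LAB",
    "issuer_thumbprint": "5F7DF4FBB9FD634F895E5A8459A432DEB1843409",
    "oids": {"1.3.6.1.4.1.311.25.2"},
}
TUPLES = ["5f7df4fbb9fd634f895e5a8459a432deb1843409;1.3.6.1.4.1.311.25.2;IssuerSubject"]
POSTED_MAPPING = "X509:<I>DC=LAB,DC=HOME,CN=HOME-DC<S>DC=LAB,DC=HOME,CN=Lab Users,CN=Jeff Riechers"
FIXED_MAPPING = "X509:<I>DC=LAB,DC=HOME,CN=HOME-DC<S>DC=LAB,DC=HOME,OU=Lab Users,CN=Jeff Riechers"
```

Note that the KDC event in answer 4 prints the subject with OU=Lab Users while the mapping in the question uses CN=Lab Users; the model rejects that mismatch before it ever consults the tuple, so comparing the reversed certificate DN against the stored value is the first check to run when such a mapping is refused.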
  3. Anonymous
    2025-01-22T16:03:30+00:00

    I will try without the commas, but I'm pretty sure I still need those.

  4. Anonymous
    2025-01-22T16:45:36+00:00

    No luck. Same failures. See this on the Machine I am logging into.

    Account For Which Logon Failed:

    Security ID:		NULL SID
    Account Name:		@@@CN=Jeff Riechers, OU=Lab Users, DC=HOME, DC=LAB
    Account Domain:		-

    And getting this on my AD.

    The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more.

      User: jriechers

      Certificate Subject: @@@CN=Jeff Riechers, OU=Lab Users, DC=HOME, DC=LAB

      Certificate Issuer: HOME-DC

      Certificate Serial Number: 170000007C276668E35199306F00000000007C

      Certificate Thumbprint: 53FCF5A11AFF7243EBBD4DF4AC188F9043082B98

      Certificate Issuance Policies:

  5. Anonymous
    2025-01-23T11:41:00+00:00

    Hello

    Greetings!

    Please check or confirm, one by one, the five points I mentioned above.

    Best Regards,
    Daisy Zhou
