KB5014754 Enforcement Mode

Anonymous
2024-12-04T09:53:28+00:00

Hello,

I wanted to test the enforcement mode for strong certificate mapping as described in KB5014754. On the DC, I've created the DWORD registry keys StrongCertificateBindingEnforcement and CertificateMappingMethods at the locations specified in KB5014754 with the values 2 and 0x18 respectively. After rebooting the system, when trying to authenticate with a certificate without strong certificate mapping, I still receive the warning "The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID)." in the event log and the authentication is not denied.

Am I missing anything to enforce the strong certificate mapping?


Locked question. This question was migrated from the Microsoft Support Community; user profiles for migrated questions are anonymized.


4 answers

  1. Anonymous
    2024-12-04T12:19:30+00:00

    Hello Samuel0,

    Thank you for posting in Microsoft Community forum.

    Do you mean no audit event logs are created on domain controllers for one month after installing the update on all the DCs and CA servers?

    So you select Take action 2 below?

    I can see above, by February 2025, if the StrongCertificateBindingEnforcement registry key is not configured, domain controllers will move to Full Enforcement mode.

    KB5014754: Certificate-based authentication changes on Windows domain controllers - Microsoft Support

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2024-12-04T12:35:29+00:00

    Hello,

    I want to activate the Full Enforcement Mode manually by modifying the specified registry keys for testing purposes.

  3. Anonymous
    2024-12-05T09:21:47+00:00

    Hello

    Thank you for your reply.

    • The SID Extension detection and validation used by the Strong Certificate Binding Enforcement has a dependency on the KDC registry key UseSubjectAltName value. The SID extension will be used if the registry value does not exist or if the value is set to a value of 0x1. The SID extension will not be used if UseSubjectAltName exists, and the value is set to 0x0.

    2 – Checks if there’s a strong certificate mapping. If yes, authentication is allowed. Otherwise, the KDC will check if the certificate has the new SID extension and validate it. If this extension is not present, authentication is denied.

    Please check if this extension is present, because authentication is not denied in your case.

    Best Regards,
    Daisy Zhou


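An added PowerShell check, not code from this thread or from Microsoft, that audits the registry values named in the question and the UseSubjectAltName dependency described in answer 3, and inspects a certificate for the SID extension that mode 2 falls back to. It assumes the registry paths KB5014754 documents (the Kdc service key and the Schannel key), the NTDS CA security extension OID 1.3.6.1.4.1.311.25.2, and a placeholder certificate path.

```powershell
# Added example: audit KB5014754 registry state on a DC and check a certificate
# for the SID security extension (szOID_NTDS_CA_SECURITY_EXT, 1.3.6.1.4.1.311.25.2).
$KdcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
$SidExtOid   = '1.3.6.1.4.1.311.25.2'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, so "not set" stays distinct from 0
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-CertBindingState {
    $enf = Get-RegDword $KdcKey 'StrongCertificateBindingEnforcement'
    $san = Get-RegDword $KdcKey 'UseSubjectAltName'
    $cmm = Get-RegDword $SchannelKey 'CertificateMappingMethods'
    # switch over $null runs no case, so handle "not set" explicitly
    $mode = if ($null -eq $enf) { 'Not set (KDC default applies)' } else {
        switch ($enf) {
            0       { 'Disabled' }
            1       { 'Compatibility (warning event logged, logon allowed)' }
            2       { 'Full Enforcement (denied without strong mapping or SID extension)' }
            default { "Unknown value $enf" }
        }
    }
    # Per answer 3: the SID extension is ignored only if UseSubjectAltName exists and is 0
    $sidHonoured = ($null -eq $san) -or ($san -eq 1)
    # Schannel mapping flags (0x18 in the question); they do not govern KDC enforcement
    $cmmHex = if ($null -ne $cmm) { '0x{0:X}' -f $cmm } else { $null }
    [pscustomobject]@{
        StrongCertificateBindingEnforcement = $enf
        KdcMode                             = $mode
        SidExtensionHonoured                = $sidHonoured
        CertificateMappingMethods           = $cmmHex
    }
}

function Test-CertHasSidExtension([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # A certificate carrying this extension is accepted in mode 2 without an explicit mapping
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $SidExtOid) { return $true }
    }
    return $false
}

# Usage: run on the DC, then point at the client certificate under test (placeholder path)
Get-CertBindingState | Format-List
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\testuser.cer'
"Certificate has SID extension: $(Test-CertHasSidExtension $cert)"
```

If KdcMode reports Full Enforcement and the certificate has the SID extension, the logon is expected to succeed; if the mode reads as not set, the value was written to the wrong key or hive.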
  4. Anonymous
    2024-12-23T15:42:33+00:00

    What should we do if none of our Domain controllers (2019) show the Reg key or that the hotfix installed? We update our servers every month, not sure why none of them received the update. I manually downloaded KB5025229 and it prompted that "The Update is not applicable to your computer".

    Thank you

    Tom
