KB5014754 - ADCS

Anonymous
2023-10-16T15:30:28+00:00

Hello all,

My servers have the latest Windows updates. I still do not see the Object Identifier (OID) (1.3.6.1.4.1.311.25.2) which was supposed to be added to new certificates automatically according to KB5014754: Certificate-based authentication changes on Windows domain controllers - Microsoft Support

Any suggestions?

Thank you

Brian




5 answers

  1. Anonymous
    2023-10-17T03:46:13+00:00

    Hello Brian23_23,

    Thank you for posting in Microsoft Community forum.

    1. Is your CA server a Windows Enterprise CA?

    2. Do you issue certificates using a certificate template?

    You can try to check:

    1. Verify that the KB5014754 update has been installed correctly on your server. You can do this by checking the update history in the Windows Update settings.
    2. Check the Certificate Templates on your server to ensure that the OID has been added to the template. You can do this by opening the Certificate Templates console and checking the properties of the template.
    3. Verify that the OID is being added to existing certificates. You can do this by checking the properties of an existing certificate that was issued after the KB5014754 update was installed.
    4. If the OID is still not being added to new certificates, try restarting the Active Directory Certificate Services (ADCS) service on your server.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou

  2. Anonymous
    2023-10-17T12:46:12+00:00

    Daisy,

    Yes, it is a Windows Enterprise CA. We use a template to issue certificates.

    The server has the September 2023 Windows update. I think that also includes KB5014754; I do not need to install it manually, right?

    When I click on "View Object identifiers", I do not see the OID on the certificate template.

    I have restarted the server a couple of times, still the same.

    Thanks

    Brian

  3. Anonymous
    2023-10-18T08:54:56+00:00

    Hello Brian23_23,

    Thank you for your reply.

    Where is "View Object identifiers" on certificate template?

    You can check OID as below.

    Best Regards,
    Daisy Zhou

  4. Anonymous
    2023-10-19T02:26:05+00:00

    This is what it shows under certificate template Information:

    "Object identifier: 1.3.6.1.4.1.311.21.8.12138963.12639489.12076195.9971796.13789331.162.5187648.12301347
    Subject type: Computer"

    I do not see "1.3.6.1.4.1.311.25.2" which was mentioned on KB5014754.

    Thanks

    Brian

  5. Anonymous
    2023-10-19T02:56:36+00:00

    Hello Brian23_23,

    Thank you for your reply.

    All the latest patches must be installed on DC role computers and on infrastructure servers that pass the machine certificate from the client to the DC for authentication (think NPS servers, web servers, PKI servers). Then issue a new certificate, and the OID will be included on new certificates.


    Best Regards,
    Daisy Zhou

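Step 3 of the first answer and the last answer both come down to the same check: look at the certificates the CA has actually issued and see whether extension OID 1.3.6.1.4.1.311.25.2 (szOID_NTDS_CA_SECURITY_EXT) is present. The extension is written into each issued certificate by a patched Enterprise CA; it is not part of the template definition, so it will never appear under the template's object identifiers, which is where the question was looking. The PowerShell below is an added example, not code from this thread or from Microsoft: it walks the local machine's personal store and reports, per certificate, the template it came from, whether the SID extension is present, and the SID it carries. The store path, function names and output columns are choices made here; the template OIDs (1.3.6.1.4.1.311.21.7 and 1.3.6.1.4.1.311.20.2) are the standard Windows template-information extensions.

```powershell
# Added example (not from the thread): report which certificates in the local
# machine store carry the SID extension that KB5014754 adds to newly issued
# certificates. Run on a domain member after the CA has been patched and a
# certificate has been re-enrolled or renewed.
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'   # szOID_NTDS_CA_SECURITY_EXT
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

function Get-SidFromExtension {
    param([System.Security.Cryptography.X509Certificates.X509Extension]$Extension)
    # The extension body is DER wrapping an OCTET STRING that holds the SID as
    # text, so pulling the "S-1-5-21-..." run out of the raw bytes is enough
    # for a report (a full DER decoder is not needed to answer "which account").
    $text = [System.Text.Encoding]::ASCII.GetString($Extension.RawData)
    if ($text -match 'S-1-5-21(-\d+)+') { return $Matches[0] }
    return $null
}

function Get-CertificateSidReport {
    # Store path is an assumption; change it to inspect another store
    # (for example Cert:\CurrentUser\My for user certificates).
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert    = $_
        $sidExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid }
        $tmplExt = $cert.Extensions |
            Where-Object { $_.Oid.Value -in @($TemplateInfoOid, $TemplateNameOid) } |
            Select-Object -First 1

        # Format($false) renders the template extension the same way the
        # certificate properties dialog does (template name/OID and version).
        $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }
        $sid      = if ($sidExt)  { Get-SidFromExtension -Extension $sidExt } else { $null }

        [pscustomobject]@{
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotBefore       = $cert.NotBefore
            Thumbprint      = $cert.Thumbprint
            Template        = $template
            HasSidExtension = [bool]$sidExt
            Sid             = $sid
        }
    }
}

# Usage: every certificate, newest first, with the extension flag and SID.
Get-CertificateSidReport | Sort-Object NotBefore -Descending |
    Format-Table Subject, NotBefore, Template, HasSidExtension, Sid -AutoSize

# Usage: only the certificates that still lack the extension. Anything issued
# before the CA was patched will land here; as the last answer says, these
# need a new certificate rather than a change to the template.
Get-CertificateSidReport | Where-Object { -not $_.HasSidExtension } |
    Select-Object Subject, NotBefore, Issuer, Template
```

Comparing the NotBefore column against the date the CA received the September 2023 update is the quickest way to tell the two cases apart: a certificate with a NotBefore after the patch date and no SID extension points at the CA (wrong template type, or the extension disabled on the CA), while certificates from before the patch date are simply old and only need re-enrollment.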