Where can i catch up on this webinar as i missed the original time and date?
Webinar: Deadlines, Impact & Action: Certificate Based Authentication Changes (KB5014754)
Enjoy an hour of Pre-Recorded Live Q&A at our PKI Solutions “Office Hours.” – Deadlines Impact & Action: Certificate Based Authentication Changes (KB5014754)
Got a PKI Problem?
We can help! Learn more about custom PKI consulting and assessments.
Discover Consulting for Every PKI NeedTo address the threats from CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923, Microsoft will enforce strong mappings between an authentication certificate and the account object with a new Object Identifier Extension (OID) 1.3.6.1.4.1.311.25.2. Microsoft is phasing in changes to how certificates are mapped to Windows accounts.
These changes will cause authentication failures with certificates issued using client authentication and not using Active Directory to supply subject information. ADCS CAs, non-ADCS CAs, Managed PKIs, Public CAs, and Standalone CAs will be impacted. These offline certificate requests are how all MDM issue certificates, including NDES and Intune. Smart Cards are often offline requests which will impact federal and civilian orgs using CAC and LACS cards.
If you are facing challenges with your PKI and have issues with the enforcement of these changes we are here to help.
– Shawn Rabourn, CTO, PKI Solutions
– Mark B. Cooper, president and founder, PKI Solutions, aka The PKI Guy
Feel free to send your questions in advance to thepkiguy@pkisolutions.com.
The Webinar followed this agenda:
- What this KB is all about -> what are the changes?
- issues and vulnerabilities the changes intend to solve
- Controls and mechanisms MS has provided to manage this
- Things that Microsoft did not consider but you need to
Questions & Answers
Q: How can I verify if the new OID has been added?
A: You can interrogate the certificate template for the addition of the 0x80000 msPKI-enrollment-flag using certutil –v –dstemplate {templateName} where {templateName} is the certificate template name. The presence of the –v in the command will help with the expansion of the attribute.
Q: Is the “disabled mode” removed using windows update or is it already counting down?
A: The binaries will be updated in the security update. The presumption on deadline assumes update installation on the release day.
Q: My Company recently did Security Assessment. One of the PKI vulnerabilities was for: Active Directory Certificate Service Privilege Escalation – ESC9. We have 9 templates flagged. All of these templates allow for manually supplying Subject Name in the request. This is necessary for custom Web Certificates which don’t get directly mapped to a user or computer account. I noticed these templates DO NOT get the new OID extension for strong mapping. Will these types of custom certificates be impacted when enforcement is enabled in November 2023?
A: Server authentication certificates are outside of the use case for strong mapping. Also if you want to know how PKI Spotlight checks for exploitable mis-configurations check this video out:
Q: Am I correct a query of all DCs for the 3 event IDs 39, 40 & 41 source Kdcsvc per the URL below give us concrete evidence if certificates are even being presented to our DCs? In short, a way to determine if the certificates are even being used at this time in this fashion as we also query the CA issued certs for the attributes in user type issued certificates. https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
A: On Windows 2012 and later DCs with the update, the events will show up if the criterium for the events is met. Querying on those three events would give a pretty good idea of who would have issues if they continued to access resources in the same fashion.
I could imagine use cases where users have existing certificates (e.g. on smart cards) before their AD account is created (which might be used for logon via explicit mapping)
Q: It seems Exchange is (was?) constraining the explicit mapping that you could use. Is this still the case? are the strong mappings all supported by Exchange?
Would you see those errors on the CA or only KDC?
A: Kdcsvc runs only on Domain Controllers. Hopefully your Domain Controllers are not on the same servers as your Certificate Authorities.
Q: How do you turn off inclusion of the 1.3.6.1.4.1.311.25.2 in issued certificates? What was the flag? Is it on the template or the CA?
A: You can run the command certutil -dstemplate {templateName} msPKI-Enrollment-Flag -0x00080000 where {templateName} is the name of the template you want to suppress the OID.
Q: Is this OID unique? Are there other OIDs that should be added to other types of certificates? Is there a document that can be referenced?
A: Yes, they are unique. OIDs are registered with IANA (https://www.iana.org/)
Q: What is the best way to identify / validate that you have the patch installed given it could be applied in one of the security or cumulative updates in the future after May?
A: The best way to determine patch level is the version number on the DLL or EXE patched. For Windows Server 2022, the version number for many of the binaries released in that release is 10.0.20348.677
Q: Can you repeat what breaks in April?
A: Disabled Mode for Strong binding enforcement
Mark B. Cooper
President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.
View All Posts by Mark B. CooperComments
-
-
We posted the final video on this page. 🙂
-
-
I think there is to much panic about April 11. It affects you only if you have certificates which were issued before creating user accounts and if you have logs with ID 40 (Certificate predates account) which confirms it. Its very uncommon situation. So, according to Microsoft statements, and if you only have logs ID 39 (No strong mapping), on April 11 nothing changes to you and only November 14 is important date, because till then compatibility mode will be still active. Please correct me if I misunderstood anything.
-
Bringing a certificate to a net new account is, in-theory, a rare occurrence. However, it is entirely possible so it needs to be addressed in order to facilitate anyone using the fringe case.
-
-
Speaking of fringe cases, what about DC’s where you use Offline Cert for Alternative SAN? The OID will not be added here. Seems to be a bit of an oversight on MS’s part?