Active Directory Strong Certificate Mapping Configuration


Microsoft's update KB5014754 changed how Active Directory domain controllers (the Kerberos KDC) map a presented certificate to the account it authenticates. Certificates must now be strongly mapped to an account, which closes elevation-of-privilege vulnerabilities in which a certificate could be spoofed to authenticate as a different account. It affects certificate-based authentication (such as Wi-Fi or Ethernet with 802.1X / EAP-TLS) that relies on user attributes in certificates issued through Active Directory Certificate Services (ADCS).

Important: Since the February 11, 2025 Windows update, domain controllers run in Full Enforcement mode by default. If a certificate cannot be strongly mapped to an Active Directory account, the KDC denies the authentication.

Enforcement Dates and Requirements

  • February 11, 2025 - Full Enforcement mode became the default (the StrongCertificateBindingEnforcement registry value on domain controllers can still select Compatibility mode until the next date)

  • September 10, 2025 - Compatibility mode is no longer supported; Full Enforcement is the only mode

  • Action Required - All certificates used for Active Directory authentication must carry the user's security identifier (SID) so the KDC can map them strongly. Microsoft accepts the SID either in its own certificate extension or as a URI in the Subject Alternative Name (SAN); the steps in this article add it to the SAN.
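Before changing any Library Items it is worth knowing which mode each domain controller is actually in and which certificate logons the KDC has already flagged as weakly mapped. The following is an added example, not code from the Kandji article or from Microsoft; the registry value and the event IDs are the ones KB5014754 documents, and the seven-day window is an arbitrary choice.

```powershell
# Added example, not code from the Kandji article or from Microsoft.
# Run elevated on each domain controller: reports the KDC enforcement mode and
# lists recent KDC events for certificates that lack a strong mapping.

$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$name   = 'StrongCertificateBindingEnforcement'
$value  = (Get-ItemProperty -Path $kdcKey -Name $name -ErrorAction SilentlyContinue).$name

if ($null -eq $value) {
    $mode = 'not set: Full Enforcement by default since the February 11, 2025 update'
} elseif ($value -eq 0) {
    $mode = 'Disabled: no strong-mapping checks (not a supported state after September 10, 2025)'
} elseif ($value -eq 1) {
    $mode = 'Compatibility: weakly mapped certificates still accepted, but logged'
} elseif ($value -eq 2) {
    $mode = 'Full Enforcement: weakly mapped certificates rejected'
} else {
    $mode = "unexpected value $value"
}
'{0}: {1} = {2}' -f $env:COMPUTERNAME, $name, $mode

# KDC events in the System log that identify certificates affected by enforcement:
#   39 - certificate valid but could not be strongly mapped to an account
#   40 - certificate predates the account it maps to and has no strong mapping
#   41 - SID carried in the certificate does not match the account it mapped to
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 39, 40, 41
    StartTime    = (Get-Date).AddDays(-7)   # arbitrary window; widen it for a full inventory
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    'No weak-mapping KDC events in the window.'
} else {
    $events | Group-Object Id | ForEach-Object { '{0} event(s) with ID {1}' -f $_.Count, $_.Name }

    # The first lines of each message name the account and the certificate presented,
    # which makes these events the list of certificates still needing reissue.
    $events | Sort-Object TimeCreated -Descending | Select-Object -First 20 |
        Select-Object TimeCreated, Id,
            @{ Name = 'Detail'; Expression = { (($_.Message -split "`r?`n") | Select-Object -First 4) -join ' | ' } } |
        Format-Table -Wrap
}
```

In Compatibility mode the event 39 entries are warnings for logons that still succeeded, so collecting them across all domain controllers before the cutover tells you which users' certificates have to be reissued first.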

Who Needs to Take Action?

This applies to customers using Microsoft ADCS for certificate-based authentication (such as Wi-Fi or Ethernet with 802.1X) that leverages user attributes in certificates.

Prerequisites

  1. Assign users to device records in Kandji before proceeding with certificate updates, so that the SID of each device's assigned user can be placed in that device's certificate.

  2. Update your AD CS Server to Microsoft .NET (Core) 8 or later (if you’re leveraging Kandji’s AD CS connector for certificates issued from AD CS).

Required Steps

Update Kandji ADCS Connector

This update is only required if you use Kandji's AD CS connector to issue certificates.

  1. In your Kandji tenant, navigate to Integrations > ADCS.

  2. Under Connectors, locate your connector(s).

  3. Click the (...) menu > Redownload Connector.

  4. Download and install version 1.0.0.6 of the Kandji ADCS Connector.
    (System Requirements: Microsoft .NET (Core) 8 or later is required for the updated connector.)

Update SCIM User Directory Integration

These steps apply to Microsoft Entra ID SCIM integrations, which must be configured to provision the user's on-premises SID to Kandji. Native Microsoft Entra ID integrations require no additional configuration.

  1. Navigate to the Microsoft Entra admin center > Applications > Enterprise Applications.

  2. Locate and open the SCIM app used with Kandji.

  3. Under Manage, select Provisioning.

  4. Under Manage, select Attribute Mapping (Preview).

  5. Select Provision Microsoft Entra ID Users.

  6. Scroll to the bottom, check the box to show advanced options.

  7. Click Edit attribute list for <customappsso>.

  8. Add a new field: onPremisesSecurityIdentifier (leave type as String).

  9. Click Save.

  10. Return to Attribute Mapping, scroll down and click Add New Mapping.

  11. Configure the mapping:

    • Mapping type: Direct (default)

    • Source attribute: onPremisesSecurityIdentifier

    • Target attribute: onPremisesSecurityIdentifier

  12. Click OK, then Save.

The onPremisesSecurityIdentifier attribute appears in Kandji user attributes after the next Entra ID SCIM sync (every 20 to 40 minutes). Entra ID populates this attribute only for users synchronized from on-premises Active Directory; cloud-only users have no on-premises SID and cannot be strongly mapped by this method.
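To confirm that Entra ID actually holds a SID for every user the SCIM mapping above is supposed to send, the following added example (not code from the Kandji article or from Microsoft) lists synced users whose onPremisesSecurityIdentifier is empty and counts cloud-only users. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account can be granted User.Read.All; the UPN at the end is a placeholder.

```powershell
# Added example, not code from the Kandji article or from Microsoft.
# Reports Entra ID users that cannot receive a SID through the SCIM mapping:
# synced users with an empty onPremisesSecurityIdentifier, and cloud-only users.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$props = 'Id', 'UserPrincipalName', 'OnPremisesSyncEnabled', 'OnPremisesSecurityIdentifier'
$users = @(Get-MgUser -All -Property $props)

$synced    = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
$cloudOnly = @($users | Where-Object { $_.OnPremisesSyncEnabled -ne $true })
$noSid     = @($synced | Where-Object { [string]::IsNullOrEmpty($_.OnPremisesSecurityIdentifier) })

'{0} users: {1} synced from on-prem AD ({2} of those without a SID), {3} cloud-only' -f $users.Count, $synced.Count, $noSid.Count, $cloudOnly.Count

# Synced users with no SID need attention in Entra Connect before Library Items are
# changed; cloud-only users cannot be mapped to an AD account at all.
$noSid | Select-Object UserPrincipalName, Id | Format-Table -AutoSize

# Spot-check the value SCIM will provision for one user (placeholder UPN).
$upn = 'jdoe@example.com'
(Get-MgUser -UserId $upn -Property 'OnPremisesSecurityIdentifier').OnPremisesSecurityIdentifier
```

The spot-check value should be the same S-1-5-21-... string that Get-ADUser reports as the account's SID in the on-premises domain; if it is not, the Entra Connect sync, not Kandji, is where to look.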

Update Certificate Library Items

For SCEP Certificate Library Items

  1. Locate existing SCEP Library Items used in your Blueprints.

  2. Click Edit on the item.

  3. In the Subject Alternative Name (SAN) section, click Add.

  4. Add a Uniform Resource Identifier SAN.

  5. Enter this value exactly: $ADCS_STRONG_MAPPING_ID.

  6. Click Save.

For Certificate Library Items using ADCS Connector

  1. Locate and open assigned Certificate Library Items used in your Blueprints.

  2. Click Edit.

  3. In the Subject Alternative Name (SAN) section, click Add.

  4. Add a Uniform Resource Identifier SAN.

  5. Enter this value exactly: $ADCS_STRONG_MAPPING_ID.

  6. Click Save.

For Wi-Fi or Ethernet Library Items using SCEP or ADCS certificates for EAP-TLS

  1. Locate and open assigned Wi-Fi or Ethernet Library Items used in your Blueprints.

  2. Click Edit.

  3. Scroll to the Identity Certificate section and click Configure.

  4. In the Subject Alternative Name (SAN) section, click Add.

  5. Add a Uniform Resource Identifier SAN.

  6. Enter this value exactly: $ADCS_STRONG_MAPPING_ID.

  7. Click Save.

Deployment and Certificate Reissuance

After updating Library Items:

  • Kandji automatically reissues certificates to devices assigned the updated Library Items through their Blueprints.

  • The new certificates contain the user's SID in the SAN, which satisfies Microsoft's strong certificate mapping requirement.

  • Wi-Fi or Ethernet Library Items whose identity certificate was reconfigured use the new certificates for EAP-TLS automatically.
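Rather than waiting for a user to fail 802.1X, verify one reissued certificate against its account before rolling the change out. The following added example (not code from the Kandji article or from Microsoft) takes a user certificate exported from a Mac and the matching sAMAccountName, checks that the SAN carries Microsoft's SID URI and that the SID equals the account's objectSid. It assumes that $ADCS_STRONG_MAPPING_ID expands to the URI form tag:microsoft.com,2022-09-14:sid:<SID>, the only SAN form KB5014754 documents for SID mapping, and that it runs on a domain-joined Windows host with the ActiveDirectory RSAT module; the certificate path and account name are placeholders.

```powershell
# Added example, not code from the Kandji article or from Microsoft.
# Verifies that an issued EAP-TLS user certificate is strongly mappable to the
# intended AD account via the SAN SID URI. $CertPath and $SamAccountName are
# placeholders; the certificate may be DER or PEM.
param(
    [string]$CertPath       = 'C:\temp\jdoe-eap-tls.cer',
    [string]$SamAccountName = 'jdoe'
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# The SAN extension is OID 2.5.29.17; Format($true) renders it as text, one name per line.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) {
    throw "No Subject Alternative Name extension in $CertPath; no SAN-based strong mapping is possible."
}
$sanText = $san.Format($true)

# Assumed SID URI form (KB5014754): tag:microsoft.com,2022-09-14:sid:S-1-5-21-...
$pattern = 'tag:microsoft\.com,2022-09-14:sid:(S-1-5-21(?:-\d+)+)'
$match   = [regex]::Match($sanText, $pattern)
if (-not $match.Success) {
    throw "SAN contains no SID URI, so the KDC cannot strongly map this certificate (event 39).`nSAN:`n$sanText"
}
$certSid = $match.Groups[1].Value

# The SID certificate extension (OID 1.3.6.1.4.1.311.25.2) is the other strong form
# Microsoft accepts; record whether the CA added it as well.
$hasSidExtension = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' })

$user  = Get-ADUser -Identity $SamAccountName -Properties whenCreated
$adSid = $user.SID.Value

[pscustomobject]@{
    Subject         = $cert.Subject
    NotBefore       = $cert.NotBefore        # a certificate older than its account fails outright when weakly mapped (event 40)
    AccountCreated  = $user.whenCreated
    CertificateSid  = $certSid
    AccountSid      = $adSid
    HasSidExtension = $hasSidExtension
    StrongMapping   = ($certSid -eq $adSid)  # a mismatch is what produces KDC event 41
}
```

On the Mac, security find-certificate -c '<certificate common name>' -p prints the certificate in PEM form, which this script accepts directly. StrongMapping should be True for every test device before the production Library Items are touched.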

Considerations

Incorrectly updating certificates used for network connectivity can cause devices to disconnect from the network.

Test these changes on a subset of devices using a test Blueprint with test Library Items before applying changes to production Library Items.