Intune Strong Mapping

Implementing strong mapping for SCEP and PKCS certificates in Intune using SCEPman.

Last updated 4 months ago

Currently Microsoft informs customers to double-check their PKIs: with the May 10, 2022 Windows update (KB5014754), Microsoft changed the Active Directory Kerberos Key Distribution Center (KDC) behavior in Windows Server 2008 and later to mitigate elevation-of-privilege vulnerabilities associated with certificate spoofing. We described the impact of this change when the vulnerability was originally disclosed.

Scope

First off, this vulnerability applies only to CAs whose certificates are published in the AD forest's NTAuth store. If you do not use your certificates to authenticate against your on-premises AD, you do not need to publish your CA certificate in the NTAuth store, and without it this attack does not apply to you. Note that Microsoft ADCS publishes its CA certificates in the NTAuth store by default.

For network authentication, the only NAC we know of that requires the CA certificate in the NTAuth store is Microsoft NPS. NACs that require neither on-prem authentication nor the NTAuth store include RADIUSaaS, Cisco ISE, and Aruba ClearPass. If you use certificates only for this use case, just make sure your CA certificate is not in your forest's NTAuth store, and you do not have to worry about strong certificate mapping.

If you do have a use case that requires your CA certificate in the NTAuth store, like our Domain Controller Certificates, you might still not want your end-user certificates to be used for on-prem authentication. In that case, you again do not need a strong certificate mapping for these certificates. Thus, you should enable Full Enforcement Mode but not add the on-prem SIDs to the certificates; the KDC will then reject any attempt to use those certificates for on-prem logon.

Only if you use your end certificates for on-prem authentication should you make sure SIDs are added. The most common examples of this use case are Microsoft NPS and certificate-based authentication to log on to on-prem VMs via RDP in order to avoid passwords.
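The three scope questions above (is the CA in the NTAuth store, which enforcement mode the KDC runs, and whether certificates without a SID are already being used for on-prem authentication) can be answered from a domain-joined admin workstation. The script below is an added example and not SCEPman's own tooling; it assumes the RSAT ActiveDirectory module, remote access to a domain controller's registry and System event log, and a placeholder thumbprint that you replace with your SCEPman root CA thumbprint.

```powershell
# Added example (not SCEPman's code): scope check for KB5014754 strong certificate mapping.
# Assumes RSAT (ActiveDirectory module), a domain-joined host, and rights to read a DC's
# registry and System log remotely. $ScepmanRootThumbprint is a placeholder value.
param(
    [string]$ScepmanRootThumbprint = 'REPLACE-WITH-SCEPMAN-ROOT-CA-THUMBPRINT',
    [string]$DomainController
)
Import-Module ActiveDirectory
if (-not $DomainController) {
    $DomainController = (Get-ADDomainController -Discover -Service KDC).HostName | Select-Object -First 1
}

# 1) CA certificates published in the forest's NTAuth store: only these are in scope for KB5014754.
$configNC = (Get-ADRootDSE).configurationNamingContext
$ntAuthDn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntAuth   = Get-ADObject -Identity $ntAuthDn -Properties cACertificate
$inNtAuth = foreach ($raw in $ntAuth.cACertificate) {
    # each cACertificate value is the DER encoding of one CA certificate
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    [pscustomobject]@{ Subject = $c.Subject; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter }
}
$inNtAuth | Format-Table -AutoSize
$wanted    = ($ScepmanRootThumbprint -replace '\s', '').ToUpperInvariant()
$published = $inNtAuth.Thumbprint -contains $wanted
Write-Host "SCEPman root CA in NTAuth store: $published"
if (-not $published) {
    Write-Host 'Certificates from this CA cannot be used for AD logon, so strong mapping is not required for them.'
}

# 2) KDC enforcement mode from the KB5014754 registry value on the DC:
#    0 = disabled, 1 = compatibility mode, 2 = full enforcement; absent means the OS default applies.
$mode = Invoke-Command -ComputerName $DomainController -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
        -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
}
$modeText = if ($null -eq $mode) { 'not set (OS default)' } else { $mode }
Write-Host "StrongCertificateBindingEnforcement on ${DomainController}: $modeText"

# 3) Since KB5014754 the KDC logs System events 39 (valid certificate without a strong mapping),
#    40 (certificate predates the account) and 41 (certificate SID differs from the account's SID).
#    Any of these on a DC means certificates without a SID are in use for on-prem authentication.
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 39, 40, 41
} -MaxEvents 50 -ErrorAction SilentlyContinue
if ($events) { $events | Select-Object TimeCreated, Id, MachineName, Message | Format-List }
else { Write-Host "No KDC strong-mapping events (39/40/41) found on $DomainController." }
```

Run the check against every domain controller, not just the one discovered by default: the registry value is per DC, and the events are logged on whichever DC handled the logon.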

Enabling Strong Certificate Mapping

To address the ADCS/KDC changes, Microsoft Intune can include the SID in enrolled certificates. You include the SID by adding a SAN of type URI with the value "{{OnPremisesSecurityIdentifier}}"; it then appears in the certificate like this:

URL=tag:microsoft.com,2022-09-14:sid:<value>

Microsoft rolled this feature out to all Microsoft Intune customers in October/November 2024.

SCEPman is ready for this change. No changes to SCEPman are required, only to the Intune configuration.

If you want to use this feature, you must update your SCEP configuration profiles in Intune according to Microsoft's instructions. We have tested that SCEPman supports this SAN format; it works with all SCEPman versions.

Alternatively, you can add a SID extension with SCEPman. This is how we addressed the KDC issue in July 2023, in the same way that on-premises ADCS does it. Therefore, SCEPman customers do not require the new SAN field, especially if they are already using the SID extension.

SCEPman customers can choose between the SID extension and the SID SAN value. The former requires a SCEPman configuration setting; the latter requires a change to the SCEP configuration profiles, as detailed above.
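Whichever form you choose, verify it on an issued certificate before enabling Full Enforcement Mode. The script below is an added example, not SCEPman's or Microsoft's code: it reads a certificate file (PEM or DER) and reports whether it carries the SID as the SAN URI that Intune emits from {{OnPremisesSecurityIdentifier}}, as the Microsoft security extension (OID 1.3.6.1.4.1.311.25.2) that ADCS and SCEPman's SID extension use, or both. The file path is a placeholder you supply.

```powershell
# Added example (not SCEPman's or Microsoft's code): report the strong-mapping form(s) in a certificate.
# Assumes a certificate file path (PEM or DER) is passed in; no other inputs.
param([Parameter(Mandatory)][string]$Path)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
# Domain account SIDs have the form S-1-5-21-<domain>-<RID>
$sidPattern = 'S-1-5-21-\d+-\d+-\d+-\d+'

# Form 1: SAN (OID 2.5.29.17) entry of type URI. Windows renders it as
#         URL=tag:microsoft.com,2022-09-14:sid:<SID>, so match on the tag rather than the prefix.
$sidFromSan = $null
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san -and ($san.Format($true) -match "tag:microsoft\.com,2022-09-14:sid:($sidPattern)")) {
    $sidFromSan = $Matches[1]
}

# Form 2: szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2). Its value is an OtherName whose
#         OCTET STRING holds the SID as ASCII text, so a pattern match over the raw DER
#         extracts it without a full ASN.1 parse.
$sidFromExt = $null
$ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' }
if ($ext -and ([System.Text.Encoding]::ASCII.GetString($ext.RawData) -match $sidPattern)) {
    $sidFromExt = $Matches[0]
}

[pscustomobject]@{
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    NotAfter         = $cert.NotAfter
    SidFromSanUri    = $sidFromSan
    SidFromExtension = $sidFromExt
    StronglyMappable = [bool]$sidFromSan -or [bool]$sidFromExt
}

if ($sidFromSan -and $sidFromExt -and ($sidFromSan -ne $sidFromExt)) {
    Write-Warning 'The SAN URI SID and the security-extension SID differ; check the Intune profile and the SCEPman SID setting.'
}
```

A certificate whose StronglyMappable value is false will be rejected for Kerberos logon once the KDC runs in Full Enforcement Mode, which is the intended outcome for certificates you do not want used on-prem and a misconfiguration for NPS or RDP certificates.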
