Support tip: Implementing strong mapping in Microsoft Intune certificates
Published Feb 09 2024 09:30 AM

03/18/24 Update: Based on customer feedback, we paused the rollout for this update. More information can be found below. Stay tuned to this blog for future updates on the release timeframe.

 

With the May 10, 2022 Windows update (KB5014754), changes were made to the Active Directory Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to mitigate elevation-of-privilege vulnerabilities associated with certificate spoofing. We’ve received feedback from customers wanting to understand how this affects certificates delivered by Intune. In February we began rolling out a solution to deliver SCEP certificates from Intune with strong mapping, with PKCS certificates to follow. However, based on customer feedback, we paused the rollout. Instead, we're working on an opt-in/opt-out model that gives customers control over whether the SID is included in the certificate for strong mapping, particularly in scenarios where they authenticate against the KDC with certificate-based authentication. This is expected to release by September 2024.

 

Enablement of certificate strong mapping in Active Directory

To address security concerns related to certificate spoofing, Windows introduced changes to the KDC that require a certificate presented for a user or computer object to be strongly mapped to that object in Active Directory. A strong mapping binds the certificate to the account through its security identifier (SID) or a CA-controlled identifier rather than through names alone, which is what makes the validation during certificate-based authentication more robust.

 

Various mapping options are allowed, including manual mapping (altSecurityIdentities on the user or computer object) and automatic mapping through a new certificate extension (object identifier 1.3.6.1.4.1.311.25.2) that carries the device or user SID; Active Directory Certificate Services (AD CS) adds this extension itself when it issues from an online certificate template, because it looks the requesting object up in Active Directory.

 

For manually mapped and offline certificates, which is how Intune delivers certificates to devices (AD CS does not look the object up and so cannot add the SID extension itself), a new strong mapping was introduced: a Subject Alternative Name (SAN) URI using the tag URI scheme, in the following format.

 

URL=tag:microsoft.com,2022-09-14:sid:<value>

 

When a user or device presents a certificate for Kerberos authentication, the KDC checks whether one of these mappings is present to verify that the certificate is strongly mapped to, and was issued for, the specific user or device account that is authenticating.

 

Intune implementation for ADCS/KDC strong mapping

To address the AD CS/KDC changes, we’re including the SID in certificates. The following prerequisites must be met for strong mapping to work. If they are not met, the certificate will not contain SID information when it is created or renewed, and certificate-based authentication will fail once strong mapping enforcement is enabled on the KDC. Intune takes the SID from the object's on-premises SID as synchronized to Microsoft Entra ID, so a user or device without an on-premises SID cannot receive it.

Strong mapping is currently supported for:

  • Windows 10
  • Windows 11
  • iOS
  • macOS
  • Android

Implementation for SCEP Certificates:

When Intune delivers SCEP certificates, it adds the strong-mapping information to the request automatically on every supported platform; no change to the SCEP profile and no admin involvement is required.


The KDC's mapping logic was updated to recognize a URI in the Subject Alternative Name (SAN), which works with SCEP because the SAN is supplied by the requester. Intune places the object's SID in this URI using the format "tag:microsoft.com,2022-09-14:sid:<OnPremisesObjectSIDValue>". The URI is part of the SCEP payload sent to the device over the mobile device management (MDM) channel, and the device includes it in the certificate request it submits to the CA.

 

[Screenshot: example of a certificate that has been issued with a SAN URI.]
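To see how an issued certificate can be checked for the mapping described above, here is an added example (not code from this post or from Intune): a PowerShell function that inspects certificates in the current user's personal store and reports whether each one is strongly mapped to a SID, either through the AD CS SID extension (OID 1.3.6.1.4.1.311.25.2) or through the SAN tag URI. The function name, the store path and the SID regular expression are this example's own choices, and the SAN text match relies on the Windows certificate formatter producing the "URL=..." line shown in the screenshot, so it is intended for PowerShell on Windows.

```powershell
# Added example, not Intune's code: report which certificates in the user's
# personal store are strongly mapped to a SID, and through which mechanism.

$SidExtensionOid = '1.3.6.1.4.1.311.25.2'      # szOID_NTDS_CA_SECURITY_EXT, added by AD CS online templates
$SanOid          = '2.5.29.17'                 # subjectAltName
$SidPattern      = 'S-1-5-21(?:-\d+){3}-\d+'   # domain SID plus RID (assumed shape for domain accounts)

function Get-CertificateStrongMapping {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $result = [pscustomobject]@{
            Subject        = $Certificate.Subject
            Thumbprint     = $Certificate.Thumbprint
            SidExtension   = $null   # SID carried in the 1.3.6.1.4.1.311.25.2 extension, if present
            SanSidUri      = $null   # tag URI carried in the SAN, if present
            StronglyMapped = $false
        }

        foreach ($ext in $Certificate.Extensions) {
            if ($ext.Oid.Value -eq $SidExtensionOid) {
                # The extension DER-encodes the SID as a plain ASCII string inside
                # nested tags, so decoding the raw bytes as ASCII and matching the
                # SID shape is sufficient for an audit check.
                $raw = [System.Text.Encoding]::ASCII.GetString($ext.RawData)
                if ($raw -match $SidPattern) { $result.SidExtension = $Matches[0] }
            }
            elseif ($ext.Oid.Value -eq $SanOid) {
                # Format($true) renders each SAN entry on its own line using the
                # Windows formatter, e.g. "URL=tag:microsoft.com,2022-09-14:sid:S-1-5-21-...".
                $text = $ext.Format($true)
                if ($text -match "URL=(tag:microsoft\.com,2022-09-14:sid:$SidPattern)") {
                    $result.SanSidUri = $Matches[1]
                }
            }
        }

        $result.StronglyMapped = [bool]($result.SidExtension -or $result.SanSidUri)
        $result
    }
}

# Usage: list certificates that have a private key and flag those the KDC will
# not treat as strongly mapped once enforcement is enabled. An explicit strong
# altSecurityIdentities mapping on the account would also satisfy the KDC, but
# that lives in Active Directory and is not visible from the certificate.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Get-CertificateStrongMapping |
    Format-Table Subject, StronglyMapped, SanSidUri, SidExtension -AutoSize
```

Run the same pipeline against Cert:\LocalMachine\My to audit device certificates. A certificate that shows neither value was issued before the change reached the device (or to an object without an on-premises SID) and will keep working only while the KDC is not in enforcement mode.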

 

Important: If you use a third-party certification authority (CA), ensure the CA does not reject, or silently strip from the issued certificate, requests that now include SID information in the SAN URI format described above.


While we’re working closely with partners to ensure readiness for all third-party certification authorities (CAs) and network access control (NAC) solutions, we recommend thorough testing of any applications, Intune-integrated CAs, NAC solutions and networking infrastructure where clients may use certificates for authentication, to confirm that the added SAN URI does not affect them. This change was being rolled out to all customers when this post was published; see the update at the top of this post for the current status.
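Because the recommendation above is to test CAs and NAC solutions before the change reaches production devices, here is an added example (not from this post or from Intune) that uses certreq on a Windows client to build a PKCS#10 request carrying the same SAN tag URI that Intune adds to its SCEP requests. The SID, UPN, subject and file paths are placeholders to replace with values from a test account; Intune's real SCEP request also carries whatever subject and SAN values the profile specifies, which this example does not reproduce.

```powershell
# Added example, not Intune's code: generate a test CSR that carries the
# strong-mapping SAN URI, for exercising a third-party CA or NAC lab.
# Placeholders: replace $Sid with the account's on-premises SID and $Upn with its UPN.

$Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'   # placeholder test SID
$Upn = 'testuser@contoso.com'                              # placeholder UPN
$SidUri = "tag:microsoft.com,2022-09-14:sid:$Sid"

# certreq INF: a client-authentication request whose SAN holds the UPN and the SID URI.
# The backticks keep "$Windows NT$" literal inside the double-quoted here-string.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Upn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0x80           ; digitalSignature
KeySpec = 1

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2   ; Client Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "upn=$Upn&"
_continue_ = "url=$SidUri"
"@

$infPath = Join-Path $env:TEMP 'sid-test.inf'
$csrPath = Join-Path $env:TEMP 'sid-test.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# certreq -new creates the key pair in the user's store and writes a base64 PKCS#10 request.
certreq -new $infPath $csrPath

# Confirm the SAN URI actually landed in the request before submitting it to the CA under test.
certreq -dump $csrPath | Select-String -Pattern 'URL=tag:microsoft.com,2022-09-14:sid:'
```

Submit sid-test.req to the CA under test (certreq -submit for AD CS, or the vendor's enrollment tool) and then dump the issued certificate the same way: a CA that strips the URI while still issuing breaks strong mapping even though enrollment appears to succeed. On AD CS, accept requester-supplied SANs only through a template set to supply the subject in the request, never by enabling the CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 flag, which lets any requester put an arbitrary SID URI (or UPN) in a certificate and is exactly the spoofing this change is meant to stop.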

 

Implementation for PKCS Certificates:

The implementation of PKCS certificates is currently in development. We are making steady progress and will be adding more details here as soon as they become available.

 

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam.

 

Post updates:

03/18/24: Based on customer feedback, we paused the rollout for this update. More information can be found above.

Last update: Mar 22 2024 02:37 PM