Forum Discussion
Peter Holland
Dec 20, 2022 Iron Contributor
Intune Certificate Connector and OID 1.3.6.1.4.1.311.25.2
Hi, Way back in May when update KB5014754 broke cert auth for so many orgs it was identified that whilst RPC auto-enrolled certificates will get the new required OID the Intune certificate connector...
Cristian_Turcu_
Nov 15, 2023 Copper Contributor
Just updated the Intune PKCS certificate configuration to add a SAN attribute UPN with value {{UserPrincipalName}} and bang: authentication works. It seems that KB5014754 adds the requirement to have a SAN attribute that contains the UPN in the certificate, but I didn't find any reference for this. This will work until full enforcement is in place on February 11, 2025. Still waiting for a solution to provide strong certificates to users via Intune.
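Before the enforcement date mentioned above, it helps to know which issued certificates actually carry the OID this thread is about (1.3.6.1.4.1.311.25.2) and which only have a UPN in the SAN. The following PowerShell is an added example, not code from the thread or from Microsoft; it inventories the user and machine "My" stores using the standard .NET X509 API exposed through the Cert: drive. The function name and the SAN regex (which assumes an English-locale "Principal Name=" label in the decoded extension text) are my own choices.

```powershell
# Added example: audit certificate stores for the SID extension and a SAN UPN.
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'   # OID discussed in this thread (KB5014754)
$SanOid          = '2.5.29.17'              # standard Subject Alternative Name OID

function Test-CertMappingInventory {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Does the certificate carry the new SID extension at all?
    $hasSidExt = $null -ne ($Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq $SidExtensionOid })

    # Decode the SAN extension to text and pull out a UPN if one is present.
    # Assumption: English-locale formatting, where the UPN entry reads
    # "Principal Name=user@domain".
    $upn = $null
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) {
        $sanText = $san.Format($true)
        if ($sanText -match 'Principal Name=(\S+)') { $upn = $Matches[1] }
    }

    [pscustomobject]@{
        Subject         = $Certificate.Subject
        Thumbprint      = $Certificate.Thumbprint
        NotAfter        = $Certificate.NotAfter
        HasSidExtension = $hasSidExt
        SanUpn          = $upn
        # Per the thread: a SAN UPN alone keeps auth working only until full
        # enforcement, so the SID extension is the property worth tracking.
        NeedsAttention  = -not $hasSidExt
    }
}

# Walk both stores, keep only certs with a private key (the ones actually used
# for client auth), and list the ones that still lack the SID extension.
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
Get-ChildItem -Path $stores |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-CertMappingInventory -Certificate $_ } |
    Where-Object { $_.NeedsAttention } |
    Format-Table Subject, SanUpn, HasSidExtension, NotAfter -AutoSize
```

Run it in an elevated session if you want the LocalMachine store included; the resulting table is a quick way to see, per device, whether Intune-delivered certificates still rely on the SAN UPN only.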
SebCerazy
May 16, 2024 Iron Contributor
But one cannot (obviously) add CN={{UserPrincipalName}} to a DEVICE certificate (and that is what I use for WiFi Radius authentication)
- AndyDotPhillips Jul 02, 2024 Copper Contributor
For DEVICE/Machine based RADIUS, I believe that FQDN is what is required in the SAN and I also use FQDN for the CN. I have never gotten AD based auth to work with the device certificate, so I rely on CRL for authorization.
- SebCerazy Jul 03, 2024 Iron Contributor
You believe wrong. Nothing special is needed for machine auth in CN OR SAN
what matters is group membership for Radius policy AND SPN AD attribute
No idea what you mean: “…have never gotten AD based auth to work with the device certificate”
That just works, there is nothing to it if you have correct policy in place for WiFi
Seb
- Cristian_Turcu_ May 20, 2024 Copper Contributor
That's correct, but you can easily switch the Radius authentication to USER certificate
- SebCerazy May 20, 2024 Iron Contributor
I can do whatever, but that does not change anything, this OID still does not get to MSAD CA issued certificates
And user certificate is madness, as in the not-logged-in state the machine is actually NOT connected!