Forum Discussion
KB5014754 and EAP-TLS Machine Authentication
Hi jberg7120,
There is no way to use the altSecurityIdentifier attribute to create a strong mapping between a certificate and a computer object for machine authentication with EAP-TLS, without creating a user account for the device.
The altSecurityIdentifier attribute is only used for mapping user accounts to certificates. For machine authentication with EAP-TLS, you need to create a strong mapping between the certificate and the computer object in the userCertificateMappings attribute.
The userCertificateMappings attribute can only be populated with user accounts, not computer accounts. This is a security feature that prevents attackers from using stolen certificates to authenticate as computer accounts.
So, the only way to use the new machine authentication method in Windows Server 2022 and later with EAP-TLS is to create a user account for each device.
I understand that this is not ideal, but it is the only way to ensure that your network is secure.
Useful links that you can use:
- How to map a user to a certificate via all the methods available in the altSecurityIdentities attrib...: https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
- Windows Authentication Overview: https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-overview
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it a Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
jberg7120 (Copper Contributor), Oct 11, 2023:
Thanks Leon for the reply.
When I look at the attributes for both user objects and computer objects, I do see the attribute 'userCertificate' for both types. For some I see the attribute populated. If this were populated correctly, would that allow for device authentication with a strong mapping for devices if placed on a computer object?
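Added example, not from this thread and not Microsoft's own script: the PowerShell below builds two of the strong mapping strings that KB5014754 defines (X509IssuerSerialNumber and X509SKI) from an exported certificate and writes them into the altSecurityIdentities attribute of a computer object. Computer objects inherit altSecurityIdentities from the user class, so Set-ADComputer can write it directly; the userCertificate attribute discussed above only stores a published copy of the certificate and is not what the mapping logic reads. The file path, the computer name and the certificate contents are assumptions.

```powershell
<#
  Added example (not from this thread, not Microsoft's script): build the KB5014754
  "strong" altSecurityIdentities values for an exported certificate and stamp them on
  a computer object. Assumptions: the ActiveDirectory module is installed, you have
  write access to the computer object, $CertPath points at an exported certificate
  (.cer, DER or Base64) and $ComputerName is the computer's name without the trailing '$'.
#>
param(
    [string]$CertPath     = 'C:\temp\LAPTOP01.cer',   # assumption
    [string]$ComputerName = 'LAPTOP01',               # assumption
    [switch]$Apply                                    # without -Apply, only print the mappings
)

Import-Module ActiveDirectory -ErrorAction Stop

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# --- X509IssuerSerialNumber: X509:<I>issuer<SR>serial ------------------------------
# KB5014754 wants the issuer DN with its RDNs in reverse order and no spaces after the
# commas: "CN=CONTOSO-CA, DC=contoso, DC=com" becomes "DC=com,DC=contoso,CN=CONTOSO-CA".
# Splitting on commas is fine for typical CA names; a CA DN containing an escaped comma
# would need a real DN parser.
$rdns = $cert.Issuer -split ',\s*'
[array]::Reverse($rdns)
$issuer = $rdns -join ','

# The KB also wants the serial number in reversed byte order: take the hex string two
# characters at a time and reverse the pairs, e.g. "1200AC2B" -> "2BAC0012".
$pairs = @()
for ($i = 0; $i -lt $cert.SerialNumber.Length; $i += 2) {
    $pairs += $cert.SerialNumber.Substring($i, 2)
}
[array]::Reverse($pairs)
$serialReversed = $pairs -join ''

$mappings = @("X509:<I>$issuer<SR>$serialReversed")

# --- X509SKI: X509:<SKI>hex ----------------------------------------------------------
# Only available if the certificate carries a Subject Key Identifier extension (OID 2.5.29.14).
$skiExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
if ($skiExt) {
    $mappings += "X509:<SKI>$($skiExt.SubjectKeyIdentifier)"
}

Write-Host "Strong mappings for $($cert.Subject):"
$mappings | ForEach-Object { Write-Host "  $_" }

if ($Apply) {
    # -Add appends to any mappings already present; use -Replace to overwrite them.
    Set-ADComputer -Identity "$ComputerName`$" -Add @{ altSecurityIdentities = $mappings }

    # Read the attribute back so the result is visible.
    Get-ADComputer -Identity "$ComputerName`$" -Properties altSecurityIdentities |
        Select-Object Name, @{ n = 'altSecurityIdentities'; e = { $_.altSecurityIdentities -join '; ' } }
}
```

Run it once without -Apply and compare the printed X509:<I>...<SR>... string against the certificate's issuer and serial in certutil output before writing anything; the reversed serial is the step people most often get wrong. Either of the two values on its own satisfies the strong-mapping requirement in KB5014754, so when domain controllers reach Full Enforcement mode a device certificate from a non-AD CS issuer (for example a third-party or MDM-issued certificate, which has no SID extension) still authenticates against the computer object as long as one of them is present.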