Blog Post

Public Sector Blog
6 MIN READ

Enable strong name-based mapping in government scenarios

ToastToast's avatar
ToastToast
Icon for Microsoft rankMicrosoft
Sep 10, 2024

If you work in smartcard federated authentication environments, here’s a much-anticipated security feature for you. Starting with the September 10, 2024 Windows security update, you can use strong name-based mapping on Windows Server 2019 and newer. This feature helps you with the hardening changes for certificate-based authentication on Windows domain controllers. 

 

What are weak and strong mappings in Active Directory? 

All certificate names must be correctly mapped onto the intended user account in Active Directory (AD). If there’s a likelihood that they aren’t, we call these mappings weak. Weak mappings give rise to security vulnerabilities and demand hardening measures such as Certificate-based authentication changes on Windows domain controllers.  

 

Following up on our May 2022 round of updates to address these vulnerabilities, we’re introducing a new feature called strong name-based mapping. You can now distinguish between “strong” and “weak” mappings within existing Alternative Security Identities (AltSecIDs) based on likelihood. With the new feature, you can allow some weak name-based mappings to be treated as strong name-based mappings. You just need to properly configure both the public key infrastructure (PKI) and the AD deployment. 

 

Key features and benefits of strong name-based mapping 

Strong name-based mapping has two main benefits: 

  • Compliance with strong certificate mapping enforcement. Strong name-based mapping allows certain weak certificate mappings, such as Issuer/Subject AltSecID and User Principal Names (UPN) mappings, to be treated as strong mappings. This type of strong mapping is compatible with the enforcement mode of certificate-based authentication changes on Windows domain controllers 
  • Compatibility with government PKI deployments. Strong name-based mappings work by asking PKI deployments to attest certain security guarantees of certificates via object identifiers (OIDs) stamped on the certificate. It’s a common practice among government PKI and AD deployments.  

Security requirements for PKI deployments for strong name-based mapping 

Warning  

Unless you have a strong need for this type of deployment AND have a deep knowledge of how PKI deployments and AD authentication interact together, we DO NOT recommend deploying strong name-based mapping. We instead recommend that you following the guidance in KB5014754: Certificate-based authentication changes on Windows domain controllers.  

 

 

Fundamentally, strong name-based mapping deployment is your promise to Microsoft that your PKI is not susceptible to the attacks addressed by May 2022 and later updates. Namely, you take responsibility for the vulnerabilities that can arise from any unintentional mapping of the names in a certificate to multiple AD accounts. 

 

To prevent unintentional and unsafe mappings, we recommend that you take steps to strengthen your PKI and AD deployments. Some of these steps include:  

  • Names used in either the Subject Name and/or the Subject Alternative Name of certificates MUST NOT contain names that are queried and/or built from AD. 
  • Names used in either the Subject Name and/or the Subject Alternative Name of certificates MUST be both immutable and globally unique to the entire PKI deployment.  
  • AD and PKI administrators must ensure that certificate issuance for logons is not automatic. Instead, ensure that strong manual checks are in place to prevent a certificate with an incorrect or clashing name from being issued.  

Failing to secure your PKI and AD deployments can degrade the security of your environment.  

 

If your PKI meets or exceeds these security requirements, you MUST add an OID in the Issuance Policy of the certificate to denote this compliance. This OID (or multiple OIDs) will be used further below in the strong name-based mapping configuration.  

 

Setup instructions 

To enable strong name-based mapping on Windows Server 2019 and later, you need to take the following steps: 

  1. Enable the Group Policy (GPO) Setting on the Domain Controllers: 
    Computer Configuration > Administrative Template > System > KDC > “Allow name-based strong mappings for certificates” 
  2. Configure the GPO with the necessary tuples (more details below). 

This configuration relies on adding tuples to the GPO when strong name-based mapping is enabled. These tuples tell the Domain Controller which certificates meet the above security requirements by specifying both the Issuer certificate authority (CA) thumbprint and the OID(s) that denote that the PKI deployment is secured against the May 2022 vulnerabilities. Furthermore, the tuples also configure which “weak” name-based mappings can be upgraded to “strong” name-based mappings.  

 

The tuple is in the following format: 
 
<Issuer CA Certificate Thumbprint>;<OID(s)>;<IssuerSubject/UpnSuffix=()> 

  1. Issuer CA Certificate Thumbprint: This is the certificate thumbprint of the Issuing CA. There can only be one Issuer CA Thumbprint in this field. If multiple Issuer CA Thumbprints are placed, it can prevent proper processing of the GPO policy. 
  2. OID(s): This is a comma-separated list of OIDs that the PKI deployment has stamped on the certificate to attest that the security requirements against name collisions have been met. There can be multiple OIDs denoted in this field.  
  3. IssuerSubject/UpnSuffix: This is a comma-separated list to denote what type of weak mapping should be treated as strong: 
    1. IssuerSubject: This string behaves as a tag to denote that the Issuer/SubjectName AltSecID can be upgraded from “weak” to “strong.” There can only be one IssuerSubject tag in this field.  
    2. UPNSuffix: This string denotes that certificate mappings can be upgraded form “weak” to “strong” wherever the UPN suffix of the SubjectName (that is, everything that comes after the @ symbol) matches the suffix in the tuple exactly. There can be multiple UPN suffixes in this field.  

The logic of the tuple is the following. For certificates whose Issuer is X that has any of the OID(s) Y, upgrade any of the weak mappings C to “strong.” This logic is summarized in the diagram. 

 

Flow chart illustrating the logic of strong name-based mapping configuration. The chart starts with a decision diamond asking if the certificate's Issuer Certificate Thumbprint matches the specified thumbprint. If yes, it proceeds to check if the certificate has any of the specified OIDs. If both conditions are met, it allows a strong mapping for the certificate based on either Issuer/SubjectName AltSecID or UPNSuffix, depending on the configuration.

 

Two important configuration details are required for UPN Suffix mapping to work: 

  • Certificates must have the UPN of the user in the SAN. 
  • Mapping via UPNs has not been disabled via UseSubjectAltName. 

 

How to use and understand policy tuples: a walkthrough 

 

Policy tuple example 1 

Use this policy tuple to allow a strong mapping via Issuer/SubjectName AltSecID. 

fe40a3146d935dc248504d2dcd960d15c4542e6e; 2.16.840.1.101.3.2.1.3.45;IssuerSubject 

 

  1. For certificates whose Issuer Certificate Thumbprint is fe40a3146d935dc248504d2dcd960d15c4542e6e, and 
  2. The certificate has the OID 2.16.840.1.101.3.2.1.3.45, 
  3. Allow a strong mapping if the certificate is mapped via Issuer/SubjectName AltSecID. 

This tuple would allow a certificate logon which passes checks (1) and (2) issued to the user Bob, if the AD object for Bob has the Issuer/SubjectName AltSecID correctly configured for the certificate.  

 

Policy tuple example 2 

Use this policy tuple to allow a strong mapping via a specified UPNSuffix. 

fe40a3146d935dc248504d2dcd960d15c4542e6e; 2.16.840.1.101.3.2.1.3.45;UPNSuffix=corp.contoso.com 

 

  1. For certificates whose Issuer Certificate Thumbprint is fe40a3146d935dc248504d2dcd960d15c4542e6e, and 
  2. The certificate has the OID 2.16.840.1.101.3.2.1.3.45, 
  3. Allow a strong mapping if the certificate is mapped via UPNSuffix, which should be “corp.contoso.com.”  

This tuple would allow a certificate logon which passes checks (1) and (2) issued to the user Bob, if the AD object for Bob has the Issuer/SubjectName AltSecID correctly configured for the certificate.  

 

Policy tuple example 3 

Use this policy tuple to allow a strong mapping via any of the approved specifications. 

fe40a3146d935dc248504d2dcd960d15c4542e6e; 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.3.2.1.3.44;UPNSuffix=corp.contoso.com,UPNSuffix=my.corp.contoso.com,IssuerSubject 

 

  1. For certificates whose Issuer Certificate Thumbprint is fe40a3146d935dc248504d2dcd960d15c4542e6e, and 
  2. The certificate has ANY of the following OIDs: 
    1. 2.16.840.1.101.3.2.1.3.45 
    2. 2.16.840.1.101.3.2.1.3.44 
  3. Allow a strong name-based mapping if the certificate is mapped via either of the following: 
    1. The user account in AD has a valid Issuer/SubjectName AltSecID mapping 
    2. UPNSuffix, where the suffix is “corp.contoso.com” 
    3. UPNSuffix, where the suffix is “my.corp.contoso.com” 

Event Log changes 

Two Event Log updates are here to help you as an AD administrator better troubleshoot strong name-based mapping scenarios. These are available to you with the September 10, 2024 and later updates. 

 

Updates to current event logs 

The current event logs now include policy OIDs found on the certificate used for authentication. This modifies the Key Distribution Center (KDC) events introduced by the May 10, 2022 and later updates.  

 

New event logs 

Additionally, a new event is available to log when the strong name-based mapping GPO encounters an issue processing the policy tuples. Track these events through Event ID 311. 

 

Event Log 

Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational 

Event Type 

Error 

Event Source 

Kerberos-Key-Distribution-Center 

Event ID 

311 

Event Text 

The Key Distribution Center (KDC) encountered invalid certificate strong name match policy. 

 

Faulting line: <line number> 

 

 

Ready to improve Windows Server security? 

We’re excited to bring this feature to your government scenario. Consider strong name-based mappings on Active Directory and PKI deployments in Windows Server 2019 or later if you meet the security requirements and recommendations. If you have any questions or need assistance, our support team is here to help. 

 

 

Continue the conversation. Find best practices. Bookmark the Public Sector Tech Community, then follow us on the Public Sector Blog for updates. 

Updated Sep 10, 2024
Version 1.0

12 Comments

  • BSchwartz's avatar
    BSchwartz
    Copper Contributor

    Is there any reason why we would be getting the error about the certificate not having the issuance policy OID that is listed in the tuple and also exists on the certificate used for authentication.

  • RDalton's avatar
    RDalton
    Copper Contributor

    Can you confirm this will not work with 2016 DCs in my environment? We're in the process of deploying 2022's but definitely won't have the 16s gone by September. 

  • ACHHH254's avatar
    ACHHH254
    Copper Contributor

    I am still a bit confused on this. So I have to map to the AltSecID in AD, AND setup a mapping for each user's certificate in this policy? 

  • JustinFelix's avatar
    JustinFelix
    Copper Contributor

    Microsoft needs to allow for more than one CA thumbprint in the tuple as many government organizations also use derived PIV (PIV-D) and the PIV-D issuing CA is separate from the normal PIV issuing CA.

    • ToastToast's avatar
      ToastToast
      Icon for Microsoft rankMicrosoft

      Thank you for the feedback. We use the CA Thumbprint as the key for the tuple lookup, so it must be both unique for all tuples and be the sole CA in the tuple. 

      You can configure multiple tuples, each with their own CA thumbprint. One option is to have one tuple for the PIV issuing CA, and another tuple for the PIV-D issuing CA. 

  • jdbst56's avatar
    jdbst56
    Brass Contributor

    I'm curious to Microsoft's decision to not honor the new SID extension when Certificate Mapping is used over UPN mapping where the UseSubjectAltName registry value is 0.  We have our internal Microsoft CA integrated with the Citrix Federated Authentication service.  With the way FAS works, it would be difficult to establish a strong (using SKI or Serial Number) mapping in the AltSecurityIdentities user attribute for these certificates as they are issued on demand to FAS by the CA and have a short (7-day default) validity period.  We were operating under the now incorrect assumption that since the certificates are issued from the internal CA, the new SID extension present in the certificate would now qualify the existing IssuerSubject mapping in AltSecurityIdentities as being strong.  Are you working with Citrix to address this issue?  If not, would using the policy 1 example tuple above allow our FAS service to continue working until there is a long term solution?  There is another post on the Citrix support forums from a user facing a similar scenario which will be common in government environments utilizing Citrix FAS: https://community.citrix.com/forums/topic/253495-virtualsmartcard-authentication-using-the-certificate-san/#_=_ 

  • Herbig's avatar
    Herbig
    Copper Contributor

    Good morning, I would like to be clearer about kb5014754, what type of certificates should I focus on, how should I review and remediate the certificate in case a change has to be made or a new certificate issued?
    For example, we have certificates issued for Web Server and it has a server authentication policy, there are other certificates that have client and server authentication policies, but how do I know if these changes affect my organization? Thank you.

    • geakin's avatar
      geakin
      Icon for Microsoft rankMicrosoft

      This applies to Smart Card certificate user login- I would not expect any machine authN to be flagged for unverified login attempts.

  • BTW97's avatar
    BTW97
    Copper Contributor

    Are the policies case sensitive, white space sensitive, or are there any other "gotchas" to look out for? I cannot seem to get a UPNSuffix policy to work with DoD issued PIVs. I do not get error 311 so I assume the policy is parsed properly, but logins still result in warning 39 on the DC. I'm wondering if the UPNSuffix policy dislikes the fact that the UPN on DoD PIVs is only single level, e.g. <userid>@mil (versus a more usual two-level UPN like contoso.com)

  • midnightjoe's avatar
    midnightjoe
    Copper Contributor

    Is there a ADMX file to support domain based GPO deployment?  With hundreds of Domain Controllers, I'd rather not manually edit local DC policies. 

    Working with the local policy, I see it's updating at least 2 registry keys, UseStrongNameMatches and StrongNameMatchesList.  I can easily use GPP to deploy if these are all the registry keys, but an updated ADMX file would be handy.

    Edited:

    While it's not included in any of the downloadable ADMX zip files, the updated KDC.ADMX/ADML are located on the DCs in C:\Windows\PolicyDefinitions\kdc.admx and the corresponding ADML file.  Copying those to the Central Store allowed Group Policies to deploy this setting. 

  • The best way to know would be if the certificates that you're using are showing up in Event ID 39 on your Domain Controllers. If they are, then some type of strong mapping is required before enforcement mode. For more information on the events, and our recommended guidance, please go to https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16.

    If you do not see Event ID 39 on your Domain Controllers, or you do but these certificates are not showing up, then this feature is not applicable to your situation. 

    For more information, please follow-up with your Microsoft Support contact. 

  • np1982's avatar
    np1982
    Copper Contributor

    we use IIS client certificate mapping for some of our websites. We generate a certificate using a generic AD user account and have this installed in the user certificate store of all our laptops. Does this hardening mean we need to change anything in the way we generate this certificate?