KB5014754 and EAP-TLS Machine Authentication




I need some guidance on the altSecurityIdentifier when it comes to mapping certificates for machine authentication.  The new 'stronger' methods do not work.  The only one I can get to work is the 'weak' X509IssuerSubject mapping, which has always been what I used for my devices that support EAP-TLS.  I'll go over what I currently have set up and what I've tried.  


Current setup:

I have an AD domain controller, ADCS, and NPS to authorize my clients.  An object in AD gets created (a machine object).  A certificate from ADCS gets issued and installed on the client.  I take the X509 and manually map it to that computer object and check the boxes for issuer and subjectName.  I then set up my authentication (this is for a wireless network, WPA2 Enterprise).  I set up the SSID name --> choose WPA2 Enterprise --> change Authentication from Automatic to EAP-TLS --> select the certificate --> enter a username (which is the machine name with a $, i.e. MYSYSTEM$).  The system then hits NPS, which authenticates the device, and it is now on the network.


With the new security enhancements:

NPS logs a failure in the logs stating that there is a credential mismatch.  In order to be compliant with the new security mappings, I have altered and followed KB5014754 and HowTo: Map a user to a certificate via all the methods available in the altSecurityIdentities attrib...

I put this in the correct formats (and I've tried each of the strong formats).  They do not work.  They will not authenticate the client.  NPS reports it's the same credential mismatch.  


So my question is, with the current setup and utilizing EAP-TLS with my clients (some of which, by the way, are domain-joined Macs and some are not domain-joined), is there any way to get this to work with the machine authentication method I'm using? 


I do get that I could do the mapping to a user object instead of a computer object.  I just hate to have that many user accounts active for devices.  
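The procedure described in the post (issue a device certificate, then populate altSecurityIdentities on the computer object with a KB5014754 strong mapping) is easy to get subtly wrong by hand: the issuer DN has to be written in reversed component order, and the serial number in reversed byte order. The following PowerShell is an added example, not code from the original post or from Microsoft; it derives the X509IssuerSerialNumber and X509SKI values from the certificate itself, writes them to the computer object the EAP-TLS username (MYSYSTEM$) resolves to, and reads them back. The certificate path and computer name are placeholders, and the SHA1-PUKEY form is left out since it is not derived here. The security point of the strong forms is that they bind the mapping to values specific to this issued certificate (serial, key identifier) rather than to names that could appear in some other certificate.

```powershell
# Added example (not from the original post). Builds KB5014754 strong
# altSecurityIdentities values for a device certificate and writes them to a
# computer object. Assumptions: $CertPath and $ComputerSam are placeholders,
# and the ActiveDirectory module is installed on the admin host.
param(
    [string]$CertPath    = 'C:\certs\mysystem.cer',  # placeholder path to the issued cert
    [string]$ComputerSam = 'MYSYSTEM$'               # sAMAccountName of the computer object
)

Import-Module ActiveDirectory

function Get-StrongCertMappings {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Issuer DN in the reversed, comma-separated form KB5014754 uses
    # ("DC=com,DC=contoso,CN=CA" rather than the cert's "CN=CA, DC=contoso, DC=com").
    # Format($true) yields one RDN per line, which avoids splitting on commas
    # that might be escaped inside an RDN value.
    $rdns = $Cert.IssuerName.Format($true) -split "`r?`n" |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','

    # Serial number in reversed byte order, as the <SR> field requires.
    # GetSerialNumber() already returns the bytes little-endian, i.e. reversed
    # relative to the SerialNumber string shown in the certificate UI.
    $serial = ($Cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') }) -join ''

    $mappings = @("X509:<I>$issuer<SR>$serial")

    # X509SKI mapping, only if the certificate carries a Subject Key Identifier.
    $skiRaw = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if ($skiRaw) {
        $ski = New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension($skiRaw, $skiRaw.Critical)
        $mappings += "X509:<SKI>$($ski.SubjectKeyIdentifier)"
    }
    return $mappings
}

function Get-KdcMappingEvents {
    # Run on a domain controller after a test logon. With the KB5014754 changes
    # the KDC logs event 39 (no strong mapping), 40 (certificate predates the
    # account) and 41 (SID mismatch) to the System log.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Format-List TimeCreated, Id, Message
}

$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$values = Get-StrongCertMappings -Cert $cert
$values | ForEach-Object { Write-Host "mapping: $_" }

# -Add appends to the multi-valued attribute; use -Replace instead if the
# weak X509IssuerSubject entry should be dropped rather than kept alongside.
Set-ADComputer -Identity $ComputerSam -Add @{ altSecurityIdentities = $values }

# Read back what the directory actually holds before testing the client.
Get-ADComputer -Identity $ComputerSam -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```

Run it as an account that can write to the computer object, then reattempt the EAP-TLS logon and call Get-KdcMappingEvents on a DC; an event 39 for the device after the write means the KDC still did not find a usable strong mapping on the object the certificate was mapped to.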



2 Replies

Hi @jberg7120,

there is no way to use the altSecurityIdentifier attribute to create a strong mapping between a certificate and a computer object for machine authentication with EAP-TLS, without creating a user account for the device.

The altSecurityIdentifier attribute is only used for mapping user accounts to certificates. For machine authentication with EAP-TLS, you need to create a strong mapping between the certificate and the computer object in the userCertificateMappings attribute.

The userCertificateMappings attribute can only be populated with user accounts, not computer accounts. This is a security feature that prevents attackers from using stolen certificates to authenticate as computer accounts.

So, the only way to use the new machine authentication method in Windows Server 2022 and later with EAP-TLS is to create a user account for each device.

I understand that this is not ideal, but it is the only way to ensure that your network is secure.


Kindest regards,

Leon Pavesic

Thanks Leon for the reply.

When I look at the attributes for both user objects and computer objects, I do see the attribute 'userCertificate' for both types. For some I see the attribute populated. If this were populated correctly, would that allow for device authentication with a strong mapping for devices if placed on a computer object?