Certificate-Based Authentication Changes and Always On VPN

Microsoft introduced important changes affecting certificate-based authentication on Windows domain controllers as part of the May 10, 2022 update KB5014754 that may affect Always On VPN deployments. The update addresses privilege escalation vulnerabilities when a domain controller is processing a certificate-based authentication request. The recommendation from Microsoft is that the update be applied to all Windows domain controllers and Active Directory Certificate Services (AD CS) servers as soon as possible.

Updated 5/20/2022: An out-of-band update to address authentication issues reported with this update is now available. Updates are available for Windows Server 2022, Windows Server 20H2, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.

Certificate Services

After applying the update to certification authority (CA) servers, a non-critical extension with Object Identifier (OID) 1.3.6.1.4.1.311.25.2 is added to all issued certificates with the user or device security identifier (SID) included. Domain controllers with the update installed will use this information to validate the certificate used for authentication and ensure that it matches the information in Active Directory.

Domain Controllers

The update operates in Compatibility Mode, by default, when applied to domain controllers. Windows monitors authentication requests and records audit events for certificates presented for authentication under the following conditions.

No strong mapping (event ID 39) – The certificate has not been mapped explicitly to a domain account, and the certificate did not include the new SID extension.

Certificate predates account (event ID 40) – A certificate was issued before the user existed in Active Directory, and no explicit mapping could be found.

User’s SID does not match certificate (event ID 41) – A certificate contains the new SID extension, but it does not match the SID of the corresponding user account.

Certificate Mapping

Administrators can map certificates explicitly to accounts in Active Directory, but this results in a significant administrative burden in most environments. A better option is to reissue user and device authentication certificates after applying the KB5014754 update to all issuing CA servers.

Reenroll Certificates

Administrators should reissue user and device authentication certificates after applying the KB5014754 update. Open the Certificate Templates management console (certtmpl.msc), identify the user or device authentication certificate template, then right-click on the template and choose Reenroll All Certificate Holders.

Enforcement Mode

After applying update KB5014754, administrators should monitor domain controller event logs for event IDs 39, 40, and 41. Once all certificates have been updated, and none of these events have been recorded for 30 days, administrators can switch to Full Enforcement Mode by enabling it in the registry on all domain controllers.

Key: HKLM\SYSTEM\CurrentControlSet\Services\KDC
Value: StrongCertificateBindingEnforcement
Type: DWORD
Data: 2

Note: Microsoft will automatically switch to Full Enforcement Mode beginning May 9, 2023.

Known Issues

There have been some reports of authentication issues after installing the KB5014754 update. Early indications are that device authentication certificates missing a Subject Alternative Name (SAN) entry are to blame. Administrators are encouraged to update their device certificates to include the SAN entry. Optionally, but not recommended, administrators can place the update in disabled mode by editing the registry.

Note: An out-of-band update for these authentication issues is now available. See the reference links at the top of this article for more information.

Additional Information

KB5014754 – Certificate-based authentication changes on Windows domain controllers

Microsoft Windows Always On VPN Users Prompted for Certificate

Microsoft Windows Always On VPN Clients Prompted for Authentication when Accessing Internal Resources

Leave a comment

11 Comments

  1. Chris

     /  May 16, 2022

    What would be the right order to apply this without having VPN outages?
    Patch CA -> Patch ALL DC’s -> Reenroll?
    We have multiple domain controllers in place. We already see some authentication errors because one DC has already updated.
    Any advice?

    Reply
  2. sebus

     /  May 25, 2022

    Sadly new issued certificate(s) after all infrastructure update, do NOT get Object Identifier (OID) 1.3.6.1.4.1.311.25.2 in the certificate from template
    Any ideas?

    Reply
    • Did you apply the May 2022 update to your issuing CA servers? If so, certificates issued after the update is applied will include the new OID by default.

      Reply
  3. In my testing we found we had to change the SAN name we were using from the DNS name of the computer to the UNC for the computer account.

    Reply
  4. sebus

     /  May 25, 2022

    This new Object Identifier (OID) (1.3.6.1.4.1.311.25.2) is added to any newly issued Certificates ONLY if they are issued via AutoEnrollment !

    If certificate is requested by user, it does NOT have this object

    Reply
    • That is not expected behavior. Are you issuing these certificates on-premises directly? Or with Intune using PKCS or SCEP?

      Reply
      • Nate

         /  June 10, 2022

        For me, certs issued through GPO auto-enrollment have the new OID. Certs issued through the Intune PKCS connector do not have the OID. This is after ensuring the Intune cert connectors were up to date and after installing the out-of-band MS update.

      • I’m seeing that as well, as most others are too. Still awaiting something from Microsoft on this. I suspect an update to the Intune certificate connector may be required. Hopefully, they are adding this capability as we speak.

      • Alex Ledger

         /  June 20, 2022

        Newly enrolled certs issues by AD Autoenrollment get the new OID. SCEP certs issues via Intune do not. Is there anything i can do to add OID for certs issues via Intune ?

      • That is expected. It appears to be a limitation Microsoft hasn’t yet addressed. I’m investigating as we speak. Stay tuned!

Leave a Reply

%d bloggers like this: