This guide applies to Mac computers

About Active Directory Strong Certificate Mapping Configuration

Active Directory Strong Certificate Mapping Configuration involves implementing Microsoft’s security changes to ADCS certificate authentication that enforce strong certificate mapping to address elevation of privilege vulnerabilities related to certificate spoofing.

How It Works

Microsoft introduced significant changes to Active Directory Certificate Services (ADCS) certificate authentication with KB5014754. These changes enforce strong certificate mapping to address elevation of privilege vulnerabilities related to certificate spoofing. This applies to customers using Microsoft Active Directory ADCS for certificate-based authentication (such as Wi-Fi or Ethernet with 802.1X) that leverages user attributes in certificates.
Important: As of February 11, 2025, Windows enforces these changes by default. If certificates cannot be strongly mapped to Active Directory accounts, authentication will be denied.

Enforcement Dates and Requirements

  • February 11, 2025 - Strong certificate mapping enforcement began by default
  • September 10, 2025 - Compatibility mode will no longer be supported
  • Action Required - All certificates used for Active Directory authentication must include the user’s security identifier (SID) in the Subject Alternative Name (SAN) field

Who Needs to Take Action?

This applies to customers using Microsoft ADCS for certificate-based authentication (such as Wi-Fi or Ethernet with 802.1X) that leverages user attributes in certificates.

Prerequisites

1. Assign users to device records in Iru Endpoint before proceeding with certificate updates.
2. Update your AD CS Server to Microsoft .NET (Core) 8 or later (if you’re leveraging Iru Endpoint’s AD CS connector for certificates issued from AD CS).

Required Steps

Updating Iru Endpoint ADCS Connector

This update is only required if you use Iru Endpoint’s AD CS connector to issue certificates.
1. Navigate to ADCS Integration: In your Iru Endpoint tenant, navigate to Integrations > ADCS.
2. Locate Connectors: Under Connectors, locate your connector(s).
3. Redownload Connector: Click the (…) menu > Redownload Connector.
4. Install Updated Connector: Download and install version 1.0.0.6 of the Iru Endpoint ADCS Connector. (System Requirements: Microsoft .NET (Core) 8 or later is required for the updated connector.)

Updating SCIM User Directory Integration

These steps pertain to Microsoft Entra SCIM integrations. Native Microsoft Entra ID integrations require no additional configuration.
1. Access Microsoft Entra Admin Center: Navigate to the Microsoft Entra admin center > Applications > Enterprise Applications.
2. Locate SCIM Application: Locate and open the SCIM app used with Iru Endpoint.
3. Access Provisioning Settings: Under Manage, select Provisioning.
4. Access Attribute Mapping: Under Manage, select Attribute Mapping (Preview).
5. Select User Provisioning: Select Provision Microsoft Entra ID Users.
6. Show Advanced Options: Scroll to the bottom and check the box to show advanced options.
7. Edit Attribute List: Click Edit attribute list for <customappsso>.
8. Add Security Identifier Field: Add a new field: onPremisesSecurityIdentifier (leave type as String) and click Save.
9. Add New Mapping: Return to Attribute Mapping, scroll down and click Add New Mapping.
10. Configure Mapping:
  • Mapping type: Direct (default)
  • Source attribute: onPremisesSecurityIdentifier
  • Target attribute: onPremisesSecurityIdentifier
11. Save Mapping: Click OK, then Save.
The onPremisesSecurityIdentifier attribute will appear in user attributes after the next Entra ID SCIM sync (every 20-40 minutes).

Updating Certificate Library Items

For SCEP Certificate Library Items
1. Locate SCEP Library Items: Locate existing SCEP Library Items used in your Blueprints.
2. Edit Library Item: Click Edit on the item.
3. Access SAN Section: In the Subject Alternative Name (SAN) section, click Add.
4. Add URI SAN: Add a Uniform Resource Identifier SAN.
5. Enter Strong Mapping ID: Enter this value exactly: $ADCS_STRONG_MAPPING_ID.
6. Save Changes: Click Save.

For Certificate Library Items using ADCS Connector
1. Locate Certificate Library Items: Locate and open assigned Certificate Library Items used in your Blueprints.
2. Edit Certificate Library Item: Click Edit.
3. Access SAN Section: In the Subject Alternative Name (SAN) section, click Add.
4. Add URI SAN: Add a Uniform Resource Identifier SAN.
5. Enter Strong Mapping ID: Enter this value exactly: $ADCS_STRONG_MAPPING_ID.
6. Save Changes: Click Save.

For Wi-Fi or Ethernet Library Items using SCEP or ADCS certificates for EAP-TLS
1. Locate Wi-Fi or Ethernet Library Items: Locate and open assigned Wi-Fi or Ethernet Library Items used in your Blueprints.
2. Edit Library Item: Click Edit.
3. Configure Identity Certificate: Scroll to the Identity Certificate section and click Configure.
4. Access SAN Section: In the Subject Alternative Name (SAN) section, click Add.
5. Add URI SAN: Add a Uniform Resource Identifier SAN.
6. Enter Strong Mapping ID: Enter this value exactly: $ADCS_STRONG_MAPPING_ID.
7. Save Changes: Click Save.

Deployment and Certificate Reissuance

After updating Library Items:
  • Iru Endpoint automatically reissues certificates to devices assigned the updated Library Items through their Blueprints
  • New certificates will contain the user’s SID in the SAN field, satisfying Microsoft’s strong certificate mapping requirements
  • Any reconfigured Wi-Fi or Ethernet connections will automatically use the new certificates
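A way to confirm on a device that a reissued certificate really carries the SID-based strong mapping, as an added example that is not Iru Endpoint or Microsoft code. It parses the text that `openssl x509 -in cert.pem -noout -ext subjectAltName` prints (for example on a cert exported from the Mac keychain with `security find-certificate -p`) and looks for the SID URI SAN format that Microsoft documents in KB5014754, `tag:microsoft.com,2022-09-14:sid:<SID>`; the page does not state what `$ADCS_STRONG_MAPPING_ID` expands to, so the sample SAN output, SID and UPN below are constructed placeholders.

```python
"""Classify a certificate's SAN entries against the account SID from the
directory (the onPremisesSecurityIdentifier value). Added example, not
vendor code; the sample openssl output below is constructed."""
import re

# Strong-mapping URI SAN prefix from KB5014754.
SID_URI_PREFIX = "tag:microsoft.com,2022-09-14:sid:"
# Domain account SID: S-1-5-21-<three domain sub-authorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# Constructed stand-in for `openssl x509 -noout -ext subjectAltName` output.
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    URI:tag:microsoft.com,2022-09-14:sid:S-1-5-21-1111111111-2222222222-3333333333-1105, othername: UPN::jdoe@corp.example
"""


def parse_san_entries(openssl_text: str) -> list[tuple[str, str]]:
    """Return (type, value) pairs from openssl's subjectAltName listing.

    OpenSSL separates entries with ', ' and writes each as 'TYPE:value'.
    The comma inside the tag URI is not followed by a space, so it survives.
    """
    entries = []
    for line in openssl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("X509v3"):
            continue
        for item in line.split(", "):
            kind, _, value = item.partition(":")
            entries.append((kind.strip(), value.strip()))
    return entries


def strong_mapping_status(entries: list[tuple[str, str]], expected_sid: str) -> str:
    """'strong'    - SID URI SAN present and equal to the directory SID
       'mismatch'  - SID URI SAN present but names a different account
       'malformed' - SID URI SAN present but not a valid domain SID
       'weak'      - only UPN/email/DNS names: denied once enforcement is on"""
    sid_uris = [v for k, v in entries if k == "URI" and v.startswith(SID_URI_PREFIX)]
    if not sid_uris:
        return "weak"
    sids = [u[len(SID_URI_PREFIX):] for u in sid_uris]
    if any(not SID_RE.match(s) for s in sids):
        return "malformed"
    return "strong" if expected_sid in sids else "mismatch"


if __name__ == "__main__":
    account_sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # placeholder
    print(strong_mapping_status(parse_san_entries(SAMPLE_SAN_OUTPUT), account_sid))
```

Run it against every device in the test Blueprint before the production rollout; a "weak" or "mismatch" result is a device that will lose 802.1X access under enforcement.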

Considerations

Network Connectivity Impact: Incorrectly updating certificates used for network connectivity can cause devices to disconnect from the network. Ensure you have a rollback plan before making changes to production Library Items.

Testing Requirements: Test these changes on a subset of devices using a test Blueprint with test Library Items before applying changes to production Library Items. This allows you to verify that the new certificates work correctly with your network infrastructure.

Timeline Compliance: Microsoft’s enforcement dates are critical:
  • February 11, 2025: Strong certificate mapping enforcement began by default
  • September 10, 2025: Compatibility mode will no longer be supported

User Assignment: Ensure users are properly assigned to device records in Iru Endpoint before proceeding with certificate updates. This is required for the strong mapping to work correctly.

System Requirements: If using Iru Endpoint’s AD CS connector, ensure your AD CS Server is updated to Microsoft .NET (Core) 8 or later before updating the connector.

SCIM Integration: For Microsoft Entra SCIM integrations, the onPremisesSecurityIdentifier attribute will appear in user attributes after the next Entra ID SCIM sync (every 20-40 minutes). Plan accordingly for timing.

Certificate Reissuance: After updating Library Items, Iru Endpoint automatically reissues certificates to devices. Monitor your devices to ensure they receive the updated certificates successfully.