Microsoft introduced significant changes to Active Directory Certificate Services (AD CS) certificate authentication with KB5014754. These changes enforce strong certificate mapping to address elevation of privilege vulnerabilities related to certificate spoofing. The changes affect organizations that use Microsoft AD CS for certificate-based authentication that relies on user attributes in certificates (for example, Wi-Fi or Ethernet with 802.1X).
Important: As of February 11, 2025, Windows enforces these changes by default. If certificates cannot be strongly mapped to Active Directory accounts, authentication will be denied.

Enforcement Dates and Requirements

Review the following enforcement timeline and certificate requirements before you change Library Items or Connector versions.
  • Strong certificate mapping enforcement began by default on February 11, 2025.
  • Compatibility mode is no longer supported.
  • All certificates used for Active Directory authentication must include the user’s security identifier (SID) in the Subject Alternative Name (SAN) field.

Who Needs to Take Action?

This applies to customers who use Microsoft AD CS for certificate-based authentication that relies on user attributes in certificates (for example, Wi-Fi or Ethernet with 802.1X).

Prerequisites

Confirm the following before you update the AD CS Connector, SCIM, or Library Items for strong certificate mapping.
  • Assign users to device records in Iru Endpoint before proceeding with certificate updates.
  • If you use the Iru Endpoint AD CS Connector for certificates issued from AD CS, install .NET 8 or later on the Windows Server 2019 or newer host that runs the Connector. The Connector host is often not the same machine as your AD CS Certification Authority (CA). For the full requirement list, including TPM or vTPM, see AD CS Connector Server Requirements in AD CS Connector Installation.

Required Steps

Update Iru Endpoint AD CS Connector

This update is only required if you use the Iru Endpoint AD CS Connector to issue certificates.
Strong certificate mapping requires the updated Iru Endpoint AD CS Connector at a supported 2.x version (see the prerequisites above). On Windows Server, download the latest Iru Endpoint AD CS Connector from Integrations > Active Directory Certificate Services (you can use Redownload Connector on the Connector card) and install it on the host. For upgrading an updated Connector on Iru Endpoint, see Updating the Iru AD CS Connector. For replacing the legacy Kandji Connector after tenant migration, see Migrating from Kandji to Iru with AD CS in AD CS Integration: Overview. When a new updated registration appears next to a legacy Connector row, complete Assign servers and remove the legacy entry as described in Migrating from Kandji to Iru with AD CS or Updating the Iru AD CS Connector. For install, sign-in, and registration URL flow, see Initialization in AD CS Connector Installation.

Update SCIM User Directory Integration

These steps pertain to Microsoft Entra SCIM integrations. Native Microsoft Entra ID integrations require no additional configuration.
1. Sign in to the Microsoft Entra admin center.
2. Open Entra ID: open the portal menu, then select Entra ID.
3. Open Enterprise applications: on the Entra ID menu, select Enterprise applications.
4. Open your SCIM app: locate and open the SCIM app used with Iru Endpoint.
5. Open provisioning settings: under Manage, select Provisioning.
6. Open attribute mapping: under Manage, select Attribute Mapping (Preview).
7. Select the Entra users mapping: select Provision Microsoft Entra ID Users.
8. Show advanced options: scroll to the bottom and check the box to show advanced options.
9. Edit the attribute list: click Edit attribute list for Provision Microsoft Entra ID Users.
10. Add the onPremisesSecurityIdentifier attribute: add a new field named onPremisesSecurityIdentifier (leave the type as String).
11. Save the attribute list: click Save.
12. Start a new mapping: return to Attribute Mapping, scroll down, and click Add New Mapping.
13. Configure the mapping fields:
  • Mapping type: Direct (default)
  • Source attribute: onPremisesSecurityIdentifier
  • Target attribute: onPremisesSecurityIdentifier
14. Save the mapping: click OK, then Save.
The onPremisesSecurityIdentifier attribute will appear in user attributes after the next Entra ID SCIM sync (every 20-40 minutes).

Update Certificate Library Items

For SCEP Certificate Library Items
1. Open assigned SCEP Library Items: in Iru Endpoint, locate SCEP Library Items assigned in your Blueprints.
2. Edit the Library Item: click Edit on the item.
3. Add a SAN value: in the Subject Alternative Name (SAN) section, click Add.
4. Select the URI SAN type: add a Uniform Resource Identifier SAN.
5. Enter the strong mapping value: enter exactly $AD_CS_STRONG_MAPPING_ID
6. Save changes: click Save.

For Certificate Library Items using the AD CS Connector
1. Open assigned Certificate Library Items: in Iru Endpoint, locate and open Certificate Library Items assigned in your Blueprints.
2. Edit the Library Item: click Edit.
3. Add a SAN value: in the Subject Alternative Name (SAN) section, click Add.
4. Select the URI SAN type: add a Uniform Resource Identifier SAN.
5. Enter the strong mapping value: enter exactly $AD_CS_STRONG_MAPPING_ID
6. Save changes: click Save.

For Wi-Fi or Ethernet Library Items using SCEP or AD CS certificates for EAP-TLS
1. Open assigned Wi-Fi or Ethernet Library Items: in Iru Endpoint, locate and open Wi-Fi or Ethernet Library Items assigned in your Blueprints.
2. Edit the Library Item: click Edit.
3. Open the Identity Certificate settings: scroll to the Identity Certificate section and click Configure.
4. Add a SAN value: in the Subject Alternative Name (SAN) section, click Add.
5. Select the URI SAN type: add a Uniform Resource Identifier SAN.
6. Enter the strong mapping value: enter exactly $AD_CS_STRONG_MAPPING_ID
7. Save changes: click Save.

Deployment and Certificate Reissuance

After updating Library Items:
  • Iru Endpoint automatically reissues certificates to devices assigned the updated Library Items through their Blueprints
  • New certificates will contain the user’s SID in the SAN field, satisfying Microsoft’s strong certificate mapping requirements
  • Any reconfigured Wi-Fi or Ethernet connections will automatically use the new certificates

Next Steps

After you save Library Item changes:
1. Validate on test devices: run the updates on a small test Blueprint before you expand to production.
2. Review the AD CS rollout order (optional): see AD CS Integration: Overview for the AD CS setup path diagram and rollout order.

Considerations

Incorrectly updating certificates used for network connectivity can cause devices to disconnect from the network.
Test these changes on a subset of devices using a test Blueprint with test Library Items before applying changes to production Library Items.