Versasec Notice: CBA Changes on Windows Domain Controllers

Date: 2022-12-08
Author: Anders Adolfsson, Global Product Manager

Versasec addresses Microsoft KB5014754 and notifies customers that they might need to reissue their smart card logon certificates or map them correctly. It is recommended that action is taken as soon as possible, ahead of the May 9, 2023 cutoff after which certificates that don’t meet the specified mapping criteria will fail authentication.

UPDATED 7/7/2023

6/30/23: Changed Full Enforcement Mode date from November 14, 2023 to February 11, 2025 (these dates were previously listed as May 19, 2023 to November 14, 2023)

Microsoft released KB5014754 to fix vulnerabilities CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923. All certificates that do not meet the strong mapping criteria after May 9, 2023 will fail authentication.

If you deploy KB5014754 on your domain controllers, certificates that would not pass “Full Enforcement Mode” are logged. Until May 9, 2023, you can run in “Compatibility Mode” (the default); after this date “Full Enforcement Mode” applies. “Disabled Mode” can only be used until February 14, 2023.

Ways to solve

Issue new certificates with AD and PKI connected

  • Verify that you have KB5014754 deployed on your domain controllers and on the MSCA server.
  • Verify that certificates issued after the patch is deployed contain the new extension with the special OID (1.3.6.1.4.1.311.25.2) carrying the user’s SID from AD.
  • New certificates are now strongly mapped to each user through the user’s SID.

The above method does not apply to certificates issued by a PKI that has no connection to the underlying AD.

Issue new certificates without AD and PKI connected

  • Verify that you have KB5014754 deployed on your domain controllers.
  • Configure vSEC:CMS/vSEC:CLOUD to collect and pass the user SID from AD into the certificate request. This is done using Customized Certificate Request Fields.
  • Configure your PKI to accept that request field and include the new extension with the special OID (1.3.6.1.4.1.311.25.2) carrying the user’s SID from AD in the issued certificate.
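Both procedures above end with the same check: the issued certificate must carry the SID extension with OID 1.3.6.1.4.1.311.25.2, and the SID inside it must be the account’s own objectSid. As an added example (not Versasec or Microsoft code), the following Python encodes and decodes that extension value with a minimal DER encoder, so a PKI operator can see exactly what the PKI has to emit and verify what came back. The DER layout is the one Windows CAs emit (an OtherName of type 1.3.6.1.4.1.311.25.2.1 wrapping the SID as an OCTET STRING); the sample SID is constructed.

```python
# Added example (not Versasec or Microsoft code): build and inspect the
# SID security extension (OID 1.3.6.1.4.1.311.25.2) that KB5014754 expects
# in a strongly mapped certificate. Assumed DER layout (as emitted by Windows CAs):
#
#   SEQUENCE {
#     [0] {                                    -- OtherName
#       OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.2.1
#       [0] { OCTET STRING "S-1-5-21-..." }     -- the account's objectSid as text
#     }
#   }

SID_EXT_OID = "1.3.6.1.4.1.311.25.2"
SID_OTHERNAME_OID = "1.3.6.1.4.1.311.25.2.1"


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(oid: str) -> bytes:
    """Dotted OID -> DER content octets (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def encode_sid_extension(sid: str) -> bytes:
    """DER value of the SID extension for one account SID (e.g. from objectSid)."""
    if not sid.startswith("S-1-"):
        raise ValueError("not a SID string")
    sid_value = _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))
    other_name = _tlv(0x06, _encode_oid(SID_OTHERNAME_OID)) + sid_value
    return _tlv(0x30, _tlv(0xA0, other_name))


def decode_sid_extension(der: bytes) -> str:
    """Extract the SID from an extension value, rejecting anything off-layout."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, other_name, _ = _read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("expected [0] OtherName")
    tag, oid, pos = _read_tlv(other_name, 0)
    if tag != 0x06 or _decode_oid(oid) != SID_OTHERNAME_OID:
        raise ValueError("unexpected OtherName type-id")
    tag, wrapper, _ = _read_tlv(other_name, pos)
    if tag != 0xA0:
        raise ValueError("expected [0] value wrapper")
    tag, sid_bytes, _ = _read_tlv(wrapper, 0)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    sid = sid_bytes.decode("ascii")
    if not sid.startswith("S-1-"):
        raise ValueError("payload is not a SID string")
    return sid


def extension_matches_account(der: bytes, expected_sid: str) -> bool:
    """True only if the extension parses and names the expected account SID;
    the domain controller compares this value against the account's objectSid."""
    try:
        return decode_sid_extension(der) == expected_sid
    except (ValueError, IndexError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    sample = "S-1-5-21-3623811015-3361044348-30300820-1013"  # constructed, not a real account
    blob = encode_sid_extension(sample)
    print(blob.hex())
    print(decode_sid_extension(blob))
```

To check a real certificate, extract the value of extension 1.3.6.1.4.1.311.25.2 with any X.509 tooling and pass its raw DER bytes to `extension_matches_account` together with the account’s objectSid; a certificate whose extension is absent, malformed, or names a different SID is exactly the case that fails under Full Enforcement Mode.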

Existing certificates altSecurityIdentities mapping

It might not be possible to re-issue all existing non-compliant certificates for all users before the deadline. For these situations, the altSecurityIdentities mapping is a possible solution: an existing certificate that does not carry the SID can be given a strong mapping by adding the appropriate altSecurityIdentities value to the user object. See the Microsoft guide (KB5014754 – Certificate mappings – Manually map certificates) on how to perform the manual mapping.
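As an added example (not Versasec code, and not the Microsoft guide’s own script), the following Python builds the strong X509IssuerSerialNumber value for one certificate and audits a set of existing altSecurityIdentities entries, flagging accounts that still have no strong mapping so they can be fixed before the deadline. The mapping formats and their strong/weak classification follow the table in KB5014754; the reversed issuer RDN order and reversed serial byte order are taken from that guide’s example. The issuer name, serial number and account names are constructed.

```python
# Added example (not Versasec or Microsoft code): build and audit
# altSecurityIdentities values for certificates that lack the SID extension.
# Formats follow the mapping table in KB5014754, which the notice points to:
#   strong:  X509:<I>issuer<SR>serial   X509:<SKI>ski   X509:<SHA1-PUKEY>hash
#   weak:    X509:<I>issuer<S>subject   X509:<S>subject X509:<RFC822>mail
# Taken from the guide's example: the issuer DN is written with its RDNs in
# reverse order and the serial number in reversed byte order.
import re

STRONG_TAGS = ("<SKI>", "<SHA1-PUKEY>")


def _reverse_dn(dn: str) -> str:
    # Naive split on commas; escaped commas inside an RDN value are not handled.
    return ",".join(part.strip() for part in reversed(dn.split(",")))


def issuer_serial_mapping(issuer_dn: str, serial_hex: str) -> str:
    """X509IssuerSerialNumber mapping string, taking the issuer DN and serial
    number exactly as the certificate details pane shows them."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", serial_hex)
    if not digits or len(digits) % 2:
        raise ValueError("serial number must be an even number of hex digits")
    reversed_serial = bytes.fromhex(digits)[::-1].hex().upper()
    return f"X509:<I>{_reverse_dn(issuer_dn)}<SR>{reversed_serial}"


def classify_mapping(value: str) -> str:
    """Return 'strong', 'weak' or 'unknown' for one altSecurityIdentities entry."""
    if not value.startswith("X509:<"):
        return "unknown"  # Kerberos principal or other non-X509 entry
    body = value[5:]
    if body.startswith("<I>"):
        rest = body[3:]
        if "<SR>" in rest:
            return "strong"  # X509IssuerSerialNumber
        if "<S>" in rest:
            return "weak"    # X509IssuerSubject
        return "unknown"
    if any(body.startswith(tag) for tag in STRONG_TAGS):
        return "strong"      # X509SKI or X509SHA1PublicKey
    if body.startswith("<S>") or body.startswith("<RFC822>"):
        return "weak"        # X509SubjectOnly or X509RFC822
    return "unknown"


def accounts_needing_attention(directory: dict) -> dict:
    """Given {sAMAccountName: [altSecurityIdentities entries]}, return the
    accounts with no strong mapping at all, each with the reason."""
    report = {}
    for account, mappings in directory.items():
        kinds = [classify_mapping(m) for m in mappings]
        if "strong" in kinds:
            continue
        if not mappings:
            report[account] = "no altSecurityIdentities"
        else:
            report[account] = "only weak mappings: " + ", ".join(mappings)
    return report


if __name__ == "__main__":
    # Constructed issuer and serial, written as a certificate viewer shows them.
    mapping = issuer_serial_mapping("CN=CONTOSO-DC-CA, DC=contoso, DC=com",
                                    "2b 00 00 00 00 11 ac 00 00 00 00 12")
    print(mapping)
    # Constructed directory snapshot: alice is already strong, bob and carol are not.
    snapshot = {
        "alice": [mapping],
        "bob": ["X509:<RFC822>bob@contoso.com"],
        "carol": [],
    }
    for account, reason in accounts_needing_attention(snapshot).items():
        print(f"{account}: {reason}")
```

The generated string is what goes into the user’s altSecurityIdentities attribute; weak entries already present on an account do not need to be removed for the account to pass, but the audit deliberately reports any account that relies on them alone, since those are the ones that will fail once Full Enforcement Mode applies.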

Contact Us

If you have further questions or require assistance, contact us via email or through our website.
