Do you use Kerberos SSO with certificate-based authentication (CBA), e.g., to authenticate users from managed devices to intranet sites and file/print servers? If so, read on!
Since May 2022, Microsoft has been rolling out changes (KB5014754) that make certificate-based authentication through the Active Directory Kerberos Key Distribution Center (KDC) more secure. Starting with the February 11, 2025 update, domain controllers only accept client certificates that are strongly mapped to an account; in practice this means the certificate must carry the user's security identifier (SID). (The alternative, an explicit mapping in the account's altSecurityIdentities attribute, has to be maintained per certificate and is impractical for MDM-issued certificates that renew automatically.) This change affects all clients, including Windows, Mac, iPhone, and Android, because the check happens on the domain controller, not on the device. Microsoft refers to this change as “strong mapping.”
The SID must be included in your certificates via your device management solution (MDM). In this blog post, we describe how you can implement the update in Intune, MobileIron, Jamf, and Workspace ONE.
We recommend activating compatibility mode on your domain controllers before installing Microsoft’s February 2025 update on them. This will delay the requirement until September 10, 2025, giving you more time to prepare your solution; if the compatibility mode key is not set, the February 2025 update moves the domain controllers straight to full enforcement. You can read more about compatibility mode at the bottom of this blog post.
Implementation steps for strong mapping:
1. Activate compatibility mode
2. Update the SID in your MDM solution
3. Test the certificate on a new device
4. Distribute the new certificate to devices
5. Ensure the profile is distributed to all devices, and that the old certificates have actually been renewed, well before September 10, 2025
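Step 3 is easy to get wrong: a renewed certificate looks fine to the device but still fails at the KDC if the SID URI is missing or belongs to another account. The PowerShell function below is an added example (not code from the original post or from any MDM vendor) for checking a certificate exported from a test device. It looks for both ways a SID can appear in a certificate: the SAN URI with the `tag:microsoft.com,2022-09-14:sid:` prefix that the MDM profiles in this post produce, and the `1.3.6.1.4.1.311.25.2` extension that AD CS adds to certificates it issues directly. The optional comparison against Active Directory assumes the RSAT ActiveDirectory module (`Get-ADUser`) on a domain-joined workstation; the file path and account name in the usage line are placeholders.

```powershell
# Added example (not from the original post): verify that an exported user certificate
# carries a strong SID mapping before rolling the new MDM profile out fleet-wide.
# Assumptions: the certificate is a DER or Base64 .cer file at -Path; the optional AD
# comparison uses Get-ADUser from the RSAT ActiveDirectory module.
function Test-StrongCertificateMapping {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,   # .cer exported from a test device
        [string] $SamAccountName                 # optional: compare against this AD user's SID
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # Domain account SID (S-1-5-21-<3 sub-authorities>-<RID>), not a well-known SID.
    $sidPattern = 'S-1-5-21(?:-\d+){3}-\d+'
    $found = @()

    # Mapping 1: URI entry in the SAN extension (2.5.29.17) with the KB5014754 tag prefix.
    # This is what the Intune, Jamf, MobileIron and Workspace ONE profiles add via SCEP.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $text = $san.Format($true)    # multi-line rendering, e.g. "URL=tag:microsoft.com,...:sid:S-1-5-21-..."
        foreach ($m in [regex]::Matches($text, "tag:microsoft\.com,2022-09-14:sid:($sidPattern)")) {
            $found += [pscustomobject]@{ Method = 'SAN URI tag'; Sid = $m.Groups[1].Value }
        }
    }

    # Mapping 2: szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2), added by AD CS itself.
    # The SID is stored as an ASCII octet string inside the DER, so a text scan recovers it.
    $ntds = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' }
    if ($ntds) {
        $ascii = [System.Text.Encoding]::ASCII.GetString($ntds.RawData)
        foreach ($m in [regex]::Matches($ascii, $sidPattern)) {
            $found += [pscustomobject]@{ Method = 'NTDS CA security extension'; Sid = $m.Value }
        }
    }

    $result = [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotBefore    = $cert.NotBefore
        StrongMapped = ($found.Count -gt 0)
        Mappings     = $found
        SidMatchesAD = $null
    }

    if ($SamAccountName -and $found.Count -gt 0) {
        $user = Get-ADUser -Identity $SamAccountName -Properties whenCreated
        $result.SidMatchesAD = ($found.Sid -contains $user.SID.Value)
        # A SID belonging to a different account is rejected by the KDC even though it is "strong".
        if (-not $result.SidMatchesAD) {
            Write-Warning "SID in certificate does not match $SamAccountName ($($user.SID.Value))"
        }
        # The KDC also flags certificates that predate the account they map to (KB5014754 event 40).
        if ($cert.NotBefore -lt $user.whenCreated) {
            Write-Warning "Certificate NotBefore ($($cert.NotBefore)) predates account creation ($($user.whenCreated))"
        }
    }
    return $result
}

# Usage (placeholders): export the renewed certificate from a test device, then
# Test-StrongCertificateMapping -Path .\exported-from-test-device.cer -SamAccountName jdoe
```

`StrongMapped` must be `True` and, when you pass the account, `SidMatchesAD` must be `True` before the profile is pushed to more than a handful of pilot devices. A certificate renewed from a profile that still carries the bare SID without the `tag:microsoft.com,2022-09-14:sid:` prefix shows `StrongMapped = False` here, which is exactly the case the KDC will reject once enforcement is on.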
If you have questions or need assistance, feel free to contact us.
Microsoft Intune
A new URI tag must be added to the Subject Alternative Name (SAN) in your SCEP profiles:
1. Open the Intune Admin portal.
2. Navigate to Devices->Configuration.
3. Find all “SCEP certificate” policies. Adjust only the profiles for users, not devices: the variable below is resolved from the user object and is empty for a device certificate.
4. Modify the SCEP profiles by adding a new attribute under Subject Alternative Name:
- Attribute type: URI
- Value (the tag prefix is required; the KDC only recognizes the SID in this exact URI form):
tag:microsoft.com,2022-09-14:sid:{{OnPremisesSecurityIdentifier}}
5. Devices will need to renew their certificates, e.g., by creating a new SSO profile or modifying an existing one.
For more information on updating your SCEP profile, refer to this article: [Implementing Strong Mapping in Microsoft Intune](https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-implementing-strong-mapping-in-microsoft-intune/ba-p/4053376)
Jamf Pro
For both Computers and Mobile Devices:
1. Open the Jamf Pro console.
2. Go to Settings -> Device Management -> Inventory Collection and ensure “Collect user and location information from Directory Service” is enabled.
3. Navigate to Devices -> Device Management -> Extension Attributes.
4. Create an extension attribute (e.g., OnPremisesSecurityIdentifier) with:
- Data type: String
- Inventory display: User and location
- Input type: Directory service attribute mapping
- If using Entra ID, set Directory service attribute:
OnPremisesSecurityIdentifier
- If using classic AD, set Directory service attribute:
ObjectSID
5. Locate the directory service attribute variable for the created extension attribute (e.g., `$EXTENSIONATTRIBUTE_4822`).
6. The field will update during the next inventory update.
7. For each Kerberos SSO profile:
- Go to the SCEP or Certificate payload section.
- Set Subject Alternative Name Type to Uniform Resource Identifier.
- Under Subject Alternative Name Value, add:
tag:microsoft.com,2022-09-14:sid:$EXTENSIONATTRIBUTE_#
(Replace `#` with the number of the variable from step 5, e.g. `$EXTENSIONATTRIBUTE_4822`.)
For more details, see Jamf’s article: [Supporting Microsoft Active Directory Strong Certificate Mapping Requirements](https://learn.jamf.com/en-US/bundle/technical-articles/page/Supporting_Microsoft_Active_Directory_Strong_Certificate_Mapping_Requirements.html)
MobileIron
This guide covers MobileIron on-prem. For MobileIron Cloud (Ivanti Neurons for UEM), contact us for assistance.
1. Open the Admin portal.
2. Navigate to Policies & Configs -> Configurations.
3. Select the Certificate Enrollment profile used for Kerberos SSO.
4. Enable Microsoft User Security Identifier in the profile.
5. Devices will need to renew their certificates, e.g., by modifying the SSO profile using the certificate.
For Ivanti’s guide, refer to: [Impact of KB5014754 on MobileIron Core]
Workspace ONE
If using ADCS CA integration instead of SCEP/NDES:
1. Open the Admin portal.
2. Go to All Settings -> System -> Enterprise Integration -> Certificate Authorities -> Request Templates.
3. For each template used for Kerberos SSO certificates:
- Enable Include Security Identifier (SID).
- Save the updated template.
Devices will need to renew their certificates, e.g., by re-pushing the profile with Kerberos SSO settings.
For AD CS configuration, refer to Omnissa’s guide: [Omnissa Configuration Guide]
If using SCEP/NDES, Omnissa’s solution will be available in version 24.10.
Activate Compatibility Mode
Microsoft provides guidance here: [Certificate-Based Authentication Changes on Windows Domain Controllers]
Essentially, on all domain controllers, set the following registry value (REG_DWORD) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc:
StrongCertificateBindingEnforcement = 1
(0 disables the check, 1 is compatibility mode, 2 is full enforcement; with the February 2025 update, a missing value behaves as 2.)
Refer to this section for more details: [Registry Key Details]
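Setting the value on every domain controller matters more than it looks: a single DC that is missed moves to full enforcement with the February 2025 update and will start rejecting users who happen to authenticate against it. The script below is an added example (not from the original post or from Microsoft's guidance) that sets compatibility mode on all DCs over WinRM, reads the value back from each one, and then uses compatibility mode for what it is meant for: the KDC still allows weakly mapped certificates but logs them, so the System log on the DCs tells you which users have not yet received a SID-bearing certificate. It assumes the RSAT ActiveDirectory module (`Get-ADDomainController`) and remote PowerShell and event log access to the DCs; the seven-day window is an arbitrary choice.

```powershell
# Added example (not from the original post): put every domain controller into KB5014754
# compatibility mode, verify it, and list certificate logons the KDC could only map weakly.
# Assumptions: RSAT ActiveDirectory module, WinRM and remote event log access to the DCs.

$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'StrongCertificateBindingEnforcement'   # 0 = disabled, 1 = compatibility, 2 = full enforcement
$dcs       = (Get-ADDomainController -Filter *).HostName

# 1. Set the value and read it back on every DC. Verify all of them: a DC without the value
#    goes to full enforcement with the February 2025 update.
$state = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($key, $name)
    Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
    [pscustomobject]@{
        DC    = $env:COMPUTERNAME
        Value = (Get-ItemProperty -Path $key -Name $name).$name
    }
} -ArgumentList $kdcKey, $valueName
$state | Format-Table DC, Value
$notCompat = $state | Where-Object Value -ne 1
if ($notCompat) { Write-Warning "DCs not in compatibility mode: $($notCompat.DC -join ', ')" }

# 2. Which accounts still authenticate with certificates that lack a strong mapping?
#    In compatibility mode the KDC logs event 39 (no strong mapping, logon still allowed),
#    40 (certificate predates the account) or 41 (SID in certificate does not match the account)
#    from source Microsoft-Windows-Kerberos-Key-Distribution-Center in the System log.
$since = (Get-Date).AddDays(-7)    # arbitrary look-back window
$weak = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # The event text carries "User:", "Certificate Subject:", "Certificate Issuer:",
        # "Certificate Serial Number:" and "Certificate Thumbprint:" lines; keep user and subject.
        $user    = if ($_.Message -match '(?m)^User:\s*(.+?)\s*$')                { $Matches[1] } else { '' }
        $subject = if ($_.Message -match '(?m)^Certificate Subject:\s*(.+?)\s*$') { $Matches[1] } else { '' }
        [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated; EventId = $_.Id; User = $user; Subject = $subject }
    }
}

# One line per account: these are the users whose MDM profile has not yet delivered a
# SID-bearing certificate, or whose certificate carries the wrong SID (event 41).
$weak | Sort-Object User, Time -Descending | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User     = $_.Name
        Events   = $_.Count
        LastId   = ($_.Group | Select-Object -First 1).EventId
        LastSeen = ($_.Group | Select-Object -First 1).Time
    }
} | Format-Table -AutoSize
```

Run the second part again in the days before September 10, 2025: an empty result over a window that covers a normal working week is the evidence that step 5 of the implementation plan is actually done, whereas a non-empty one names exactly the accounts to chase before the registry key stops being honored.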