Microsoft Update KB5014754: Key Changes to Certificate Authentication in Windows Servers

In a recent announcement, detailed in update KB5014754, Microsoft presented significant changes to certificate-based authentication on Windows domain controllers. The update applies to several versions of Windows Server, including 2012 R2, 2016 and 2019, and to later releases such as Windows Server 2022 and version 20H2. The changes address security vulnerabilities in the Kerberos Key Distribution Center (KDC) and require administrators to install updates and adjust system configuration.

A Timeline of Changes

The update comes with a change log that highlights critical adjustments and their respective dates:
  • September 10, 2024: Clarified the beginning of Full Enforcement mode set for February 11, 2025, with support for Compatibility mode until September 10, 2025.
  • July 5, 2024: Inclusion of information about the SID Extension for the Key Distribution Center registry key.
  • October 10, 2023: Introduction of Strong Mappings Default Changes in the update timeline.
  • June 30, 2023: Rescheduled Full Enforcement mode from November 14, 2023, to February 11, 2025.
  • January 26, 2023: Revised the removal date of Disabled mode to April 11, 2023.

Understanding the Security Enhancements

The backdrop of these changes is the set of critical vulnerabilities identified as CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923. They could lead to elevation of privilege during certificate-based authentication requests handled by the KDC, mainly because of gaps in how certain naming conventions, such as the dollar sign ($) in machine names, were handled. The changes aim to eliminate spoofed certificates that impersonate another account, which pose a serious threat to network security.

Key Actions for Administrators

To safeguard systems, Microsoft emphasizes the necessity for administrators to take the following steps:
  1. Update Servers: Ensure all domain controllers and Active Directory Certificate Services servers have the May 10, 2022, security updates installed, as these introduce stronger certificate mapping.
  2. Transition to Full Enforcement Mode: As of February 11, 2025, all devices move to Full Enforcement mode, in which a certificate without a strong mapping is denied authentication.

Audit Events and Error Management

The update introduces new audit events to monitor certificate mappings:
  • Event IDs 39 and 41: Indicate that a certificate could not be strongly mapped to an account; the certificate may need to be reissued or mapped explicitly to the account.
  • Events for certificates that predate the account: Warn when a certificate was issued before the user account was created, which can lead to authentication failures.

Detailed Certificate Mappings

Administrators can manually map certificates to accounts in Active Directory using the altSecurityIdentities attribute. This allows strong identification methods in place of weaker, potentially insecure mappings based on subject names or email addresses. The recommended strong mappings are:
  • X509IssuerSerialNumber
  • X509SKI
  • X509SHA1PublicKey
This structured mapping ensures secure authentication and aligns with Microsoft’s broader security framework.
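As an added example (not from the KB article or the post), the following PowerShell builds the X509IssuerSerialNumber and X509SKI mapping strings for a user certificate and appends them to the account's altSecurityIdentities. It assumes the certificate is available as a .cer file, the RSAT ActiveDirectory module is installed, and the file path and account name are placeholders.

```powershell
# Added example: build strong altSecurityIdentities values from a certificate file.
# Assumptions: RSAT ActiveDirectory module present; path and account name are placeholders.
Import-Module ActiveDirectory

function Get-StrongCertMappings {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # <I> takes the issuer DN with its RDNs in reverse order of the display form,
    # e.g. "CN=CONTOSO-DC-CA, DC=contoso, DC=com" becomes "DC=com,DC=contoso,CN=CONTOSO-DC-CA".
    # Note: a simple split is used here; escaped commas inside an RDN value would need extra handling.
    $rdns = @($cert.Issuer -split ',\s*')
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','

    # <SR> takes the serial number in reverse byte order, so swap the hex pairs end to end.
    $serialHex = $cert.SerialNumber
    $pairs = @(for ($i = 0; $i -lt $serialHex.Length; $i += 2) { $serialHex.Substring($i, 2) })
    [array]::Reverse($pairs)
    $serialReversed = ($pairs -join '').ToUpper()

    $mappings = @("X509:<I>$issuer<SR>$serialReversed")

    # <SKI> is the Subject Key Identifier extension (OID 2.5.29.14) as hex, when the cert has one.
    $skiExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if ($skiExt) {
        $ski = New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension($skiExt, $false)
        $mappings += "X509:<SKI>" + $ski.SubjectKeyIdentifier
    }
    return $mappings
}

$mappings = Get-StrongCertMappings -CertPath 'C:\certs\user.cer'   # placeholder path
$mappings | ForEach-Object { Write-Host "Mapping: $_" }

# -Add appends the values, so any mapping already on the account is preserved.
Set-ADUser -Identity 'jdoe' -Add @{ altSecurityIdentities = $mappings }   # placeholder account
```

Review the printed mapping strings against the certificate before running the Set-ADUser line, since a mistyped issuer or serial value simply fails to match and the account falls back to whatever weak mapping remains.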

The Transition Phases

The transition proceeds in phases: installing the May 10, 2022, updates places domain controllers in Compatibility mode, and Microsoft plans to move everything to Full Enforcement by February 2025. Until then, administrators can remain in Compatibility mode but need to watch for the audit events that signal problems with certificate mappings.

Troubleshooting and Registry Keys

The update provides guidance on some common troubleshooting scenarios. For instance:
  • If sign-in issues arise after installing the security updates, administrators should consult the Kerberos Operational log to identify the failing domain controllers and correct any certificate mapping discrepancies.
  • Specific registry keys switch the KDC between Disabled, Compatibility and Full Enforcement modes, though Disabled mode is discouraged and is no longer available as of April 11, 2023.
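The following PowerShell is an added example (not from the KB article or the post) for checking a domain controller's current KDC mode and listing recent Event ID 39 and 41 entries. It assumes it runs elevated on a domain controller, and that the KDC writes these events to the System log under the Microsoft-Windows-Kerberos-Key-Distribution-Center provider.

```powershell
# Added example: report the KDC certificate-binding mode and recent weak-mapping events.
# Assumptions: run elevated on a DC; events are read from the System log under the KDC provider.
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$modes  = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'Full Enforcement' }

function Get-KdcBindingMode {
    # StrongCertificateBindingEnforcement is the REG_DWORD that selects the KDC mode.
    $value = (Get-ItemProperty -Path $kdcKey -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
    if ($null -eq $value) { return 'Not set (built-in default for this update level applies)' }
    if ($modes.ContainsKey([int]$value)) { return $modes[[int]$value] }
    return "Unknown value ($value)"
}

function Get-WeakMappingEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Keep only the first line of each message so the table stays readable.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Write-Host ("KDC StrongCertificateBindingEnforcement mode: " + (Get-KdcBindingMode))
$events = Get-WeakMappingEvents -Days 7
if (-not $events) { Write-Host 'No Event ID 39/41 entries in the last 7 days.' }
else { $events | Format-Table -AutoSize }
```

Run it on every domain controller rather than one, since each DC logs only the authentication attempts it handled.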

Conclusions and Broader Implications

These updates underscore Microsoft’s commitment to enhancing security within its server environments. However, they also impose a responsibility on system administrators to navigate these changes carefully, ensuring proper implementation to avoid disruptions. The move towards more robust authentication schemes demonstrates a proactive stance against evolving cybersecurity threats.
Ultimately, if your organization relies on Windows domain controllers, addressing these certificate-based authentication changes should not be a tick-box exercise but a structured reinforcement of your cybersecurity framework. Discussion and knowledge sharing among peers will be key in adapting to these changes, and the community at WindowsForum.com is an excellent place to begin that dialogue.
Source: Microsoft Announcements, "Key dates updated for Certificate-based authentication changes on Windows domain controllers"