How to Handle Microsoft’s Strong Certificate Mapping for Smart Cards?

Asked By CuriousCat92 On

I'm looking for advice on managing Microsoft's enforcement of strong certificate mapping for smart cards, as it will be included in the next patch. Our PKI team uses Entrust for certificate issuance, and since our certificates are stored in an LDAP that's not Active Directory, we can't implement SID stamping directly from the AD accounts. Additionally, we operate on 2016 Domain Controllers, limiting our use of GPO tuples for strong name-based mapping.

Compounding the issue, users can self-renew their smart card certificates on any day, leading to a high volume of newly issued and renewed certificates. To track this, I've been using Splunk to monitor event code 39 and have manually mapped the AltSecurityIdentities attribute to their respective AD accounts based on the logs from the past month.

I need to set up a synchronization process that will connect to LDAP-A, detect newly issued certificates, and automatically update the corresponding attributes in LDAP-B (AD), specifically the altSecurityIdentities.

Is anyone else navigating this challenge successfully using PowerShell or Python? I'm not a coder at all, so I'm starting to feel overwhelmed.
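
The sync step the question describes (compute the strong mapping value for each newly issued certificate and append it to the account's altSecurityIdentities), as an added example that is not part of the original post. It assumes the LDAP-A record supplies the issuer DN and serial number; the LDAP-A query and the AD write are left out, and the CA name, account and serials are constructed placeholders.

```python
import re
# Added example (not from the thread). LDAP-A query and AD write are omitted; data below is constructed.

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (e.g. 'CN=Smith\\, J')."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            parts.append(cur.strip()); cur = ""
            continue
        esc = (ch == "\\") and not esc
        cur += ch
    parts.append(cur.strip())
    return [p for p in parts if p]

def issuer_serial_mapping(issuer_dn, serial_hex):
    """X509:<I>issuer<SR>serial: issuer DN in reverse RDN order joined by ','
    with no spaces, serial number written with its byte order reversed."""
    issuer = ",".join(reversed(split_rdns(issuer_dn)))
    h = re.sub(r"[^0-9A-Fa-f]", "", serial_hex)      # accept '12 00 ac ...' or '1200AC...'
    h = h.zfill(len(h) + len(h) % 2)                  # pad to whole bytes
    return f"X509:<I>{issuer}<SR>{bytes.fromhex(h)[::-1].hex().upper()}"

def is_strong(value):
    """<SKI>, <SHA1-PUKEY> and <I>...<SR> are strong; <S>, <I>...<S>, <RFC822> are not."""
    return re.match(r"^X509:(<SKI>|<SHA1-PUKEY>|<I>[^<]*<SR>)[0-9A-Fa-f]+$", value) is not None

def plan_updates(issued, existing):
    """issued: records from LDAP-A; existing: account -> current AD values.
    Returns account -> values to append. altSecurityIdentities is multi-valued,
    so a renewed card's mapping is added next to the old one, not written over it."""
    plan = {}
    for rec in issued:
        value = issuer_serial_mapping(rec["issuer"], rec["serial"])
        if value not in existing.get(rec["account"], []):
            plan.setdefault(rec["account"], []).append(value)
    return plan

# Constructed sample data (placeholder CA name, account and serials, not real values).
ISSUER = "CN=EXAMPLE-ISSUING-CA, DC=example, DC=com"
ISSUED = [{"account": "jsmith", "issuer": ISSUER, "serial": "12 00 00 00 00 ac 11 00 00 00 00 2b"},
          {"account": "jsmith", "issuer": ISSUER, "serial": "1200000000AC1100000000A7"}]
EXISTING = {"jsmith": ["X509:<I>DC=com,DC=example,CN=EXAMPLE-ISSUING-CA<SR>2B0000000011AC0000000012",
                       "X509:<I>DC=com,DC=example,CN=EXAMPLE-ISSUING-CA<S>CN=jsmith"]}

if __name__ == "__main__":
    for acct, vals in EXISTING.items():               # audit what was mapped by hand so far
        for v in vals:
            print(acct, "strong" if is_strong(v) else "weak", v)
    print(plan_updates(ISSUED, EXISTING))             # only the renewed card needs a new value
```

Running is_strong over the values already written by hand finds accounts still on weak mappings before enforcement switches on, and appending rather than replacing keeps the previous card working until it expires.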

2 Answers

Answered By SysAdminHero42 On

I totally get your pain. I’ve been doing the most secure method for a while now, so this enforcement didn't affect me much. If you’re using ADCS, new certificates automatically go into the userCertificates attribute, making them pretty easy to access directly from there. Just stick to what you've been doing and keep an eye out for how this update plays out; you should be fine! You might want to write a script to automate some of your current manual checks, though.

Answered By ModernTechGuru77 On

One big suggestion: ditch using NPS as your RADIUS solution. It’s outdated and not really the best for new device support anymore. There are modern alternatives out there that would do a better job. Just a thought!

TechSavvy56 -

But seriously, what does that have to do with the specific issue OP is facing? We’re not in a position to overhaul everything right now.

OldSchoolAdmin99 -

Just saying, NPS is still a viable solution and is being maintained! Probably not the best timing for a huge change.
