Important update for all using certificates for SingleSign-on
Introduction
Do you use certificate-based authentication (CBA), for example to validate intranet or file/print servers? Then you need to read on!
As we mentioned in January [link], Microsoft has been working on a number of initiatives to make the use of certificates via the Active Directory Kerberos Key Distribution Center (KDC) even more secure. One of these initiatives is that client certificates must include a user security identifier (SID). This change, also referred to as “strong mapping”, will take effect with Microsoft’s Windows update after 10 September 2025.
Certificates that do not contain an SID will no longer be validated. Users with old certificates will lose access to Wi-Fi, VPN, and intranet resources via Kerberos SSO.
In this blog post, we describe how you can check whether your solution is ready for 10 September 2025. We also explain how to implement the update in Intune, Jamf, MobileIron, and Workspace ONE. Remember, it can take a long time to update all client certificates. We strongly recommend that you start updating your systems now. The work is likely to involve several departments:
- Network & Security
- Active Directory / Identity team
- Endpoint / Client management
If you have any questions or need assistance, you are always welcome to write to us at [email protected].
How to check if you are affected
- Log in to your domain controller with administrator rights.
- If the “System” event log contains ID 39, 41, 40, 48, or 49, you will be affected by the strong mapping requirement.
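As an added example (not part of the original post), this PowerShell snippet counts the KDC event IDs listed above on a domain controller and shows the latest message for each, so the AD and PKI teams can see which accounts and certificates are still unmapped. It assumes it is run with administrator rights on each domain controller; the seven-day window is an assumption.

```powershell
# Added example, not from the original post: measure how many strong-mapping
# warnings the KDC has logged on this domain controller in the last 7 days.
$KdcEventIds = 39, 40, 41, 48, 49   # the event IDs named in the post

$events = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = $KdcEventIds
        StartTime = (Get-Date).AddDays(-7)   # assumption: a week is a useful sample
    } -ErrorAction SilentlyContinue |
    # Keep only events written by the Kerberos KDC provider
    Where-Object { $_.ProviderName -like '*Kerberos-Key-Distribution-Center*' }

# How many of each event ID: a quick measure of how much of the fleet is affected
$events | Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# The message text identifies the account and certificate involved; keep the
# most recent message per event ID as a sample for the AD/PKI team
$events | Group-Object Id | ForEach-Object {
    "--- Event $($_.Name), latest occurrence ---"
    $_.Group | Sort-Object TimeCreated -Descending |
        Select-Object -First 1 -ExpandProperty Message
}
```

A count of zero on every domain controller over the sample period is the result you want to see before 10 September.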
What happens if you are not ready?
From 10 September 2025, all authentication attempts using certificates without a valid SID will be rejected by Domain Controllers. Wi-Fi, VPN, login, and access to intranet resources via Kerberos SSO will fail for users and devices with old certificates lacking an SID.
All platforms that use Kerberos for SSO will be affected: Windows, Mac, iOS, and Android.
What should I do now?
We recommend implementing strong mapping in the following steps:
- Update the SID in your MDM solution.
- Test the solution by using the new certificate from a new device.
- Distribute the new certificate to your devices.
- Ensure the profile has been deployed to all devices well before 10 September.
Below you will find instructions for updating the SID in the most widely used MDM platforms (Intune, Jamf, Workspace ONE, and Ivanti/MobileIron).
Microsoft Intune
You need to add a new URI tag to the Subject Alternative Name (SAN) in your SCEP profile(s):
- Open the Intune Admin portal.
- Go to Devices → Configuration.
- Find all “SCEP certificate” policies. There may be several for different platforms, but only edit the profiles for users, not devices.
- Update the SCEP profiles by adding a new attribute under Subject Alternative Name (SAN):
– Attribute type: URI
– Value: {{OnPremisesSecurityIdentifier}}
- Devices will then need to renew their certificates (for example, by making a change to the SSO profile using the certificate).
Further details: see the article [Implementing Strong Mapping in Microsoft Intune]
Jamf Pro
For both Computers and Devices:
- Open the Jamf Pro portal.
- Go to Settings → Device Management → Inventory Collection and ensure “Collect user and location information from Directory Service” is enabled.
- Go to Settings → Computer Management → Extension Attributes.
- Create an extension attribute (e.g., OnPremisesSecurityIdentifier) with the following values:
– Data type = String
– Inventory display = User and location
– Input type = Directory service attribute mapping
– If using Entra ID: Directory service attribute = OnPremisesSecurityIdentifier
– If using classic AD: Directory service attribute = ObjectSID
- Find the directory service attribute variable for the extension attribute you just created (e.g., $EXTENSIONATTRIBUTE_4822).
- The field will update for devices when Jamf Pro runs the next inventory update for the device.
- Go to Configuration Profiles and select the profiles used for Kerberos SSO.
In each profile:
– Go to either SCEP or Certificate payload.
– Go to Subject Alternative Name Value.
– Add a SAN URI TYPE with SAN NAME:
tag:microsoft.com,2022-09-14:sid:$EXTENSIONATTRIBUTE_#
(replace # with the number from the variable you found in step 5, e.g. 4822 for $EXTENSIONATTRIBUTE_4822)
Further details: [Supporting Microsoft Active Directory Strong Certificate Mapping Requirements]
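As an added example (not from the original post or from any of the MDM vendors), this PowerShell audit checks whether the certificates in a Windows user's personal store carry the SID URI in the tag format shown above, and whether that SID matches the logged-on user. The function name `Test-StrongMappingSan` and the assumption that the SID is an on-prem domain SID (S-1-5-21-...) are mine; run it on a client after the renewed certificate has been delivered.

```powershell
# Added example, not from the original post: verify that a renewed client
# certificate contains the strong-mapping SID URI in its Subject Alternative Name.
$SidTagPrefix = 'tag:microsoft.com,2022-09-14:sid:'

function Test-StrongMappingSan {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # OID 2.5.29.17 is the Subject Alternative Name extension
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sid = $null
    if ($san) {
        # Format($true) renders one SAN entry per line; URI entries appear as "URL=..."
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            # Assumption: an on-prem AD user SID, i.e. S-1-5-21-<domain>-<RID>
            if ($line -match "URL=$([regex]::Escape($SidTagPrefix))(S-1-5-21(?:-\d+)+)\s*$") {
                $sid = $Matches[1]
                break
            }
        }
    }
    [pscustomobject]@{
        Thumbprint   = $Certificate.Thumbprint
        Subject      = $Certificate.Subject
        Sid          = $sid
        StrongMapped = [bool]$sid
    }
}

# Compare against the logged-on user's SID so a certificate issued for a
# different account is also reported, not only a missing SID
$currentUserSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        $result = Test-StrongMappingSan -Certificate $_
        $result | Add-Member -NotePropertyName MatchesCurrentUser `
                             -NotePropertyValue ($result.Sid -eq $currentUserSid) -PassThru
    } |
    Format-Table Thumbprint, StrongMapped, MatchesCurrentUser, Sid, Subject -AutoSize
```

Any certificate used for Kerberos SSO that shows StrongMapped = False or MatchesCurrentUser = False still needs to be renewed from the updated profile.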
MobileIron
This guide covers the MobileIron on-prem product. If you are using MobileIron Cloud (Ivanti Neurons for UEM), please contact us for assistance.
- Open the Admin portal.
- Go to Policies & Configs → Configurations.
- Select the Certificate Enrollment profile that issues certificates from your PKI and is used for Kerberos SSO.
- Enable Microsoft User Security Identifier in the profile.
- Devices will then need to renew their certificates (for example, by making a change to the SSO profile using the certificate).
Further details: [Impact of KB5014754 on MobileIron Core]
Workspace ONE
Workspace ONE offers different solutions. The general approach is:
- Open the Admin portal.
- Go to All Settings → System → Enterprise Integration → Certificate Authorities → Request Templates.
- For each template used for certificates for AD validation, enable Include Security Identifier (SID). Save the updated template.
- Devices will then need to renew their certificates (for example, by re-pushing the profile(s) containing the Kerberos SSO configuration).
Further details: [Changes in Certificate Management in UEM for Microsoft]
Note: There are different solutions depending on whether you are using ADCS or SCEP/NDES. Also, only the latest versions of Workspace ONE support the SID extension with SCEP.
XenMobile
According to Citrix, support for SIDs will be available in XenMobile 10.16 RP 6, expected at the end of August 2025.
About the author

Yusuf Celik
Yusuf Celik, Systems Engineer, Endpoint at Conscia