Kerberos Distribution Center - Certificate mapping weak security

2 users found this article helpful

Symptoms

On the Microsoft Windows domain controller(s), the following event is logged as a warning or error when Awingu is configured to enable single sign-on (SSO):

Event ID 39 - Source: Kerberos-Key-Distribution-Center
The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping.

Cause

When SSO is enabled, Awingu generates a certificate for each user to authenticate to the domain-joined Windows machines.

However, Microsoft has rolled out an update on May 10, 2022 for Microsoft Windows Server (KB5014754: Certificate-based authentication changes on Windows domain controllers) which requires a stricter and more secure implementation for certificate-based authentication.

After installing, the servers will act in "compatibility" mode. the log entries will start to appear in the Windows Event Viewer when a user tries to authenticate against the Microsoft Windows Domain Controllers. There is no functional consequence.

As of May 9, 2023; Microsoft will change the mode to "Full enforcement". From this point onwards or when the setting has already been adjusted to fully enforce this security measure at an earlier time, single sign-on will fail.

More info: Microsoft documentation on KB5014754

Resolution

This problem has been addressed from version 5.4 onwards.

 

Was this article helpful?

Tell us how we can improve it.