We have a further update on our solution to this issue –
The changes being made by Microsoft will impact many of Intercede's customers, so our solution will be designed to be applicable with the minimum of change to existing MyID deployments and across multiple versions of MyID. It is also imperative that the solution does not require re-issuance of existing certificates, because of the logistical impact this would create for our customers.
Microsoft have advised that administrators can manually map certificates to a user in Active Directory using the altSecurityIdentities attribute of the user's object, and have recommended that the X509IssuerSerialNumber value of the certificate used for authentication is considered a strong mapping.
The Intercede solution will:
- Scan the MyID database for issued certificates that have not yet been processed. The scan can be filtered for specific certificate policies.
- For certificates that match the criteria:
  - Parse the certificate data (PKCS#7)
  - Check it has not expired, and determine whether it includes the Windows authentication OID and has a UPN in the Subject Alternative Name
  - For certificates that pass this test, update Active Directory to add the altSecurityIdentities attribute with the X509IssuerSerialNumber value in the format identified by Microsoft, using the UPN to match the user account
  - Mark the certificate as ‘processed’ in the MyID database
The solution can be run on a schedule, with the intention that the schedule is set by a system administrator as required. By running this utility often, any new certificate issuances will automatically be processed. It will not be required to run on a MyID server either, as in some cases it is not possible to access Active Directory directly from the MyID environment. The server that does run this solution will need access to both the MyID database and Active Directory. The solution will be designed to work with MyID v10.8 or later and is expected to be available in October 2022.
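The per-certificate checks described in the plan above, as an added example that is not Intercede's or Microsoft's code. It uses the Python `cryptography` package and builds its own self-signed test certificates in place of certificates issued through MyID; the database rows and the Active Directory write are represented by plain Python data so the logic runs offline. The accepted EKUs (Smart Card Logon and Client Authentication), the decision to flag every scanned certificate as processed whether or not it was mapped, and the altSecurityIdentities layout (issuer in ASN.1 RDN order, serial number in reversed byte order, as in Microsoft's published example) are assumptions of this example.

```python
# Added example (not Intercede's or Microsoft's code): certificate checks and
# altSecurityIdentities value generation for the scheduled mapping utility.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, pkcs7
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")          # UPN otherName in the SAN
SMARTCARD_LOGON = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")  # Smart Card Logon EKU
# Assumption: either of these EKUs counts as "Windows authentication".
WINDOWS_AUTH_EKUS = {SMARTCARD_LOGON, ExtendedKeyUsageOID.CLIENT_AUTH}


def load_certificates(blob):
    """MyID stores issued certificates as PKCS#7; accept that or a bare DER certificate."""
    try:
        return pkcs7.load_der_pkcs7_certificates(blob)
    except ValueError:
        return [x509.load_der_x509_certificate(blob)]


def _decode_der_utf8(der):
    """Decode the DER UTF8String inside the UPN otherName (short and long length forms)."""
    if not der or der[0] != 0x0C:
        raise ValueError("UPN otherName is not a UTF8String")
    length, start = der[1], 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length, start = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return der[start:start + length].decode("utf-8")


def extract_upn(cert):
    """Return the UPN from the Subject Alternative Name, or None if there is none."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:
            return _decode_der_utf8(other.value)
    return None


def has_windows_auth_eku(cert):
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return any(oid in WINDOWS_AUTH_EKUS for oid in eku)


def issuer_serial_mapping(cert):
    """altSecurityIdentities value in the X509IssuerSerialNumber form. The issuer is written
    in ASN.1 RDN order (the reverse of the usual LDAP display order) and the serial number in
    reversed byte order, e.g. X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B"""
    issuer = ",".join(rdn.rfc4514_string() for rdn in cert.issuer.rdns)
    serial = cert.serial_number
    serial_bytes = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    return f"X509:<I>{issuer}<SR>{serial_bytes[::-1].hex().upper()}"


def evaluate(cert, now=None):
    """Apply the plan's checks in order: not expired, Windows auth EKU present, UPN present."""
    now = now or datetime.now(timezone.utc)
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    if not_after <= now:
        return {"eligible": False, "reason": "expired"}
    if not has_windows_auth_eku(cert):
        return {"eligible": False, "reason": "no Windows authentication EKU"}
    upn = extract_upn(cert)
    if upn is None:
        return {"eligible": False, "reason": "no UPN in SAN"}
    return {"eligible": True, "reason": "ok", "upn": upn, "mapping": issuer_serial_mapping(cert)}


def as_db_row(row_id, cert, processed=False):
    """Constructed stand-in for a MyID database record holding the certificate blob."""
    return {"id": row_id, "pkcs7": cert.public_bytes(Encoding.DER), "processed": processed}


def process_batch(rows, now=None):
    """Returns (AD updates as (upn, altSecurityIdentities value) pairs, row ids to flag as processed).
    Assumption: every scanned row is flagged, so failed certificates are not re-examined on each run."""
    updates, processed = [], []
    for row in rows:
        if row["processed"]:
            continue
        for cert in load_certificates(row["pkcs7"]):
            verdict = evaluate(cert, now)
            if verdict["eligible"]:
                updates.append((verdict["upn"], verdict["mapping"]))
        processed.append(row["id"])
    return updates, processed


def make_test_certificate(upn, serial, with_logon_eku=True, days_valid=365):
    """Constructed self-signed certificate with a UPN SAN, standing in for one issued through MyID."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "com"),
                        x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "contoso"),
                        x509.NameAttribute(NameOID.COMMON_NAME, "CONTOSO-DC-CA")])
    now = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC for older cryptography releases
    upn_der = bytes([0x0C, len(upn.encode())]) + upn.encode()  # DER UTF8String, short-form length
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn)]))
               .issuer_name(issuer).public_key(key.public_key()).serial_number(serial)
               .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=days_valid))
               .add_extension(x509.SubjectAlternativeName([x509.OtherName(UPN_OID, upn_der)]), critical=False))
    if with_logon_eku:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([SMARTCARD_LOGON, ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
    return builder.sign(key, hashes.SHA256())
```

The issuer reversal is the part most often got wrong by hand: the usual LDAP string for this CA is `CN=CONTOSO-DC-CA,DC=contoso,DC=com`, but the mapping wants `DC=com,DC=contoso,CN=CONTOSO-DC-CA`, and the serial number bytes are likewise reversed relative to how the certificate viewer shows them. A real run would replace `as_db_row` with the MyID database query and write each `(upn, mapping)` pair to the matching user's altSecurityIdentities attribute.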
What about adding the required attribute (SID) to new certificate issuances?
We understand that this is a recommended approach to overcoming the issue, but it has significant drawbacks:
- Changes are required to MyID to import the user SID from Active Directory (or support its addition via APIs/UI) and also to incorporate the information into certificate requests sent from MyID to the certificate authority. These changes may impact each customer in a different way, due to differing business process and integration requirements – for example, not all installations of MyID have access to Active Directory, and many have user data populated through APIs driven by in-house systems, or by direct input from operators.
- The changes would also need to be supported by all certificate authorities used by affected customers.
- Reissuance of certificates would be required to replace existing certificates – causing major logistical problems for our customers and impacting each end user with certificates for Windows authentication.
For the reasons above, we are focusing on a ‘one size fits all’ solution which minimizes impact. We will consider changes to future product versions to incorporate the SID as a core attribute and enable support in our PKI connectors.