Further to the notification above, our solution is now available for customers to use. This can be requested through Intercede support or your Intercede account manager.
In addition to the behaviour described in the earlier update, the utility can also generate PowerShell scripts that can be executed separately against an Active Directory that is not directly reachable from the MyID server.
We have a further update on our solution to this issue:
The changes being made by Microsoft will impact many of Intercede's customers, so our solution will be designed to apply with the minimum of change to existing MyID deployments and across multiple versions of MyID. It is also imperative that the solution does not require re-issuance of existing certificates, because of the logistical impact this would create for our customers.
Microsoft have advised that administrators can manually map certificates to a user in Active Directory using the altSecurityIdentities attribute of the user's object, and have recommended that the X509IssuerSerialNumber value of the certificate used for authentication is considered a strong mapping.
The Intercede solution will:
Scan the MyID database for issued certificates that have not yet been processed. The scan can be filtered for specific certificate policies.
For certificates that match the criteria:
Parse the certificate data (PKCS#7).
Check that it has not expired, and determine whether it includes the Windows authentication OID and has a UPN in the Subject Alternative Name.
For certificates that pass this test, update Active Directory to add the altSecurityIdentities attribute with the X509IssuerSerialNumber value in the format identified by Microsoft, using the UPN to match the user account.
Mark the certificate as ‘processed’ in the MyID database.
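As an added illustration that is not Intercede's utility or its code, the following PowerShell applies the checks and the altSecurityIdentities update above to a single certificate. It assumes the issued certificate has been exported to a file, that the "Windows authentication OID" is the Smart Card Logon EKU, that the ActiveDirectory module is available, and it calls Set-ADUser with -WhatIf so nothing is written until that switch is removed.

```powershell
# Added illustration, not Intercede's utility: apply the checks above to one certificate
# and build the strong altSecurityIdentities value. Assumptions: the issued certificate
# has been exported to a DER/PEM file; the Windows authentication OID is the standard
# Smart Card Logon EKU; Set-ADUser is called with -WhatIf so nothing is written to AD.
param([Parameter(Mandatory)][string] $CertPath)

Import-Module ActiveDirectory
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Windows authentication (Smart Card Logon)

function ConvertTo-IssuerSerialMapping {
    # Builds "X509:<I>issuer<SR>serial" in Microsoft's documented format: issuer RDNs in
    # reverse order with no spaces, serial number as byte-reversed hex.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    # $Cert.Issuer is "CN=CONTOSO-DC-CA, DC=contoso, DC=com"; split on ", " only where an
    # attribute type follows, so an RDN value that itself contains ", " stays intact.
    $rdns = @($Cert.Issuer -split ', (?=[A-Za-z]+=)')
    [array]::Reverse($rdns)

    # $Cert.SerialNumber is big-endian hex (as certutil displays it); reverse the byte pairs.
    $hex   = $Cert.SerialNumber
    $pairs = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($pairs)

    return "X509:<I>$($rdns -join ',')<SR>$(-join $pairs)"
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Check: not expired
if ($cert.NotAfter -le (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }

# Check: includes the Windows authentication EKU
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SmartCardLogonEku })) {
    throw "Certificate $($cert.Thumbprint) has no Smart Card Logon EKU"
}

# Check: has a UPN in the Subject Alternative Name (GetNameInfo reads the SAN otherName UPN)
$upn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
if ([string]::IsNullOrEmpty($upn)) { throw "Certificate $($cert.Thumbprint) has no UPN in its SAN" }

# Match the user account by UPN and add the mapping unless it is already present
$mapping = ConvertTo-IssuerSerialMapping -Cert $cert
$user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties altSecurityIdentities
if (-not $user) { throw "No Active Directory user with UPN $upn" }
if ($user.altSecurityIdentities -notcontains $mapping) {
    Set-ADUser -Identity $user -Add @{ altSecurityIdentities = $mapping } -WhatIf   # drop -WhatIf to apply
}
"$upn -> $mapping"
```

Marking the certificate as processed in the MyID database is left out because the MyID schema is not described on this page.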
The solution will be able to run on a schedule, with the intention that the schedule can be set by a system administrator as required. By running this utility often, any new certificate issuances will be processed automatically. It will also not be required to run on a MyID server, as in some cases it is not possible to access Active Directory directly from the MyID environment. The server that runs this solution will need access to both the MyID database and Active Directory. The solution will be designed to work with MyID v10.8 or later and is expected to be available in October 2022.
What about adding the required attribute (SID) to new certificate issuances?
We understand that this is a recommended approach to overcoming the issue, but it has significant drawbacks:
Changes are required to MyID to import the user SID from Active Directory (or to support adding it via APIs/UI) and to incorporate that information into certificate requests sent from MyID to the certificate authority. These changes may impact each customer in a different way, due to differing business process and integration requirements – for example, not all installations of MyID have access to Active Directory, and many have user data populated through APIs driven by in-house systems, or by direct input from operators.
The changes would also need to be supported by all certificate authorities used by affected customers.
Reissuance of certificates would be required to replace existing certificates – causing major logistical problems for our customers and impacting each end user who holds certificates for Windows authentication.
For the reasons above, we are focusing on a ‘one size fits all’ solution which minimizes impact. We will consider changes to future product versions to incorporate the SID as a core attribute and enable support in our PKI connectors.
We would like to update you with further information about this issue. This has proven to be a very challenging problem for us to reproduce, and extensive testing has taken place against a range of MyID deployment configurations, including split application, web and database tiers, web tiers in DMZ configurations, and different combinations of Distributed Component Object Model (DCOM) configuration both with and without ‘DCOM hardening’ (KB500442) enabled.
Overall, we can be certain that many customers have applied these Windows Server updates without experiencing any problem. Two customers were affected, but both cases were resolved by reconfiguring DCOM settings on the MyID servers. In one case, the database server was affected but the other application server tiers were not.