Microsoft adoption of AD/DC strong certificate-based authentication (KB5014754) and its impact to Entrust Products

• For issuing new certificates that include the SID attribute, upgrade your Identity Enterprise product to the following patches:
  • Identity Enterprise R13.0 Server patch# 452877
  • Identity Enterprise R13.0 Self-Service Module patch# 452879

• For legacy certificates, go to TrustedCare > Related Products and download the “Legacy Certificate Remediation tool.” Follow the instructions to update Active Directory accounts with Microsoft recommended “strong attribute” (X509IssuerSerialNumber) value mapping.

Notes:

• Enhancement patches have not been implemented for earlier IdentityGuard end-of-support product releases
• The Legacy Certificate Remediation tool and procedures should be used for legacy certificates issued without the OID/SID attribute

• For issuing new certificates that include the SID attribute, no product update is needed. The SID extension in certificates is supported through Cert Type variables, but the value should be supplied as DER encoded. Alternatively, upgrade to Entrust Security Manager 10.0.30 (recommended) that helps supplying the SID value in clear text using the Entrust Security Manager Administration.
• For legacy certificates, go to TrustedCare > Related Products and download the “Entrust PKI altSecurityIdentities Mapping Tool.” Follow the instructions to update Active Directory accounts with the recommended “strong” attribute (X509IssuerSerialNumber) value mapping. We recommend running the mapping tool periodically (e.g., daily with log events filter range set to the last 24 hours) to capture the list of users who authenticate with certificates without the SID extension or strong authentication mapping in AD.

• Upgrade to Entrust Security Manager Administration 10.0.30 (recommended) which allows entering SID value in clear text. If you’re using previous versions of Entrust Security Manager Administration 10.0.x, you must enter the SID value in DER encoded format.

• Upgrade to Entrust Administration Services 10.2.1 (recommended) for CSR-ES and WNES to support including SID in the CSR.
• UMS and URS will prompt for SID if the Cert Type variable is used. The Entrust Administration Services 10.2.1 patch will accept the SID value in plain text and encode it appropriately.
• MDMWS will accept the SID value if clients send the value as part of the request in encoded format.
• MDM-SCEP will accept the SID value if SCEP clients send the value as part of the request.
• CSR-SCEP will accept the SID value if SCEP clients send the value as part of the request.
• AES will retrieve the SID from AD and include it in the certificate.

• Upgrade to Entrust Certificate Enrollment Gateway 1.6.1 (recommended) for WSTEP to support including SID in the CSR.

• No corrective patches are available. Certificate Agent customers who want to have SIDs automatically added to certificates during enrollment or renewal must use AS-AES. AS-AES is the Certificate Agent administrative service that handles retrieving the user’s SID from Active Directory and passing it to Entrust Security Manager for inclusion in the requested certificate.

• No corrective patches are available. Certificate Agent customers who want to have SIDs automatically added to certificates during enrollment or renewal must use AS-AES. AS-AES is the Certificate Agent administrative service that handles retrieving the user’s SID from Active Directory and passing it to Entrust Security Manager for inclusion in the requested certificate.

• No corrective patches are available. Go to TrustedCare > Related Products and download the “Entrust PKI altSecurityIdentities Mapping Tool.” Follow the instructions to update Active Directory accounts with the recommended “strong” attribute (X509IssuerSerialNumber) value mapping.

• Upgrade to DCMS 3.0 (recommended) which allows users to add the SID value.

• No product updates are needed. For other on-premises Entrust products, follow the appropriate product updates.

• No product updates are needed.