
Strong Certificate Mapping - Microsoft Registry Workaround to Use Compatibility Mode

Updated over 2 weeks ago

Description

Microsoft has decided to implement strong certificate mapping requirements to increase the security of certificates issued by Microsoft CAs. This can impact our client certificate deployment via SCEP or the ADCS Connector.

As of 11 February 2025, changes announced by Microsoft regarding the behavior of Active Directory Kerberos Key Distribution Centers (KDCs) on Windows Server 2008 or later will take effect. Domain controllers will operate in Full Enforcement mode when the February 2025 Windows security update is installed, and authentication will be denied if a certificate cannot be strongly mapped. However, Compatibility mode can still be used until 10 September 2025.

In this article, we are going to outline how to use Compatibility Mode for the short term.

Using Compatibility Mode

If we are not yet ready to make the Jamf Pro changes that allow strong certificate mapping to work, we can enable Compatibility Mode on the Microsoft Domain Controller hosting the NPS service by doing the following:

  1. On the domain controller running the NPS service, run regedit to open the Registry Editor.

  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc.

    • If there is no StrongCertificateBindingEnforcement value there already:

      1. Right-click on the Kdc folder.

      2. Select New.

      3. Select DWORD (32-bit) Value.

      4. Give it a name of StrongCertificateBindingEnforcement.

  3. Right-click the StrongCertificateBindingEnforcement value and select Modify.

    • Set the Value to 1.

    • Leave the Base set to Hexadecimal.

  4. Press OK and then close out Registry Editor.

  5. No restart is needed, and certificates that do not have strong certificate mapping will be allowed to authenticate until Microsoft's deadline in September 2025.
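The same change as steps 1 to 5, done from an elevated PowerShell session on the domain controller, plus a quick inventory check. This is an added example, not part of the original article or of Jamf's own tooling; the registry path and value name are the ones given in the steps above, and the value meaning (1 = Compatibility mode, 2 = Full Enforcement) follows Microsoft's documentation for this key. The final query reads Event ID 39 from the Kerberos-Key-Distribution-Center provider, which the KDC logs in Compatibility mode for certificates that authenticated but could not be strongly mapped; the `$LookbackDays` window is an assumption you can adjust.

```powershell
# Added example (not from the original article): put the KDC into Compatibility mode
# (StrongCertificateBindingEnforcement = 1) and verify, then list certificates the KDC
# has accepted without a strong mapping so they can be fixed before the September deadline.
# Run in an elevated PowerShell session on the domain controller.

$KdcKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName    = 'StrongCertificateBindingEnforcement'
$Compat       = 1      # 1 = Compatibility mode (what the article sets); 2 = Full Enforcement
$LookbackDays = 7      # assumption: how far back to search the System log

# Read the current value; $null means the value does not exist yet (the branch in step 2).
$current = (Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

if ($null -eq $current) {
    Write-Host "$ValueName not present; creating DWORD with value $Compat."
    New-ItemProperty -Path $KdcKey -Name $ValueName -PropertyType DWord -Value $Compat | Out-Null
}
elseif ($current -ne $Compat) {
    Write-Host "$ValueName is $current; setting to $Compat."
    Set-ItemProperty -Path $KdcKey -Name $ValueName -Value $Compat
}
else {
    Write-Host "$ValueName already $Compat; nothing to change."
}

# Verify the write (step 4 in the article); no service restart is required.
$verify = (Get-ItemProperty -Path $KdcKey -Name $ValueName).$ValueName
if ($verify -ne $Compat) { throw "Unexpected value for ${ValueName}: $verify" }
Write-Host "OK: $ValueName = $verify (Compatibility mode)"

# Inventory: Event ID 39 records certificates that were valid but not strongly mapped.
# Each entry is a certificate that will be rejected once Full Enforcement is in effect.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 39
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}
$weak = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($weak) {
    Write-Host "$($weak.Count) weakly mapped certificate authentication(s) in the last $LookbackDays day(s):"
    $weak | Select-Object TimeCreated, Message | Format-List
}
else {
    Write-Host "No Event ID 39 entries in the last $LookbackDays day(s)."
}
```

The Event ID 39 list is the useful part for planning: every entry names a certificate that authenticates today only because of Compatibility mode, so it doubles as the work list for the Jamf Pro strong-mapping changes referenced in the note below.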

Note: We should stress that this workflow is only temporary, and we will want to implement Strong Certificate Mapping in Jamf Pro soon, following: Supporting Microsoft Active Directory Strong Certificate Mapping Requirements.
