Xca certificates no longer accepted - KDC February update.

[Tuteksik]

Hi,
I have such problem, I have NPS on windows 2022, It supports wifi connections in eap-tls wpa2-enerprise mode based on the certificates of a domain user these certs are created in XCA. The user has a cert set up as SAN=UPN with an RSA 2048 key generated and everything worked for me until last week. And now I'm getting an Event 6273 error Reason Code: 16 Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

On the event viewer I see in the system error ID 39 Kerberos-Key-Distribution-Center it says that certification is valid but cannot be mapped to user SID.
Do you know that error, how to fix this?

Thanks

[Tuteksik]

Hi,
I have added to 'X509v3 Subject Alternative Name' new line with OID 1.3.6.1.4.1.311.25.2 and domain user SID:

otherName:msUPN;UTF8:user@domain.local otherName:ms-ntds-sec-ext;UTF8:S-1-5-56-3494754337-388234544-429167765-1670

But certificates are still rejected from domain controller: event viewer error 39.
Could anyone help me reconfigure the certs to meet requirements with KB5014754 update?

[sebaeee]

I have the same problem, same topology, did you find the error?

[Tuteksik]

Unfortunately not, I learned that 1.3.6.1.4.1.311.25.2 is not an OtherName subtype - it is an extension type, and XCA doesn't support defining custom extensions.

It appears that XCA can no longer be used in the windows server environments, a pity because it is a very useful tool.

[chris2511]

XCA doesn't support defining custom extensions.

I don't think so.
I propose to

1. import a Microsoft NTDS AD objectSid enabled request
2. go to the extnsions tab, click "Show config"
3. Copy the `ms-ntds-obj-sid=DER:30......" line
4. Create a new certificate
5. go to the extensions tab, click "Edit"
6. Paste the line
7. Insert everything else for the certificate.

You could create an empty template and insert the line there and apply it for each certificate

Or you could use line 22 - 38 from https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/ in the "Edit" area of the "Advanced" tab, which is much more readable, especially when the sid must be modified:

1.3.6.1.4.1.311.25.2   = ASN1:SEQUENCE:NTDSCASecurityExt
subjectAltName         = @alt_names

[ alt_names ]
# Important value
DNS.1 = hostname123498.example.org
DNS.2 = hostname123498.subnet.example.org
# hardcoded text until the sid
URI.1 = tag:microsoft.com,2022-09-14;sid:S-1-5-21-2059058832-2300889872-1288252972-490382

[ NTDSCASecurityExt ]
# The EXPLICIT,0 is required to get the specific context which is displayed by asn1parse as: cont [ 0 ]
szOID_NTDS_OBJECTSID = EXPLICIT:0,OID:1.3.6.1.4.1.311.25.2.1
# Important value
key = EXPLICIT:0,OCTETSTRING:S-1-5-21-2059058832-2300889872-1288252972-490382

[Tuteksik]

Hi,

I have created new user cert, with:
X509v3 Subject Alternative Name: otherName:msUPN;UTF8:user131@domain.pl
Then in advance section on the edit page I added:

1.3.6.1.4.1.311.25.2   = ASN1:SEQUENCE:NTDSCASecurityExt
subjectAltName         = @alt_names

[ alt_names ]
# Important value
UPN = user131@domain.pl
# hardcoded text until the sid
URI.1 = tag:microsoft.com,2022-09-14;sid:S-1-5-21-3494754337-38824544-439167765-1670

[ NTDSCASecurityExt ]
# The EXPLICIT,0 is required to get the specific context which is displayed by asn1parse as: cont [ 0 ]
szOID_NTDS_OBJECTSID = EXPLICIT:0,OID:1.3.6.1.4.1.311.25.2.1
# Important value
key = EXPLICIT:0,OCTETSTRING:S-1-5-21-3494754337-38824544-439167765-1670

The result is that the new cert have 1.3.6.1.4.1.311.25.2.2 field, and during connection I have no more Kerberos-Key-Distribution-Center error 39.
But on NPS event viewer I have still denied connection event 6273 with reason 16 "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect"

[sebaeee]

How can I make this generate via a template in the CA? I can't find where to add the field 1.3.6.1.4.1.311.25.2 (szOID_NTDS_CA_SECURITY_EXT). Do I need to apply an update to the server?
The only way I’ve found to make it work so far is by adding the attribute altSecurityIdentities = X509N:CN=@domain.com to the AD User object, but I fear that at some point (September?) everything might break

[Tuteksik]

During a certificate creation when you fill everything, go to Advanced tab and hit at the bottom "Edit" and then paste this text from @chriss2511 post, just update with correct SID and DNS or UPN.
After you create the cert, open it and go to "Extensions" tab you should see now something like:
Microsoft NTDS CA Extension: 0=... +.....7....-.+S-1-5-21-3494754337-38824544-439167765-1670

[chris2511]

The "otherName" syntax is:

[ alt_names ]
otherName = msUPN;UTF8:user131@domain.pl 
URI = tag:microsoft.com,2022-09-14;sid:S-1-5-21-3494754337-38824544-439167765-1670

As long as there is only one URI, the .1 may be ommitted

[sebaeee]

I understand, this might work for manual certificate requests against a template, but I have a deployment of 15,000 certificates automatically deployed by AD + CA

[Tuteksik]

Now my certificate extension looks like"

X509v3 Subject Alternative Name:
othername: UPN::user131@domain.pl, URI:tag:microsoft.com,2022-09-14;sid:S-1-5-21-3494754337-38824544-439167765-1670

Still no success, WiFi clients cannot connect, I have the same NPS error 6273 Reason code 16.

[sebaeee]

In my case, I applied this to users who were getting error code 16, using PowerShell in Active Directory:

powershell
Set-ADUser -Identity $upn -Replace @{altSecurityIdentities=$newValue}
where $newValue is X509N:CN=UPN@domain.com in my case (it all depends on what code 39 Active Directory returns).

[Tuteksik]

My UPN is correct, this is the output from the user cmd:

c:\whoami /upn
user131@domain.pl

[Tuteksik]

Finally I found a solution and my wifi based on certificates are working again, this solution is for people who have only a small number of certificates, because they rely on manual mappings.

1. So NTDS extension is not needed, create standard certificate with x509v3 SubjectAlternativeName field.
   2.Double click created certificate, and copy the SHA1 Fingerprint.
   3.Remove all colons from this so we have something like eg: 49287274527FD912760F54381800CFC75B94F310
   4.On active directory assing in attribute 'altSecurityIdentities' manual mapping with this certificate fingerprint, lets say this certificate is for user: user01, so in powershell execute this command:
   set-aduser 'user01' -replace @{altSecurityIdentities="X509:<SHA1-PUKEY>49287274527FD912760F54381800CFC75B94F310"}
   5.You can choose other mapping not only certificate publickey, please read this (only strong mappings are recommended):
   https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
   6.Thats it, wifi conections are working again based on EAP-TLS, no KDC errors ;-)