IDManagement.gov is a collaboration between GSA and the Federal CIO Council. It is managed by the Identity Assurance and Trusted Access Division in the GSA Office of Government-wide Policy.
Description of Issue:
Upcoming changes to Microsoft AD will impact smart card authentication as it relates to PIV unique identifiers; our implementation guidance will need to be updated to account for exceptions to the use of "strong" identifiers.
Details of Issue:
This issue has been ongoing since the Microsoft vulnerability reports regarding spoofing of certificate-based authentication, as Windows does not perform full RFC 5280 path processing. CISA and other defense organizations have worked with Microsoft to develop a workaround that will maintain operability of PIV, including "weak identifiers", on the basis that the certificates are issued from trusted CAs. These workarounds include registry key modifications for the use of specific PIV issuers, OIDs and identifiers, and our implementation guidance needs to be updated to account for these changes.
References (Docs, Links, Files):
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
https://www.cisa.gov/guidance-applying-june-microsoft-patch-tuesday-update-cve-2022-26925
https://community.connect.gov/pages/viewpage.action?pageId=2471068012
Possible Solution
An internal Microsoft and Government whitepaper at the connect.gov link above includes the needed guidance on the new triple mapping to be used for weak altsecids (altSecurityIdentities) in AD.
Updates needed on this page: https://www.idmanagement.gov/implement/scl-windows/
If a New Page or Content is Needed, Expected Outcomes:
New content on:
system requirements for the upcoming Microsoft patches (Windows Server 2019 and above)
identification of the intended audience, including those that have been operating in compatibility mode since the June 2019 patches and those that use UPN or weak altsecids for user mappings
identification of strong identifiers, informing the population that migrating to these strong altsecids removes the need for any workaround
an explanation of the registry key workaround, with examples of the triple mapping registry keys
information for the audience on the USaccessSIP interfaces that facilitate user mappings
Link to the Content Page for Contributors:
https://github.com/GSA/idmanagement.gov/blob/0814-SCauth-Updates/_implement/scl-windows.md
@dproudGSA @rsherwood-gsa for awareness: the link to the MD page that will be edited is right above this tag.
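As an added example (not code from this issue, the idmanagement.gov page or Microsoft), the following PowerShell script shows the migration the list above asks for: it reads the KB5014754 enforcement mode on a domain controller, derives the strong X509IssuerSerialNumber and X509SKI altSecurityIdentities values from a PIV Authentication certificate, and adds them to the account so the weak UPN or subject-only mappings (and the registry workaround) are no longer needed. The certificate path, the account name and the simple comma split of the issuer DN are assumptions.

```powershell
# Added example, not part of the issue or the SCL Windows page. Assumes the
# ActiveDirectory module is installed and that the two parameters below are
# replaced with real values (both are placeholders).
param(
    [string]$CertPath = 'C:\temp\piv-auth.cer',   # placeholder: exported PIV Auth cert
    [string]$SamAccountName = 'jdoe'              # placeholder: account to map
)

# 1. KDC enforcement mode from KB5014754:
#    0 = disabled, 1 = compatibility (weak mappings still accepted, logged),
#    2 = full enforcement (only strong mappings or the SID extension work).
$kdc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
    -ErrorAction SilentlyContinue
$mode = $kdc.StrongCertificateBindingEnforcement
if ($null -eq $mode) { $mode = 'not set (defaults to compatibility)' }
"StrongCertificateBindingEnforcement = $mode"

# 2. Load the PIV Authentication certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# X509IssuerSerialNumber: issuer RDNs in reverse order, then the serial number
# in reversed byte order. GetSerialNumber() already returns little-endian bytes,
# so hex-encoding them yields the reversed form KB5014754 expects.
# Assumption: the issuer DN contains no escaped commas, so a plain split is safe.
$issuerRdns = $cert.Issuer -split ',\s*'
[array]::Reverse($issuerRdns)
$serialReversed = ($cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') }) -join ''
$issuerSerial = 'X509:<I>' + ($issuerRdns -join ',') + '<SR>' + $serialReversed

# X509SKI: hex value of the Subject Key Identifier extension (OID 2.5.29.14).
$skiExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
$ski = $null
if ($skiExt) {
    $skiTyped = [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]$skiExt
    $ski = 'X509:<SKI>' + $skiTyped.SubjectKeyIdentifier
}

# 3. Report whether the cert carries the SID extension introduced by KB5014754
#    (OID 1.3.6.1.4.1.311.25.2); certs issued before the CA was patched will not.
$hasSidExt = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' })
"Certificate SID extension present: $hasSidExt"

# 4. Add the strong mappings. Existing weak entries (UPN-style, <S> only, RFC822)
#    are left in place here; remove them once logon with the strong values is
#    verified, at which point no registry workaround is required for this user.
$mappings = @($issuerSerial)
if ($ski) { $mappings += $ski }
"Strong mappings to add:`n" + ($mappings -join "`n")
Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mappings }
```

Run it on a domain controller (or a host with RSAT) as an account allowed to edit the user object; Get-ADUser -Properties altSecurityIdentities confirms the result.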