In May 2022, a security update was introduced that changes the Active Directory Kerberos Key Distribution (KDC) behavior on Windows Server 2008 and later when validating certificates during certificate-based authentication. More details and information are provided on Microsoft’s support pages here: KB5014754—Certificate-based authentication changes on Windows domain controllers 

Timeline and phases 

The security update was made available on May 10, 2022, and its enforcement has been rolled out over three stages as follows:

  • May 10 2022: COMPATABILITY MODE: No impact on authentication with certificates issued pre update and still using legacy mapping, however it will begin to create audit events identify certificates that are not compatible with Full Enforcement mode
  • April 11 2023: Enablement PHASE: No impact on authentication with certificates issued pre update and still using legacy mapping, however, will ignore the Disabled mode registry key setting.
  • February 11 2025: Full Enforcement mode: If a certificate cannot be strongly mapped, authentication will be denied. Unless updated to this mode earlier, all devices will switch to Full Enforcement.

Always refer to Microsoft’s KB5014754 article for up to date and detailed timelines. We only provide a high-level summary based on the information at hand at the time of publishing. 

The impact

Nexus sees this as a significant impact for all customers who rely on certificate-based authentication against Microsoft Active Directory and Windows domain controllers.

Failure to act as instructed in Microsoft’s KB5014754 article may lead to disruptions in accessing services that rely on certificate-based authentication against the AD (Active Directory).

After evaluating and weighing up which Nexus use-case impacted and how, we encountered too many variables and factors to provide a blanket solution or assessment.

Therefore, we strongly recommend contacting Nexus to arrange a time to accurately assess and review the way forward based on your unique environment and the type of Nexus service that is used. Please use the contact form below and we will come back to you in timely manner with further recommendations.

We have compiled a short FAQ that can assist you in better assessing the scope and urgency of the impact on your organization and operations:

FAQ 

What Nexus Products and Solutions are affected by KB5014754 update?

All Nexus products or services that are used to create, manage, or distribute digital certificates for certificate-based authentication on servers that run Active Directory Certificate Services and Windows domain controllers, will be impacted.

I have just updated to the latest version of IDM/CM, do we still need to take action?

Yes, though our latest versions of CM (Certificate Manager) and IDM (Identity Manager) made provisions to accommodate for the MS update, it won’t be applied to previously issued user and device credentials created prior to the update. Please contact Nexus at your earliest convenience.

I use Nexus GO services, are the certificates provided compliant with this Microsoft update?

Yes, all our SaaS solutions have been updated and tested for this update. Due to the variable use cases, we still recommend you contact Nexus at your earliest convenience for an assessment.

Do I need to reissue or renew all my certificates after the update?

Though it is recommended by Microsoft, we understand that it is not always feasible nor reasonable to do so. We have solutions that automate the “manual strong mapping” process and recommend contacting Nexus at your earliest convenience.

What will happen after Full Enforcement mode is implemented on February 11, 2025?

By February 11, 2025, or later, all devices will be updated to Full Enforcement mode. In this mode, if a certificate fails the strong (secure) mapping criteria (see Certificate mappings), authentication will be denied.

Do I have to upgrade to the latest version of IDM/CM to be compliant?

Ideally yes, but we understand it is not always possible and will try and find the best way forward. Please contact Nexus at your earliest convenience.

Will Nexus charge for the consultation to assess our specific KB5014754 situation?

The initial conversation is a mutually beneficial exercise and Nexus will not bill for it. However, if there is a need to introduce a fix or workaround, the agreed Professional Services terms and fees will apply.

Will the update address my offline and online certificate templates?

The KB5014754 update will only add the new OID extension by default in certificates issued against online certificate templates.

Any offline certificate request will need manual configuration of strong mapping. For example, offline certificate requests are how all MDMs distribute certificates, such as with NDES and Intune. Please refer to the following Microsoft post with suggested workaround.

Nexus awareness advisory on Microsoft’s update KB5014754