Notes from the field: The Kerberos chronicles, the one with certificate-based authentication

If you’ve read my previous Kerberos chronicles blogs you see a trend with the Microsoft patches, hardening updates and with this one the upcoming strong mapping / full enforcement mode of certificate-based authentication. See the following article for explanation: KB5014754—Certificate-based authentication changes on Windows domain controllers – Microsoft Support

This one is going to have a big impact if left unchecked and doesn’t get the proper attention it needs.

An example is being described here: Certificate-Based Authentication Changes and Always On VPN | Richard M. Hicks Consulting, Inc. (

Some of the upcoming troubles also arise with VDI solutions like VMware Horizon with the integration of True SSO: The Impact of Microsoft Security Update (KB5014754) on Customers Utilizing Certificate-Based Authentication, Including Smart Cards (91595) (

And the same goes for Citrix Virtual Apps and Desktops with the integration of FAS: FAS: Information about Microsoft KB KB5014754/CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923 (

The current timeframe has switched from May 9 to November 14, or later (later… oh boy…)

Advisement is to look at your certificate-based authentication setup and refresh those certificates, you will want to have the new SID Object Identifier (OID) added before the enforcement mode is kicking in. Take a good look at those logs beforehand and after!

Some extra information:

Certificate Requirements and Enumeration | Microsoft Learn

Security identifiers | Microsoft Learn

Hope it helps!