Information – Update certificate connector: Strong mapping requirements for KB5014754 – NHSmail Intune

10/02/2025 17:22:00 PM

Strong mapping is required for all certificates deployed by Microsoft Intune and used for certificate-based authentication against the KDC.

Devices affected:

  • Windows
  • Android
  • iOS
  • macOS

More info: The Key Distribution Center (KDC) requires user or device objects to be strongly mapped to Active Directory for certificate-based authentication. This means that the certificate’s subject alternative name (SAN) must contain a security identifier (SID) extension that maps to the user or device SID in Active Directory. When a user or device authenticates with a certificate in Active Directory, the KDC checks for the SID to verify that the certificate is mapped and issued to the correct user or device. The mapping requirement protects against certificate spoofing and ensures that certificate-based authentication against the KDC continues working.
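As an added illustration (not part of the original notice, and not NHSmail or Microsoft tooling), the following Python example models the check described above over SAN entries that have already been dumped as text. It assumes the SAN URI tag format `tag:microsoft.com,2022-09-14:sid:<value>` from Microsoft's Intune documentation; the function names and all sample data are constructed.

```python
import re

# SAN URI tag Microsoft documents for Intune-issued certificates
# (from Microsoft's documentation, not from this notice).
SID_TAG = "tag:microsoft.com,2022-09-14:sid:"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$", re.I)
# Accept both openssl ("URI:...") and certutil ("URL=...") SAN renderings.
URI_RE = re.compile(r"^\s*UR[IL]\s*[:=]\s*(\S+)\s*$", re.I)


def check_mapping(san_entries, directory_sid):
    """Classify one certificate: ok, mismatch, malformed or missing."""
    for entry in san_entries:
        m = URI_RE.match(entry)
        if not m or not m.group(1).lower().startswith(SID_TAG):
            continue
        sid = m.group(1)[len(SID_TAG):]
        if not SID_RE.match(sid):
            return "malformed"  # e.g. a profile variable that never resolved
        return "ok" if sid.upper() == directory_sid.upper() else "mismatch"
    return "missing"  # no SID URI at all: not strongly mapped


def audit(inventory):
    """inventory maps a label to (SAN entries, SID recorded in the directory)."""
    return {name: check_mapping(san, sid) for name, (san, sid) in inventory.items()}


# Constructed sample data: hostnames, users and SIDs are made up.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = {
    "alice-laptop": (["DNS:alice-laptop.example.test",
                      "URI:" + SID_TAG + DOMAIN + "-1104"], DOMAIN + "-1104"),
    "bob-phone": (["email:bob@example.test"], DOMAIN + "-1105"),
    "carol-mac": (["URL=" + SID_TAG + DOMAIN + "-1104"], DOMAIN + "-1106"),
    "dave-tablet": (["URI:" + SID_TAG + "{{OnPremisesSecurityIdentifier}}"],
                    DOMAIN + "-1107"),
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name:13} {status}")
```

Certificates reported as `missing`, `malformed` or `mismatch` are the ones to reissue before relying on them for authentication against the KDC.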

Please consult the following article for more implementation steps. In case of any queries, please raise a ticket via the Helpdesk.
