Views:

Applies to Product – Dynamics 365 for Finance and Operations (on-premises)


What’s happening?
Customers are experiencing Certificate Warning 39 related to certificate-based authentication changes on Windows domain controllers, specifically in the context of using short-lived certificates issued by Azure AD for VPN authentication.


Reason:
The underlying cause of this is that end-users using short-lived certificates issued by Azure AD to perform certificate-based authentication for VPN generate this audit event on Domain Controllers because the certificates lack a strong (secure) mapping to the user. This lack of a strong mapping exposes an elevation of privilege vulnerability that can occur when the Kerberos Distribution Center (KDC) is servicing a certificate-based authentication request.


Resolution:

  1. Follow the steps outlined in KB5014754: Certificate-based authentication changes on Windows domain controllers - Microsoft Support.
  2. Manually map the certificate to a user for testing. This can be done via all the methods available in the altSecurityIdentities attribute as described in Microsoft Learn.
  3. Ensure that the user's SID from their on-premises Security Identifier is added to all short-lived certificates used for VPN.
  4. Verify that the new certificate properties are visible in production to prevent new Kerberos-Key-Distribution-Center events in the System event logs of the KDCs.
  5. If the issue persists, consider re-running the steps to create the certificate templates for the affected systems, which should ensure that the necessary certificate-based authentication is in place for future certificate rotations, allowing for the removal of the AD properties.
If further assistance is needed, please reach out to Microsoft Support.