In May 2022, a security update was introduced that changes the behavior of the Active Directory Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later versions when validating certificates during certificate-based authentication. However, there is an option to move back to Compatibility mode until September 2025.
Note |
---|
February 11, 2025: Full Enforcement mode: If a certificate cannot be strongly mapped, authentication will be denied. Unless updated to this mode earlier, all devices will switch to Full Enforcement. |
More details are provided on Microsoft’s support page: KB5014754—Certificate-based authentication changes on Windows domain controllers
Info |
---|
Nexus has published an awareness advisory to help customers and partners better understand the impact and the best way to address it. See https://www.nexusgroup.com/nexus-awareness-advisory-on-microsofts-update-kb5014754/ for further information. For more technical details, also see Map objectSid certificate for KB5014754. |