This article describes how to map an objectSid certificate for Microsoft Knowledge Base 5014754 (KB5014754) and how Active Directory users' objectSid attributes can be loaded to Smart ID Identity Manager, converted and used to issue new certificates with a strong mapping.

Do the following:

  1. In Identity Manager, add the objectSid attribute to the LDAP data pool. In the field list, select the data type Hexadecimal Text.

  2. Map the LDAP data pool field containing the objectSid to a normal text field in the user data pool.

  3. Create an additional field for the converted SID.

  4. Use a script to convert the hexadecimal representation to the original string value.

// This script can be executed when the user is created, so the representation we want is saved to the user object.
 
def sidHex = BaseDpEmployee_SIDHEX; // For example: '01050000000000051500000016C0EA326BD66204828BA628B40C0000'
 
def sid = ['S'].plus(Integer.parseInt(sidHex.substring(0,2),16)).plus(Integer.parseInt(sidHex.substring(4,16),16)).plus(sidHex.substring(16).split("(?<=\\G.{8})").collect { new BigInteger(it.split("(?<=\\G.{2})").reverse().join(),16) }).join('-')
 
BaseDpEmployee_SID = sid;
 
 
 
// Explanation:
// String sidRevision = Integer.parseInt(sidHex.substring(0, 2), 16)                // 01 = 1
// String ntAuthority = Integer.parseInt(sidHex.substring(4, 16), 16)               // 000000000005 = 5 (big-endian)
// String sidIdentifiers = sidHex.substring(16).split('(?<=\\G.{8})').collect {      // split into groups of 8 (4 bytes), reverse byte order within groups
//      new BigInteger(it.split('(?<=\\G.{2})').reverse().join(), 16)                // 15000000 16C0EA32 6BD66204 828BA628 B40C0000 = 21 854245398 73586283 682003330 3252 (little-endian)
// }.join('-')
// String sid = ['S'].plus(sidRevision).plus(ntAuthority).plus(sidIdentifiers).join('-') // start with S, add everything and join with dashes
 
// Result: S-1-5-21-854245398-73586283-682003330-3252

  1. Add the objectSID attribute to the certificate template. For more information, see Set up certificate template in Identity Manager.

  2. Verify the SID in the 1.3.6.1.4.1.311.25.2 attribute of the issued certificate.

For more information, see Nexus awareness advisory on Microsoft’s update KB5014754.