Splunk Lantern

Preparing for certificate-based authentication changes on Windows domain controllers

 

As an IT administrator, you are responsible for ensuring that users can authenticate with smart cards. Many sites currently map user certificates to Active Directory accounts using only the subject name or a user identifier such as the UPN or email address. Microsoft classifies these as weak mappings because they do not uniquely tie one certificate to one account.

Microsoft's certificate-based authentication hardening for domain controllers (KB5014754) is scheduled to move to Full Enforcement mode in February 2025. In that mode, a domain controller rejects a certificate logon if the certificate fails the strong mapping criteria, so affected users can no longer sign in. This can affect any user who authenticates to on-premises Microsoft services with a smart card. Customers in sectors that rely heavily on smart cards (for example, Department of Energy sites or emergency management agencies) may face this challenge at scale.

Microsoft's strong mapping types are X509IssuerSerialNumber, X509SKI and X509SHA1PublicKey (certificates that carry the SID extension also pass). Of these, X509IssuerSerialNumber is the easiest to populate from existing logs: the issuer name plus the certificate serial number identifies exactly one certificate, and both values are already recorded in the domain controller's event log. This article provides a shortcut to implement the X509IssuerSerialNumber mapping using the Splunk platform, Excel, and PowerShell. Because a renewed or reissued certificate gets a new serial number, the mapping must be refreshed whenever a user's certificate changes.

How to use Splunk software for this use case

To automate the mapping, use the Splunk platform to extract user names and certificate serial numbers from the domain controllers' event logs. A domain controller running in Compatibility mode logs Event ID 39 (source Microsoft-Windows-Kerberos-Key-Distribution-Center, System log) each time a certificate authenticates a user but can only be mapped weakly; the event carries the user, the certificate subject, issuer, serial number and thumbprint. You then use an Excel template to reverse the serial number byte order and generate one PowerShell command per user that writes the mapping to the account's altSecurityIdentities attribute. This saves significant time and effort compared to mapping each user by hand.

  1. Run the following search, replacing <host1>,<host2>... with the host names of all of your Active Directory domain controllers. The dedup keeps one row per user and certificate, because the same weak mapping is logged on every logon:
    host IN(<host1>,<host2>...) EventCode=39 | dedup User, Certificate_Serial_Number | table User, Certificate_Serial_Number
    
  2. Export the results as a CSV.
  3. Copy and paste the results into columns A and B of the template Fednet_StrongMapping.xlsx. Drag the formulas in columns C through H down to match the number of rows returned by your Splunk platform search. Column C reverses the order of the byte pairs in the serial number, because the <SR> component of altSecurityIdentities stores the serial in reversed byte order. The formula assumes a hexadecimal serial with no spaces or colons, and it must match the length of your serial numbers; the template's formula is written for 8 hex characters (4 bytes), so adjust it if your CA issues longer serials:
    8 hex characters
    =MID(B1,7,2)&MID(B1,5,2)&MID(B1,3,2)&MID(B1,1,2)
    10 hex characters
    =MID(B1,9,2)&MID(B1,7,2)&MID(B1,5,2)&MID(B1,3,2)&MID(B1,1,2)
    12 hex characters
    =MID(B1,11,2)&MID(B1,9,2)&MID(B1,7,2)&MID(B1,5,2)&MID(B1,3,2)&MID(B1,1,2)
    
    
  4. Run the resulting PowerShell commands from a domain controller (or any host with the Active Directory PowerShell module) using an account that is permitted to modify the altSecurityIdentities attribute. Afterwards, confirm that the mapped users authenticate normally and that Event ID 39 is no longer logged for them; any user who still appears in the search has a certificate that is not yet strongly mapped.
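
The following PowerShell script is an added example, not part of the original article or of the Fednet_StrongMapping.xlsx template. It performs the same work as steps 3 and 4 without the spreadsheet: it reads the CSV exported in step 2 (columns User and Certificate_Serial_Number), reverses the serial number byte order for serials of any length, builds the X509IssuerSerialNumber value and adds it to altSecurityIdentities with Set-ADUser. It assumes the ActiveDirectory module is available, and the default $IssuerDn is a placeholder that you must replace with your issuing CA's issuer name written with the least-significant RDN first (for example DC=com,DC=contoso,CN=CONTOSO-DC-CA); the Certificate_Issuer field of Event ID 39 tells you which CA issued each certificate if you have more than one.

```powershell
<#
Added example: build X509IssuerSerialNumber mappings from the Splunk CSV export.
Assumptions: CSV columns are User and Certificate_Serial_Number; $IssuerDn is a
placeholder and must be replaced with your CA's issuer DN in reversed order.
#>
param(
    [string]$CsvPath = '.\event39.csv',
    # Placeholder (assumption): your issuing CA's Issuer DN, least-significant RDN first.
    [string]$IssuerDn = 'DC=com,DC=example,CN=EXAMPLE-ISSUING-CA',
    [switch]$Apply   # without -Apply the script only prints the commands it would run
)

Import-Module ActiveDirectory -ErrorAction Stop

function ConvertTo-ReversedSerial {
    # Event 39 reports the serial as hex in certificate order; the <SR> component of
    # altSecurityIdentities stores the same bytes in reverse order, so swap the byte pairs.
    param([Parameter(Mandatory)][string]$Serial)
    $hex = ($Serial -replace '[\s:]', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]+$') { throw "Not a hex serial number: '$Serial'" }
    if ($hex.Length % 2 -ne 0) { $hex = '0' + $hex }      # odd length: pad the leading nibble
    $pairs = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($pairs)
    return -join $pairs
}

function New-IssuerSerialMapping {
    # Strong mapping string, e.g. X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B
    param([Parameter(Mandatory)][string]$Issuer,
          [Parameter(Mandatory)][string]$Serial)
    return "X509:<I>$Issuer<SR>$(ConvertTo-ReversedSerial -Serial $Serial)"
}

function Get-SamFromEventUser {
    # Event 39's User field is normally DOMAIN\account; a UPN is accepted as well (assumption).
    param([Parameter(Mandatory)][string]$User)
    if ($User -match '\\') { return $User.Split('\')[-1] }
    return $User.Split('@')[0]
}

# One row per (user, serial): the same weak mapping is logged on every logon.
$rows = Import-Csv -Path $CsvPath |
    Where-Object { $_.User -and $_.Certificate_Serial_Number } |
    Sort-Object User, Certificate_Serial_Number -Unique

foreach ($row in $rows) {
    $sam = Get-SamFromEventUser -User $row.User
    $adUser = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -Properties altSecurityIdentities
    if (-not $adUser) { Write-Warning "No AD account found for '$($row.User)'"; continue }

    $mapping = New-IssuerSerialMapping -Issuer $IssuerDn -Serial $row.Certificate_Serial_Number
    if ($adUser.altSecurityIdentities -contains $mapping) { continue }   # already strongly mapped

    if ($Apply) {
        # -Add appends to the multi-valued attribute, so existing mappings are preserved.
        Set-ADUser -Identity $adUser -Add @{ altSecurityIdentities = $mapping }
        Write-Output "Mapped $sam -> $mapping"
    } else {
        Write-Output "Set-ADUser -Identity '$($adUser.DistinguishedName)' -Add @{ altSecurityIdentities = '$mapping' }"
    }
}
```

Run the script once without -Apply and review the generated Set-ADUser commands against a few known users before running it with -Apply from a domain controller. Because serial numbers change on every certificate renewal, schedule the Splunk search to run periodically and feed new Event ID 39 rows back through the script so newly issued certificates are mapped before Full Enforcement blocks them.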

Next steps

These resources might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.