{"id":1284,"date":"2025-10-14T07:09:52","date_gmt":"2025-10-14T05:09:52","guid":{"rendered":"https:\/\/blog.chrisse.se\/?p=1284"},"modified":"2025-10-18T20:30:30","modified_gmt":"2025-10-18T18:30:30","slug":"when-your-enterprise-pki-becomes-one-of-your-enemies-part-7","status":"publish","type":"post","link":"https:\/\/blog.chrisse.se\/?p=1284","title":{"rendered":"When your Enterprise PKI becomes one of your enemies (Part 7)"},"content":{"rendered":"\n

Hybrid Identity<\/em>\u00a0Protection (HIP) Conference 2025 is over and I presented on the Active Directory and PKI subject again: “Enterprise PKI Today: Friend or Foe”

Now available to watch online: Enterprise PKI Today: Friend or Foe? – Hip Conf<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

StrongCertificateBindingEnforcement vs NTAuthEnforcement<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

StrongCertificateBindingEnforcement has been mandatory since 10th of September 2025 with no supported way of doing a optout to Compatibility Mode. Enforcing this took over 3 years – and where still not done – while the ‘StrongCertificateBindingEnforcement’ registry key is gone from “kdcsvc.dll” with the September updates. However there is a new key available to still optout but that key is only intended for special cases and should NOT be used, but you can find it by string dumping the “kdcsvc.dll” at a specific offset.<\/p>\n\n\n\n

.\\strings.exe -n 5 -o -f 671232 C:\\Windows\\system32\\kdcsvc.dll<\/code><\/pre>\n\n\n\n
Please be aware that the StrongCertificateBindingEnforcement only protect you from what it was designed to – the following:<\/strong>
<\/p>\n\n\n\n
    \n
  1. dNSHostName\/servicePrincipalName computer owner abuse, Remove DNS SPNs from servicePrincipalName, steal DNS hostname of a DC, put it in your computer accounts dNSHostName attr and request a cert, auth (PKINIT) with the cert and you\u2019re a DC.
    <\/li>\n\n\n\n
  2. Overwrite userPrincipalName of user to be of target to hijack user account since the missing domain part does not violate an existing UPN
    <\/li>\n\n\n\n
  3. Overwrite userPrincipalName of user to be @ of target to hijack machine account since machine accounts don\u2019t have a UPN
    <\/li>\n\n\n\n
  4. Delete userPrincipalName of user and overwrite sAMAccountName to be without a trailing $ to hijack a machine account<\/li>\n<\/ol>\n\n\n\n
    Note: 2-4 would require permissions to write to the \u2018userPrincipalName\u2019 attribute<\/p>\n\n\n\n
    It will NOT protect you from:<\/strong><\/p>\n\n\n\n
      \n
    1. CAs trusted in your forest where you don\u2019t have a good security hygiene for issuance of certificates\n