IBM MaaS360 - Configuring Cloud Extender SAN URI for Certificate Strong Mapping
This document outlines the steps for configuring certificate settings in Cloud Extender to comply with Microsoft's strong certificate-mapping enforcement for Active Directory. These settings determine whether a Windows domain controller accepts a certificate during certificate-based authentication.
The configuration ensures that the certificates Cloud Extender issues meet Microsoft's mapping requirements. Key actions include designating trusted root certification authorities and selecting certificate templates that fit your organizational requirements.
Implementing these measures will not only enhance the security of authentication processes but also ensure alignment with Microsoft’s enforcement protocols, thereby bolstering the overall integrity of the Active Directory environment.
About this task
- Beginning in September 2025, Microsoft enforces strong certificate mapping on Windows domain controllers. Every certificate used for authentication must be strongly mapped to a specific user or device account in Microsoft Active Directory.
- Administrators must assign a custom user attribute value for MaaS360 users. For LDAP users, if attribute mappings are configured in Cloud Extender, MaaS360 will automatically retrieve and populate the custom attribute value from the LDAP server during synchronization.
- Ensure that the LDAP module is configured in the Configuration tool to retrieve the security identifier (objectSid).
All certificates used for certificate-based authentication, including manual and offline certificates, must contain the user’s objectSid in the URI field of the Subject Alternative Name (SAN).
Including this identifier ensures compliance with Microsoft's strict certificate-mapping requirements and supports secure integration with Microsoft Active Directory.
The tag-based URI in the Subject Alternative Name (SAN) must have the following format to meet the strong-mapping requirement:
URL=tag:microsoft.com,2022-09-14:sid:<value> where value is the objectSid of the user in Active Directory.
In this SAN URI, "microsoft.com" and "2022-09-14" are fixed values that must not be modified. The only value that you supply is the user or device SID, which replaces the <value> field. The domain controller accepts the certificate only when this SID matches the objectSid of the account that is authenticating.
Before You Begin
Ensure that the Cloud Extender modules are updated to version 3.001.300 or later.
Dependency modules: MaaS360 Configuration Utility, User Visibility LDAP, and Certificate Integration
Procedure
1. Follow the steps to add the custom user attributes for objectSid mapping in the IBM MaaS360 Portal.
a. Log in to the IBM MaaS360 Portal and go to Users > User Attributes > Add Custom Attribute.
b. Enter the attribute name, variable name, and then select an attribute type such as text.
The new custom user attribute is added to the IBM MaaS360 Portal.

2. Follow these steps to configure the User Visibility service for the Cloud Extender.
a. Open the Cloud Extender Configuration Tool and select User Visibility.
b. Open the configured LDAP User Visibility module and click Next.
c. Click Advanced on the last screen of the module configuration to configure advanced settings.

d. In the Custom User Attributes Mappings section, map the LDAP attribute objectSid to the custom user attribute that you created in the IBM MaaS360 Portal.

e. Click OK.
To validate that the custom user attribute is mapped correctly, click Test Reachability.
f. Click Save to complete the setup and return to the Cloud Extender Summary page.
The next synchronization populates the custom user attribute with each user's corresponding security identifier (SID) value in the portal.
3. On the Cloud Extender Configuration Tool, select the Certificate Integration module.

a. On the Configure Certificate Templates screen, select the certificate template to use and then click Next.
This feature currently supports template types such as Microsoft CA, Symantec CA, and Verizon MCS.
b. On the Configure Subject Alternate Name screen, configure the SAN entries.
The SAN uniquely identifies the user during authentication and is one of the most commonly used fields for mapping a certificate to an account.
Note: By default, UPN and Email are displayed with the preconfigured values that were used before the upgrade.
To add a URI entry that is derived from the custom user attribute that you created in the IBM MaaS360 Portal, use the following format:
URL=tag:microsoft.com,2022-09-14:sid:%<custom user attribute>%
Replace <custom user attribute> with the name of the attribute that you created in step 1. In this SAN URI, microsoft.com and 2022-09-14 are fixed values that cannot be modified; the only value that varies is the user or device SID, which Cloud Extender substitutes for the %<custom user attribute>% placeholder when it issues the certificate.
c. Click Save and Test to test your configuration.
If the test is successful, a prompt is displayed stating that the certificate was generated and validated successfully, with an option to download the certificate for a mobile device.
In a certificate that is issued with this SAN URI, the Subject Alternative Name field lists the tag URI in the Value section, populated with the user's SID. Open the certificate and confirm that the SID in the URI is the objectSid of the intended account before rolling the template out.
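The SAN URI format from the "About this task" section and the check of the issued certificate just described, as an added example that is not IBM's or Microsoft's code: a small Python module that decodes the binary objectSid that LDAP returns into its S-1-5-21-... string, builds the tag URI from it, and verifies that a SAN URI copied out of an issued certificate (bare, or with the URL= or URI: decoration that certutil and openssl print) names exactly that account. The helper names and the sample SID bytes are constructed for illustration; only the URI format and the standard binary SID layout are taken as given.

```python
"""Build and check the strong-mapping SAN URI tag:microsoft.com,2022-09-14:sid:<objectSid>.

Added example, not IBM's or Microsoft's code. Assumes only the URI format quoted in
the article and the standard binary layout of the Active Directory objectSid attribute.
The sample SID bytes at the bottom are constructed for illustration.
"""
import re
import struct
from typing import Optional

TAG_PREFIX = "tag:microsoft.com,2022-09-14:sid:"

# Domain account SIDs look like S-1-5-21-<three domain sub-authorities>-<RID>.
# The SID grammar allows up to 15 sub-authorities in total; we accept that, but
# require the NT Authority (5) and the "21" domain marker that AD accounts carry.
SID_RE = re.compile(r"S-1-5-21(?:-\d{1,10}){1,14}")


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode the binary objectSid that LDAP returns into its S-1-... string.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then count * little-endian uint32 sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("objectSid shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    # Windows renders authorities that do not fit in 32 bits as hex; AD uses 5.
    auth_str = str(authority) if authority < (1 << 32) else f"0x{authority:012X}"
    return "S-1-%s-%s" % (auth_str, "-".join(str(s) for s in subs))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string, e.g. to build an LDAP (objectSid=...) filter."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID string: {sid!r}")
    authority = int(parts[2], 0)  # base 0 also accepts the 0x... form
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def strong_mapping_uri(sid: str) -> str:
    """The SAN URI value that the certificate must carry for this account."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"not a domain account SID: {sid!r}")
    return TAG_PREFIX + sid


def sid_from_san_uri(entry: str) -> Optional[str]:
    """Return the SID carried by a SAN URI entry, or None if it is not a strong mapping.

    Accepts the bare URI as well as the 'URL=' (certutil / certreq) and 'URI:'
    (openssl x509 -text) decorations seen when dumping a certificate.
    """
    for prefix in ("URL=", "URI:"):
        if entry.startswith(prefix):
            entry = entry[len(prefix):]
            break
    # Exact, case-sensitive prefix: the tag authority and date are fixed by Microsoft.
    if not entry.startswith(TAG_PREFIX):
        return None
    sid = entry[len(TAG_PREFIX):]
    return sid if SID_RE.fullmatch(sid) else None


def san_uri_matches_account(entry: str, object_sid: bytes) -> bool:
    """True only if the certificate's SAN URI carries exactly this account's SID.

    Whole-string comparison, not a prefix test: a prefix check would accept a SID
    with extra trailing sub-authorities, which is a different directory object.
    """
    return sid_from_san_uri(entry) == sid_bytes_to_string(object_sid)


# Constructed sample: objectSid of RID 1124 in domain S-1-5-21-2127521184-1604012920-1887927527.
SAMPLE_OBJECT_SID = bytes.fromhex(
    "0105000000000005"  # revision 1, 5 sub-authorities, identifier authority 5 (NT)
    "15000000"          # 21
    "a065cf7e"          # 2127521184
    "784b9b5f"          # 1604012920
    "e77c8770"          # 1887927527
    "64040000"          # 1124
)

if __name__ == "__main__":
    sid = sid_bytes_to_string(SAMPLE_OBJECT_SID)
    print(sid)                      # S-1-5-21-2127521184-1604012920-1887927527-1124
    print(strong_mapping_uri(sid))  # tag:microsoft.com,2022-09-14:sid:S-1-5-21-...-1124
    # What Cloud Extender should have written, as certutil shows it:
    print(san_uri_matches_account("URL=" + strong_mapping_uri(sid), SAMPLE_OBJECT_SID))  # True
    # A UPN-only SAN (the pre-upgrade default) is not a strong mapping:
    print(san_uri_matches_account("othername:UPN::alice@corp.example", SAMPLE_OBJECT_SID))  # False
```

To use this against a real certificate, pull the account's objectSid with an LDAP query (the same attribute the User Visibility module syncs) and paste the SAN URI line from `certutil -dump` or `openssl x509 -text -noout` into `san_uri_matches_account`; a False result means the template is still issuing UPN or email-only SANs, or the custom attribute was not populated for that user.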

Wrapping Up
The security identifier of each enrolled user or device is now embedded in its certificate, which gives the domain controller a strong, unambiguous mapping during certificate-based authentication. I hope this article helped you to configure Cloud Extender for Microsoft's strong certificate-mapping enforcement.
If you have any questions, just drop a comment below.