If you’ve read my previous Kerberos Chronicles posts you will have noticed a trend in Microsoft’s patches and hardening updates; this one concerns the upcoming strong mapping / Full Enforcement mode for certificate-based authentication. See the following article for the explanation: KB5014754—Certificate-based authentication changes on Windows domain controllers – Microsoft Support
This one is going to have a big impact if it is left unchecked and doesn’t get the attention it needs.
One example is described here: Certificate-Based Authentication Changes and Always On VPN | Richard M. Hicks Consulting, Inc. (richardhicks.com)
The same trouble shows up with VDI solutions such as VMware Horizon and its True SSO integration: The Impact of Microsoft Security Update (KB5014754) on Customers Utilizing Certificate-Based Authentication, Including Smart Cards (91595) (vmware.com)
And it applies equally to Citrix Virtual Apps and Desktops with the Federated Authentication Service (FAS) integration: FAS: Information about Microsoft KB KB5014754/CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923 (citrix.com)
The Full Enforcement date has moved from May 9 to November 14, 2023, or later (later… oh boy…)
My advice is to review your certificate-based authentication setup now and reissue those certificates: you want the new SID extension, Object Identifier (OID) 1.3.6.1.4.1.311.25.2, present in every authentication certificate before Full Enforcement mode kicks in. Certificates that cannot carry the extension (for example from an offline or third-party CA) need a strong manual mapping in the user’s altSecurityIdentities attribute instead (issuer + serial number, SKI or SHA1 public key; issuer + subject, subject-only and RFC822 mappings are weak and will be rejected). And take a good look at the domain controller logs before and after: while the DCs are still in Compatibility mode, KDC event IDs 39, 40 and 41 tell you exactly which certificates have no strong mapping, predate the account, or carry a SID that does not match, so you can fix them before they start failing.
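The checks described above, as an added PowerShell example that is not part of the original post and not Microsoft’s own tooling. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the System log on the domain controllers, and that the user name ‘jdoe’ is a placeholder; the function names are my own.

```powershell
# Added example (not from the original post). Three pre-enforcement checks:
#   1. Does a certificate carry the SID extension (OID 1.3.6.1.4.1.311.25.2)?
#   2. Does a user's altSecurityIdentities contain only strong mappings?
#   3. Are the DCs already logging KDC events 39/40/41 in Compatibility mode?
# Assumes: RSAT ActiveDirectory module, read access to the DC System logs.

$SidExtensionOid = '1.3.6.1.4.1.311.25.2'

function Get-CertificateSidExtension {
    # Returns the SID string embedded in the certificate, or $null if the
    # extension is missing (i.e. the certificate will only map weakly).
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid }
    if (-not $ext) { return $null }
    # The extension wraps the SID as an ASCII string ("S-1-5-21-...") inside an
    # OtherName, so a regex over the raw bytes avoids a full ASN.1 decode.
    $ascii = [System.Text.Encoding]::ASCII.GetString($ext.RawData)
    if ($ascii -match 'S-1-5-21-[\d-]+') { return $Matches[0] }
    return $null
}

function Test-StrongAltSecurityIdentities {
    # Classifies each altSecurityIdentities entry of a user as strong or weak.
    # Strong per KB5014754: <I>...<SR>... , <SKI>... , <SHA1-PUKEY>...
    # Weak:                 <I>...<S>...  , <S>...   , <RFC822>...
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    foreach ($mapping in @($user.altSecurityIdentities)) {
        $tags = [regex]::Matches($mapping, '<([A-Z0-9-]+)>') |
                ForEach-Object { $_.Groups[1].Value }
        [pscustomobject]@{
            User    = $SamAccountName
            Mapping = $mapping
            Strong  = ($tags -contains 'SR') -or ($tags -contains 'SKI') -or
                      ($tags -contains 'SHA1-PUKEY')
        }
    }
}

function Get-WeakMappingKdcEvents {
    # Pulls the KDC warnings from every DC for the last $Days days:
    #   39 = certificate has no strong mapping
    #   40 = certificate was issued before the user account existed
    #   41 = SID in the certificate does not match the mapped user
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName),
        [int]$Days = 7
    )
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = 39, 40, 41
            StartTime    = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue |
        Select-Object MachineName, TimeCreated, Id, Message
    }
}

# Usage: inventory the local machine store, check one user, then sweep the DCs.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        Sid        = Get-CertificateSidExtension -Certificate $_
    }
} | Format-Table -AutoSize

Test-StrongAltSecurityIdentities -SamAccountName 'jdoe' | Format-Table -AutoSize   # 'jdoe' is a placeholder
Get-WeakMappingKdcEvents -Days 7 | Format-Table -AutoSize
```

Run the last function on a schedule while the DCs are still in Compatibility mode: every certificate that shows up with event 39 or 40 is one that will stop working the day Full Enforcement is switched on, so the list doubles as your reissue backlog.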
Some extra information:
Certificate Requirements and Enumeration | Microsoft Learn
Security identifiers | Microsoft Learn
Hope it helps!