When Your Enterprise PKI Is the Enemy: Threats to AD and Entra ID Security
Do your Active Directory (AD) forests include Enterprise PKIs? Do you know how many of your trusted CAs can impersonate and become anything within your forest or Entra ID tenant? Are your CA keys created according to planned policy and securely stored inside a hardware security module (HSM)—or were they created simply because “something” needed certificates?
In May 2022, Microsoft announced certificate-based authentication changes to the AD Kerberos Key Distribution Center (KDC). Also known as strong certificate mapping, this feature changed the game for certificate-based authentication requirements but also created new security concerns. At about the same time, Microsoft announced certificate-based authentication (CBA) in Azure AD—now Entra ID—in which I was able to find two security vulnerabilities acknowledged by the Microsoft Security Response Center (MSRC).
In this session, you’ll learn several pitfalls and known issues that exist in almost all AD forest deployments with one or more Enterprise PKIs. This session contains live demos of full-forest compromise attack vectors that take advantage of misconfigured Enterprise PKIs within the AD forest.
Slide Deck: https://www.semperis.com/wp-content/uploads/resources-pdfs/hipconf-2024/when-your-enterprise-pkIise.pdf