Domain Controller: System must be configured for name-based strong mappings for certificates

5fc6bb4d-4b22-4ea7-816b-4d6ff42bccb1

Name-based certificate mappings are weak: the KDC matches the certificate to the account by a name the certificate carries (subject, User Principal Name, or e-mail address), so any certificate carrying the same name, whichever CA issued it, satisfies the mapping and can be used to authenticate as that account. Strong mappings (the SID extension stamped by the issuing CA, or an altSecurityIdentities entry keyed on issuer and serial number, subject key identifier, or public key hash) bind the account to one specific certificate or key. Since KB5014754 the KDC rejects weak mappings when running in full enforcement, which leaves environments whose certificates cannot carry a strong mapping, such as smart card certificates issued by an external PKI, with the choice of staying in compatibility mode, where every name-based mapping from every CA is accepted. The "Allow name-based strong mappings for certificates" policy closes that gap: it lets the KDC treat specific name-based mappings, such as Issuer/Subject AltSecID and User Principal Name (UPN) mappings, as strong only for certificates from administrator-listed issuing CAs, optionally restricted further by certificate policy OID. Without this policy, the only way to accept those mappings is to relax enforcement for all weak mappings from all issuers.

Remediation

To fix this, configure the policy value for
Computer Configuration
|_ Administrative Templates
|_ System
|_ KDC
|_ Allow name-based strong mappings for certificates
to "Enabled". Enabling the setting on its own trusts nothing: the policy's list must name the issuing CA thumbprint(s), and where required the certificate policy OIDs, for which name-based mappings are to be treated as strong (see the links below for the entry format). Scope the entries as narrowly as the smart card population allows, since name-based certificates from every listed issuer become usable for logon.

More info: aka.ms/StrongCertMapKB

https://techcommunity.microsoft.com/blog/publicsectorblog/enable-strong-name-based-mapping-in-government-scenarios/4240402
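The weak-versus-strong mapping distinction described above, together with the KDC enforcement mode that decides whether weak mappings are rejected, as an added PowerShell example; it is not part of the STIG text or the original page. The altSecurityIdentities string formats and the StrongCertificateBindingEnforcement registry value are documented in KB5014754 (aka.ms/StrongCertMapKB, linked above); the account names, issuer name and hex values below are constructed sample data, and the function names are my own.

```powershell
# Added example (not from the STIG or the original page): classify
# altSecurityIdentities mappings as strong or weak per KB5014754 and
# report the KDC enforcement mode. Sample accounts below are constructed.

function Get-CertMappingType {
    <#
      Returns the KB5014754 mapping type and strength for one
      altSecurityIdentities value. IssuerSerialNumber (strong) and
      IssuerSubject (weak) share the "X509:<I>" prefix, so they are told
      apart by the <SR> (serial) versus <S> (subject) token that follows.
    #>
    param([Parameter(Mandatory)][string]$Mapping)

    $known = @(
        @{ Pattern = '^X509:<I>.+<SR>.+$';    Type = 'X509IssuerSerialNumber'; Strength = 'Strong' },
        @{ Pattern = '^X509:<SKI>.+$';        Type = 'X509SKI';                Strength = 'Strong' },
        @{ Pattern = '^X509:<SHA1-PUKEY>.+$'; Type = 'X509SHA1PublicKey';      Strength = 'Strong' },
        @{ Pattern = '^X509:<I>.+<S>.+$';     Type = 'X509IssuerSubject';      Strength = 'Weak'   },
        @{ Pattern = '^X509:<S>.+$';          Type = 'X509SubjectOnly';        Strength = 'Weak'   },
        @{ Pattern = '^X509:<RFC822>.+$';     Type = 'X509RFC822';             Strength = 'Weak'   }
    )
    foreach ($k in $known) {
        if ($Mapping -match $k.Pattern) {
            return [pscustomobject]@{ Mapping = $Mapping; Type = $k.Type; Strength = $k.Strength }
        }
    }
    # Malformed or non-X509 values are flagged rather than silently trusted.
    return [pscustomobject]@{ Mapping = $Mapping; Type = 'Unknown'; Strength = 'Unknown' }
}

function Get-WeakCertMappings {
    # Emits one row per mapping that is not strong. Input objects need
    # SamAccountName and altSecurityIdentities (as returned by Get-ADUser).
    param([Parameter(Mandatory)][object[]]$Accounts)
    foreach ($acct in $Accounts) {
        foreach ($m in @($acct.altSecurityIdentities)) {
            $r = Get-CertMappingType -Mapping $m
            if ($r.Strength -ne 'Strong') {
                [pscustomobject]@{
                    SamAccountName = $acct.SamAccountName
                    Type           = $r.Type
                    Strength       = $r.Strength
                    Mapping        = $m
                }
            }
        }
    }
}

function Get-KdcEnforcementMode {
    # KB5014754 registry value on the domain controller. An absent value means
    # the OS default, which the KB moved to Full Enforcement in February 2025.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $v = (Get-ItemProperty -Path $key -Name StrongCertificateBindingEnforcement `
            -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
    switch ($v) {
        0       { 'Disabled (no strong-mapping check)' }
        1       { 'Compatibility (weak mappings accepted, warning events logged)' }
        2       { 'Full Enforcement (weak mappings rejected)' }
        default { 'Not set (OS default: Full Enforcement since the February 2025 updates)' }
    }
}

# Constructed sample accounts; issuer name and hex values are placeholders.
$SampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'alice'; altSecurityIdentities = @('X509:<I>DC=com,DC=example,CN=EXAMPLE-ISSUING-CA<SR>1200000000AC11000000002B') }
    [pscustomobject]@{ SamAccountName = 'bob';   altSecurityIdentities = @('X509:<SKI>123456789ABCDEF123456789ABCDEF1234567890') }
    [pscustomobject]@{ SamAccountName = 'carol'; altSecurityIdentities = @('X509:<I>DC=com,DC=example,CN=EXAMPLE-ISSUING-CA<S>CN=carol,OU=Users,DC=example,DC=com') }
    [pscustomobject]@{ SamAccountName = 'dave';  altSecurityIdentities = @('X509:<RFC822>dave@example.com', 'X509:<SHA1-PUKEY>FEDCBA9876543210FEDCBA9876543210FEDCBA98') }
)
# On a domain controller, audit the real directory instead of the sample:
# $SampleAccounts = Get-ADUser -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities

"KDC StrongCertificateBindingEnforcement: $(Get-KdcEnforcementMode)"
Get-WeakCertMappings -Accounts $SampleAccounts | Format-Table -AutoSize
```

The audit only sees explicit altSecurityIdentities entries; certificates that carry the SID extension (OID 1.3.6.1.4.1.311.25.2) are strongly mapped without any such entry and will not appear. The Weak rows are exactly the mappings that the policy in this check is meant to scope: under full enforcement they are accepted only if the issuing CA (and, where configured, the policy OID) is listed in "Allow name-based strong mappings for certificates".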

Sample configuration:
;;

STIG: Server
2025: https://system32.eventsentry.com/stig/viewer/V-278173
2022: https://system32.eventsentry.com/stig/viewer/V-271427
2019: https://system32.eventsentry.com/stig/viewer/V-271429
2016: https://system32.eventsentry.com/stig/viewer/V-271430

NIST 800-53 : IA-5, IA-8, SC-17, CM-6
NIST 800-171: 3.5.2, 3.4.6
CMMC v2.0 L2: IA.L2-3.5.2, CM.L2-3.4.6
PCI-DSS v4.0: 2.2.1, 8.2.1
HIPAA SR : §164.312(d)
HIPAA HICP : Practice 3 (Identity and Access Management)