Windows Server 2019 must be configured for named-based strong mappings for certificates.

Quick Actions

We are continuing to improve Stigviewer and we are planning on rolling out new services in the near future. Would you like to be part of the conversation on what those features should be? If so, click here.

Featured Partners

Web page built by Cyber Protection Services

Check out our new AI-powered GRC tool here .
Compliance Dictionary

Standardizes and unifies compliance terms.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-271429	WN19-DC-000401	SV-271429r1059566_rule		Medium

Description

Weak mappings give rise to security vulnerabilities and demand hardening measures. Certificate names must be correctly mapped to the intended user account in Active Directory. A lack of strong name-based mappings allows certain weak certificate mappings, such as Issuer/Subject AltSecID and User Principal Names (UPN) mappings, to be treated as strong mappings.

STIG	Date
Microsoft Windows Server 2019 Security Technical Implementation Guide	2025-01-15

Details

Check Text (C-75478r1059564_chk)

This applies to domain controllers. This is not applicable for member servers.

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Administrative Template >> System >> KDC >> Allow name-based strong mappings for certificates.

If "Allow name-based strong mappings for certificates" is not "Enabled", this is a finding.

Fix Text (F-75385r1059565_fix)

Configure the policy value for Computer Configuration >> Administrative Template >> System >> KDC >> Allow name-based strong mappings for certificates to "Enabled".

STIG VIEWER