§ Archive
July 2026

AC

Strong Certificate Mapping Only Helps If the CA Owns the SID. ESC16 Takes It Away

Microsoft’s strong certificate mapping enforcement finally landed, and where it’s genuinely in force it does close the naive implicit-mapping hole that made ADCS escalation trivial — a certificate with only a weak name is denied. ESC16 strips the CA-issued SID so the mapping decision falls to whatever’s left: on a compatibility-mode DC that’s weak SAN mapping, and even on a fully-enforced DC it’s an attacker-supplied SID-in-SAN URI the KDC treats as strong. The audit events you’d hunt it with are off by default.