Configuring Cloud Extender for Microsoft’s strong certificate-mapping enforcement

Information on how to configure certificate settings in Cloud Extender® to meet Microsoft’s strong certificate-mapping enforcement for Microsoft Active Directory. These settings are required to validate certificates during certificate-based authentication on the Windows domain controller.

Before you begin

Make sure that the Cloud Extender is updated to a 3.001.300 or later version.

About this task

Important:
  • Starting September 2025, Microsoft enforces strong certificate mapping on Windows domain controllers. All certificates that are used for authentication must be linked to a specific user or device in Microsoft Active Directory.
  • Administrators must assign a custom user attribute value for MaaS360® users. For LDAP users, if attribute mappings are configured in Cloud Extender, MaaS360 automatically retrieves and populates the custom attribute value from the LDAP server during synchronization.
  • Make sure to configure the LDAP module in the Configuration tool to fetch the security identifier (objectSid). For more information, see User Visibility service configuration.

All certificates that are used with certificate-based authentication (manual and offline certificates) must include the user’s objectSid in the URI field under Subject Alternative Name (SAN).

Including this identifier keeps the certificates compliant with Microsoft’s strong certificate-mapping enforcement and continues to support secure integration with Microsoft Active Directory.

The Subject Alternative Name (SAN) tag-based URI must use the following format to meet the strong-mapping requirement.

URL=tag:microsoft.com,2022-09-14:sid:<value>, where <value> is the objectSid of the user in Active Directory.

Procedure

  1. Follow the steps to add the custom user attributes for objectSid mapping in the IBM® MaaS360 Portal.
    1. Log in to the IBM MaaS360 Portal, and go to Users > User Attributes > Add Custom Attribute.
    2. Enter the attribute name, variable name, and then select an attribute type such as text.

    The new custom user attribute is added to the IBM MaaS360 Portal.

  2. Follow these steps to configure the User Visibility service for the Cloud Extender.
    1. Open the Cloud Extender Configuration Tool and select User Visibility.
    2. Open the configured LDAP module, and click Next.
    3. Click Advanced on the last screen of the module configuration to configure advanced settings.
    4. Under Custom User Attributes Mappings, select objectSid from the MaaS360 User Attribute list to map it to the custom user attribute that you created in the IBM MaaS360 Portal.
    5. Click OK.
      To validate that the custom user attribute is correctly mapped, click Test Reachability.
    6. Click Save to complete the setup and return to the Cloud Extender Summary page.
    The next synchronization populates the custom user attribute with each user's corresponding security identifier (SID) value in the portal.
    Tip: Make sure that synchronization is successfully completed to reflect the updated attribute values across all user records.
  3. On the Cloud Extender Configuration Tool, select the Certificate Integration module.
    1. Configure Certificate Templates, and then click Next.

      If the certificate template is not already configured, follow the steps in the Cloud Extender Certificate Integration configuration section to configure it for your environment. This feature currently supports template types such as Microsoft CA, Symantec CA, and Verizon MCS.

    2. Configure Subject Alternate Name
      Use this field to uniquely identify the user for authentication. It is one of the most commonly used subject alternative name fields.
      Note: By default, UPN and Email are displayed with preconfigured values that were used before the upgrade.

      You can add attributes and configure the values for corresponding attributes.

      To configure a URI that uses a custom user attribute created in the IBM MaaS360 Portal, the URI must follow a specific format.

      tag:microsoft.com,2022-09-14:sid:%<custom user attribute>%, where <custom user attribute> is replaced with the name of the attribute that you created.

      In this SAN URI, microsoft.com and 2022-09-14 are hardcoded values that cannot be modified. The only value that must be supplied in the SAN URI is the user or device SID, which replaces the <value> field.

      Example

      If your custom user attribute is named Sample, the URI becomes tag:microsoft.com,2022-09-14:sid:%Sample%. The %custom user attribute% syntax is a placeholder that MaaS360 replaces with the actual value of the attribute.

    3. Click Save and Test to test your configuration.
      If your test is successful, a prompt is displayed stating that the Certificate is generated and validated successfully, with an option to download the certificate for a mobile device.
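The following Python script is an added example, not code from IBM or the Cloud Extender product. It shows the two pieces of the SAN URI handling described in the procedure: expanding a %attribute% placeholder in the Subject Alternative Name template with a user's custom attribute value, and checking that a URI SAN entry on a generated certificate carries the fixed tag:microsoft.com,2022-09-14:sid: prefix followed by a well-formed string-form SID that matches the objectSid the directory holds for that account. The function names, the attribute name Sample, and the SID values are constructed for the example; the real mapping decision is made by the domain controller, and this check is only a pre-deployment sanity test of the certificate you download after Save and Test.

```python
import re

# Strong-mapping SAN URI prefix. The microsoft.com and 2022-09-14 parts are
# fixed by Microsoft and must not be changed.
SID_URI_PREFIX = "tag:microsoft.com,2022-09-14:sid:"

# String form of a Windows security identifier: S-1-<authority>-<sub>...,
# with between 1 and 15 sub-authority values (user and computer objectSid
# values from Active Directory look like S-1-5-21-<domain parts>-<RID>).
SID_PATTERN = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")

# Placeholder syntax used in the Cloud Extender SAN template, e.g. %Sample%.
PLACEHOLDER = re.compile(r"%([^%]+)%")


def render_san_uri(template: str, user_attributes: dict) -> str:
    """Expand %attribute% placeholders in a SAN URI template with the user's
    attribute values. Raises KeyError when a referenced attribute is absent
    or empty, so an unsynchronized attribute never yields an empty SID."""
    def _substitute(match):
        name = match.group(1)
        value = user_attributes.get(name)
        if not value:
            raise KeyError(f"user attribute {name!r} is unset; synchronization incomplete?")
        return value
    return PLACEHOLDER.sub(_substitute, template)


def parse_sid_uri(uri: str):
    """Return the SID embedded in a strong-mapping SAN URI, or None if the
    URI lacks the mandated prefix or carries a malformed SID."""
    if not uri.startswith(SID_URI_PREFIX):
        return None
    sid = uri[len(SID_URI_PREFIX):]
    return sid if SID_PATTERN.match(sid) else None


def check_certificate_mapping(san_uris, expected_sid: str) -> bool:
    """Sanity check for a generated certificate: does any URI SAN entry carry
    a well-formed strong-mapping tag whose SID equals the objectSid that the
    directory holds for the account being authenticated?"""
    return any(parse_sid_uri(uri) == expected_sid for uri in san_uris)


if __name__ == "__main__":
    # Constructed sample data: a custom attribute named "Sample" holding a
    # made-up objectSid. These are not real directory values.
    template = "tag:microsoft.com,2022-09-14:sid:%Sample%"
    user = {"Sample": "S-1-5-21-1111111111-2222222222-3333333333-1105"}
    uri = render_san_uri(template, user)
    print(uri)
    print(check_certificate_mapping([uri], user["Sample"]))
```

To use it against a real certificate, pass the URI entries from its Subject Alternative Name extension as san_uris and the account's objectSid (in string form, as synchronized into the custom attribute) as expected_sid; a False result before enrollment points at either an unmapped attribute or a template that deviates from the fixed prefix.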

Results

A security identifier is created for each enrolled user or device to enable stronger validation during certificate-based authentication.