Issues on Strong Certificate Mapping for SCEP-Deployed User Certificates Containing objectSid

KPZhang
New Contributor

I've reviewed existing community discussions regarding Strong Certificate Mapping, but my environment presents unique challenges. Below are references I've consulted:

/////////////////////////////////////////////////////////

My Goal

Enable iOS/iPadOS devices to obtain user certificates containing OID 1.3.6.1.4.1.311.25.2 (objectSid) via SCEP profiles deployed through Jamf Pro.

/////////////////////////////////////////////////////////

Environment

  1. Jamf Pro Integration

    • Connected to NDES server (linked to Microsoft CA)

    • Connected to Jamf Infrastructure Manager (linked to Domain Controller)

  2. SCEP Profile Configuration

    • Certificate Authority Type: Manual

    • URL: https://[MY_JAMF_SERVER]:8443/CA/SCEP/config

    • Name: JAMFADCS-MSCEP-RA

    • Subject: CN=$USERNAME,OU=Users,OU=OU,0.9.2342.19200300.100.1.25=MYDomain,0.9.2342.19200300.100.1.25=COM

    • Subject Alternative Name (SAN): Type: RFC 822 Name; Value: $EMAIL

    • NT Principal Name: $EMAIL

    • Challenge Type: Dynamic-Microsoft CA

    • Key Size: 2048

    • Digital Signature: checked

Note: Certificates enroll successfully and pass AD authentication.

///////////////////////////////////////////////////////// 

Current Configuration & Issue


What I have done:

  • Enabled: Collect user and location information from Directory Service (Settings > Device Management > Inventory Collection)

  • Configured Extension Attribute: (Settings > Device Management > Extension attributes)

Display Name: objectSid
Data Type: String
Input Type: Directory Service Attribute Mapping
Directory Service Attribute: objectSid
Directory Service Attribute Variable: $EXTENSIONATTRIBUTE_1

What I Got

  • When adding tag:microsoft.com,2022-09-14:sid:$EXTENSIONATTRIBUTE_1 to the SAN field:

    • Certificates include tag:microsoft.com,2022-09-14:sid:S-1-21-… in SAN (as expected).

  • Problem: Certificates do not contain the required OID (1.3.6.1.4.1.311.25.2) with the objectSid value.

///////////////////////////////////////////////////////// 

Need Help

  1. How can I ensure the OID 1.3.6.1.4.1.311.25.2 is injected into certificates with the objectSid value?

  2. Are there additional configurations needed in: (Based on these posts:
    https://forums.intercede.com/wp-content/uploads/Flare/MyID-v1211-PIV/Content/Microsoft%20CA/After%20...
    https://blog.qdsecurity.se/2022/05/27/manually-injecting-a-sid-in-a-certificate/)

    • Microsoft CA certificate templates?

    • NDES/Jamf Pro SCEP profiles?
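To check whether an issued certificate actually carries the strong-mapping data this thread is about, here is an added Python helper (not from the thread, Jamf or Microsoft) that encodes and decodes the value of extension 1.3.6.1.4.1.311.25.2 using the layout Microsoft documents for szOID_NTDS_CA_SECURITY_EXT (a SEQUENCE holding one OtherName typed 1.3.6.1.4.1.311.25.2.1 whose [0] EXPLICIT value is an OCTET STRING with the SID text), and recognises the tag:microsoft.com,2022-09-14:sid: SAN URL form. The SID strings used with it are constructed sample values, not real ones.

```python
import re

SAN_SID_PREFIX = "tag:microsoft.com,2022-09-14:sid:"  # SAN URL form seen in the thread
# DER of OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.2.1 (szOID_NTDS_OBJECTSID), tag + length included
OBJECTSID_OID_DER = bytes.fromhex("060a2b060104018237190201")
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def _tlv(tag: int, body: bytes) -> bytes:
    # DER tag-length-value; long-form length once the body reaches 128 bytes
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def encode_sid_extension(sid: str) -> bytes:
    """Value of 1.3.6.1.4.1.311.25.2: SEQUENCE { [0] { OID objectSid, [0] { OCTET STRING sid } } }."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"not a SID string: {sid!r}")
    other_name = OBJECTSID_OID_DER + _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))
    return _tlv(0x30, _tlv(0xA0, other_name))

def _read_tlv(buf: bytes, pos: int, tag: int):
    """Return (body, end) of the TLV at pos; refuse a wrong tag or truncated data."""
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    length, start = buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits count the length bytes that follow
        count = length & 0x7F
        length, start = int.from_bytes(buf[start:start + count], "big"), start + count
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return buf[start:start + length], start + length

def decode_sid_extension(der: bytes) -> str:
    """Inverse of encode_sid_extension; ValueError for anything not shaped like it."""
    seq, _ = _read_tlv(der, 0, 0x30)
    other_name, _ = _read_tlv(seq, 0, 0xA0)
    if not other_name.startswith(OBJECTSID_OID_DER):
        raise ValueError("OtherName type-id is not szOID_NTDS_OBJECTSID")
    explicit, _ = _read_tlv(other_name, len(OBJECTSID_OID_DER), 0xA0)
    octets, _ = _read_tlv(explicit, 0, 0x04)
    sid = octets.decode("ascii")
    if not SID_RE.fullmatch(sid):
        raise ValueError("extension payload is not a SID")
    return sid

def sid_from_san_url(uri: str):
    """SID carried in the SAN URL form, or None when the URI is something else."""
    rest = uri[len(SAN_SID_PREFIX):] if uri.startswith(SAN_SID_PREFIX) else ""
    return rest if SID_RE.fullmatch(rest) else None
```

Feed decode_sid_extension the raw value bytes of extension 1.3.6.1.4.1.311.25.2 as pulled from an issued certificate with whatever X.509 library you use; a certificate that has only the SAN URL form will have no such extension, which is the situation described in the post.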


mvu
Valued Contributor III

Going through the same thing with the Microsoft Strong Certificate Mapping. This has to be completed by September 10. So we are testing successfully.

What you got is important. You have the pieces to update your SCEP profile so that the iOS devices obtain certs.

Did you clone your existing SCEP profile and update its payload? For us, we had to do 2 things: 

1. Update the Subject Alternative Name Type (was RFC previously)

2. Update Subject Alternative Name Value (use your output from above, "tag:microsoft.com,2022-09-14:sid:$EXTENSIONATTRIBUTE_1").

When in doubt, Jamf support can help. There's a gentleman there who I feel always gets our SCEP tickets. He is very helpful. Can look up his name if you need.


Screenshot 2025-06-26 at 7.48.32 AM.png

mvu
Valued Contributor III

One other thing, we also did this in our test Jamf and test NDES/SCEP. The values are different when you run the EA. But it's a good test if you have your test environment set up. (Or want to set it up.)

KPZhang
New Contributor


Thanks for the reply, mvu!

Glad to hear it worked in your testing environment. It gives me hope.


I cloned one of my existing SCEP profiles and updated both the Subject Alternative Name Type and the Value.

KPZhang_0-1751013335997.png

However, the user certificate issued to my iOS device still does not contain 1.3.6.1.4.1.311.25.2.

KPZhang_1-1751013623041.png

If this is working correctly in your testing environment, it's possible that my user certificate template on the CA needs to be updated to support issuing certificates that include the 1.3.6.1.4.1.311.25.2 OID.

I'll contact Jamf Support to get help determining what changes I might need to make on the MS CA.


mvu
Valued Contributor III

I see. We got it working in both our prod and test.

Looks like you're 1 little config away from getting this. I think you are on to something with the CA/Jamf config somewhere.

Let us know how it goes ...