Mapped Certificates on Accounts
Microsoft provides a feature called security identity mapping, which attaches a certificate to an account or a group (the `altSecurityIdentities` attribute). In certain scenarios the mapped certificate serves as an alternate credential for authenticating to resources.
However, a certificate mapped to a privileged account is dangerous when that certificate, and its private key, are not protected at least as well as the sensitive account itself: whoever holds the key can authenticate as the account. Such a mapping can also be a persistence mechanism that an attacker set up earlier.
Whenever an alternate security identity is set on a privileged Active Directory account, evaluate it and decide whether or not to accept the resulting risk of privilege escalation. When in doubt, you can safely remove it.
Note: This feature is unrelated to smart-card logon, which remains a strong authentication option when properly configured.
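The following PowerShell is an added example for reviewing this indicator; it is not part of the original page or of any vendor tooling. It lists every account with `altSecurityIdentities` set, flags protected (`adminCount=1`) accounts as privileged, and classifies each mapping as strong or weak using the format categories Microsoft documents in KB5014754. It assumes the RSAT ActiveDirectory module and read access to the domain; `adminCount=1` is used as a heuristic for "privileged".

```powershell
# Added example: review certificate mappings (altSecurityIdentities) on AD accounts.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-MappingStrength {
    # Classify one altSecurityIdentities value. Strong/weak categories follow
    # Microsoft KB5014754: issuer+serial, SKI and public-key hash are strong;
    # subject-only, issuer+subject and RFC822 (email) mappings are weak.
    param([string]$Mapping)
    switch -Regex ($Mapping) {
        '^X509:<I>.*<SR>'    { return 'strong (issuer + serial number)' }
        '^X509:<SKI>'        { return 'strong (subject key identifier)' }
        '^X509:<SHA1-PUKEY>' { return 'strong (public key hash)' }
        '^X509:'             { return 'WEAK (name/email based, spoofable by any issuer of that name)' }
        default              { return 'non-X509 mapping (e.g. Kerberos name)' }
    }
}

function Get-MappedCertificateAccounts {
    # Every object carrying at least one alternate security identity.
    $objects = Get-ADObject -LDAPFilter '(altSecurityIdentities=*)' `
        -Properties altSecurityIdentities, adminCount, objectClass

    foreach ($obj in $objects) {
        foreach ($mapping in $obj.altSecurityIdentities) {
            [pscustomobject]@{
                Account    = $obj.DistinguishedName
                Class      = $obj.objectClass
                Privileged = ($obj.adminCount -eq 1)   # heuristic: AdminSDHolder-protected
                Mapping    = $mapping
                Strength   = Get-MappingStrength $mapping
            }
        }
    }
}

# Privileged accounts first, weak mappings on top: these are the findings to triage.
Get-MappedCertificateAccounts |
    Sort-Object -Property @{Expression = 'Privileged'; Descending = $true}, Strength |
    Format-Table -AutoSize

# Remediation after review (uncomment for a specific object): clear the attribute.
# Set-ADObject -Identity '<DN of the account>' -Clear altSecurityIdentities
```

A mapping that is both privileged and weak should be treated as an elevation-of-privilege finding; a strong mapping on a privileged account still needs justification and evidence that the key is held in hardware or otherwise protected as well as the account.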

See Also

Mapping a client certificate to an AD domain account using clientCertificateMappingAuthentication

Map a certificate to a user account

Mapping certificates to user accounts

Indicator Details

Name: Mapped Certificates on Accounts
Severity: Critical

MITRE ATT&CK Information:

Tactics: TA0003

Techniques: T1098

Attacker Known Tools

Gentil Kiwi: Kekeo