Certificate-Authentication Support in Full-Enforcement Domains

This guide describes the additional configuration required to allow certificate authentication when Windows domain controllers run in Full Enforcement mode. For background on Full Enforcement mode in Windows domains, see Microsoft's documentation KB5014754: Certificate-based authentication changes on Windows domain controllers.

For certificate authentication to work in Full Enforcement mode, PrivX must know the SID of the account used on the connection target, so that the SID can be embedded in the authentication certificate. Depending on the target-account type, you either enter the SID manually in PrivX or let PrivX read it from the target user's directory.

Enabling the Security ID X.509 Certificate Extension

To make PrivX add the Security ID extension to the RDP X.509 authentication certificates, enable the setting Add Security ID extension to RDP X.509 certificates under Settings→Authorizer→CA Options. Once you Save, the change takes effect immediately; no restart is needed.
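Before relying on the setting, it is worth confirming on a Windows host that a certificate issued by PrivX actually carries the extension and that the embedded SID is the one you expect. The following script is an added example and not PrivX product code; it checks for the Microsoft SID extension (OID 1.3.6.1.4.1.311.25.2, as documented in KB5014754) in an exported certificate file. The certificate path and the expected SID are placeholders, and the function name Test-RdpCertSid is an assumption of this example.

```powershell
# Added example, not part of PrivX. Verifies that an X.509 certificate carries the
# Microsoft SID extension (OID 1.3.6.1.4.1.311.25.2) and that the embedded SID
# matches the SID configured for the target account in PrivX.
function Test-RdpCertSid {
    param(
        [Parameter(Mandatory)] [string] $CertPath,     # DER or Base64 .cer/.pem file
        [Parameter(Mandatory)] [string] $ExpectedSid   # SID entered in PrivX, e.g. S-1-5-21-...-1105
    )

    $SidExtensionOid = '1.3.6.1.4.1.311.25.2'

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid }

    if (-not $ext) {
        Write-Warning "No SID extension ($SidExtensionOid) in '$($cert.Subject)'. A Full Enforcement DC will reject it."
        return $false
    }

    # The extension value is an ASN.1 SEQUENCE whose inner OCTET STRING carries the SID
    # as a plain ASCII string ("S-1-5-21-..."), so a regex over the raw bytes is enough
    # for a sanity check; a full ASN.1 decode is not needed here.
    $raw = [System.Text.Encoding]::ASCII.GetString($ext.RawData)
    if ($raw -match 'S-1-5-21(-\d+)+') {
        $embeddedSid = $Matches[0]
    } else {
        Write-Warning "SID extension present, but no SID string could be found in it."
        return $false
    }

    if ($embeddedSid -ne $ExpectedSid) {
        Write-Warning "SID mismatch: certificate carries $embeddedSid, PrivX is configured with $ExpectedSid."
        return $false
    }

    Write-Output "OK: '$($cert.Subject)' carries SID $embeddedSid"
    return $true
}

# Placeholder usage (constructed values; substitute a real exported certificate and SID):
# Test-RdpCertSid -CertPath 'C:\temp\privx-rdp-user.cer' -ExpectedSid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
```

The check only confirms that the SID is present and matches; whether the domain controller accepts the certificate also depends on the usual chain and EKU requirements, which are outside the scope of this page.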

Accounts in Target Domains

Accounts in target domains must be configured as follows:

  • If the managed accounts are not scanned: the SID must be added manually to each managed account. To do this, edit the managed account in PrivX and enter the SID in the Security ID field.
  • If using Entra: Entra must be synced with the on-premises AD, because the SIDs come from the on-premises AD.
  • The Disable RDP Certificate Authentication flag must remain disabled. The flag is disabled by default.

Accounts Outside Target Domains

Explicit Accounts

Explicit accounts cannot be associated with SIDs. If such targets need to support certificate authentication, you must convert them to managed accounts in target domains.

  1. If needed, create a target domain.
  2. Add managed accounts corresponding to Explicit accounts. Remember to add the account's SID to the managed account's Security ID.
  3. To allow access to the managed accounts, add them as Accounts under the appropriate Hosts. Note that you must also specify the managed account's Target Domain.

For more information about target domains and their managed accounts, see .

Directory Accounts

For Directory accounts without a Username Attribute:

  • If the account's directory is AD or GraphAPI, no changes are needed.
  • If the account's directory is Local User, edit the local user(s) and enter their SIDs into the windows_sid custom attribute.
  • Other directories (SCIM/OIDC) are not yet supported.

For Directory accounts with a Username Attribute, the target accounts must be associated with SIDs via target domains:

  1. If needed, create a target domain.
  2. Add managed accounts corresponding to Windows-domain accounts used for login on target hosts. Remember to add the account's SID to the managed account's Security ID.
  3. Back in the host settings under Accounts, find the Directory account and set its Target Domain to the one created or used earlier.
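Every procedure above ends with the same step: entering the correct SID into a managed account's Security ID field or a local user's windows_sid attribute. The script below is an added example, not PrivX product code, showing how to resolve those SIDs for the three account sources this page mentions: Windows-domain accounts (resolved through the LSA lookup any domain-joined host can perform), local accounts on a target host (which must be resolved on that host, because local SIDs differ per machine), and Entra users synced from on-premises AD (for which the Microsoft Graph onPremisesSecurityIdentifier property is only populated when the sync described above is in place). The account names are constructed sample input; the function names and the use of the Microsoft.Graph module with an existing Connect-MgGraph session are assumptions of this example.

```powershell
# Added example, not part of PrivX. Resolves Windows SIDs for the account types
# referenced on this page so they can be entered into PrivX.

function Get-DomainAccountSid {
    # Domain account -> SID via LSA lookup; works from any domain-joined host,
    # no ActiveDirectory module required. Accepts 'CORP\jdoe' or 'jdoe@corp.example'.
    param([Parameter(Mandatory)][string] $Account)
    $nt = [System.Security.Principal.NTAccount]::new($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-TargetHostLocalUserSid {
    # SID of a local account on a target host (PrivX "Local User" directory, windows_sid).
    # Resolved on the host itself: the machine SID prefix differs for every host.
    param([Parameter(Mandatory)][string] $ComputerName,
          [Parameter(Mandatory)][string] $UserName)
    return Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-LocalUser -Name $using:UserName).SID.Value
    }
}

function Get-EntraUserOnPremSid {
    # Entra user -> on-premises SID. Assumes Microsoft.Graph is installed and
    # Connect-MgGraph has been run with User.Read.All. The property is only set for
    # users synced from on-premises AD, which is the precondition stated on this page.
    param([Parameter(Mandatory)][string] $UserPrincipalName)
    $u = Get-MgUser -UserId $UserPrincipalName -Property OnPremisesSecurityIdentifier
    if (-not $u.OnPremisesSecurityIdentifier) {
        throw "$UserPrincipalName has no on-premises SID; the user is not synced from AD."
    }
    return $u.OnPremisesSecurityIdentifier
}

# Constructed sample input: replace with the accounts you are adding to PrivX.
$domainAccounts = @('CORP\svc-rdp-admin', 'CORP\jdoe')

$results = foreach ($account in $domainAccounts) {
    try {
        [pscustomobject]@{ Account = $account; SID = Get-DomainAccountSid -Account $account }
    } catch {
        # An unresolvable name means the account does not exist or this host cannot
        # reach a DC for that domain; do not guess a SID, fix the lookup instead.
        [pscustomobject]@{ Account = $account; SID = "UNRESOLVED: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize

# Examples for the other two sources (constructed names):
# Get-TargetHostLocalUserSid -ComputerName 'rdp-target-01' -UserName 'localadmin'
# Get-EntraUserOnPremSid -UserPrincipalName 'jdoe@corp.example'
```

A domain account's SID is the same wherever it is resolved, so it can be collected from any domain-joined administrative host; a local account's SID is bound to one machine and must be taken from that machine. If the Entra lookup throws, the user is not synced from AD and certificate authentication for that account will not work until the sync is in place.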
