AWS workspaces high security documentation change
Summary
Made ObjectSid attribute mandatory and added Microsoft KB5014754 compliance note
Security assessment
Directly addresses upcoming Microsoft security requirement (KB5014754) for certificate-based authentication by making ObjectSid mandatory, preventing future authentication failures.
Diff
diff --git a/workspaces/latest/adminguide/certificate-based-authentication-prereq.md index 841bfce9d..616142baa 100644 --- a/workspaces/latest/adminguide/certificate-based-authentication-prereq.md +++ b/workspaces/latest/adminguide/certificate-based-authentication-prereq.md @@ -17 +17,5 @@ Don't enable **Smart card sign in** in your pool directory if you want to use ce - 3. (Optional) Configure the `ObjectSid` attribute in your SAML assertion. You can use this attribute to perform strong mapping with the Active Directory user. Certificate-based authentication fails if the `ObjectSid` attribute doesn't match the Active Directory security identifier (SID) for the user specified in the SAML_Subject `NameID`. For more information, see [Step 7: Create assertions for the SAML authentication response](./create-directory-pools.html#saml-directory-create-assertions). + 3. Configure the `ObjectSid` attribute in your SAML assertion. You can use this attribute to perform strong mapping with the Active Directory user. Certificate-based authentication fails if the `ObjectSid` attribute doesn't match the Active Directory security identifier (SID) for the user specified in the SAML_Subject `NameID`. For more information, see [Step 7: Create assertions for the SAML authentication response](./create-directory-pools.html#saml-directory-create-assertions). + +###### Note + +According to [Microsoft KB5014754](https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16), the `ObjectSid` attribute will become mandatory for certificate-based authentication after September 10, 2025.