You’re probably following a guide on how to set up Entra CBA and came across Required Affinity Binding on the Entra ID portal, and are wondering whether you need it. Worry not – when Microsoft confuses you, Keytos has you covered!
Required Affinity Binding in Entra CBA determines how Entra ID maps a presented certificate to a user. The “Low” option looks at text-based fields of the certificate such as RFC822Name or PrincipalName, while “High” requires you to set a strong binding, such as adding the serial number of the certificate to the user’s certificateUserIds attribute, ensuring that the user is presenting the exact certificate that you issued for them.
So, based on the name and the definition, you are probably thinking, “I should probably enable High Affinity Binding”; however, depending on your CA setup, it might be overkill and just more work for your team (as well as limiting you to one certificate per user at a time, so you cannot keep spare smartcards).
If you are familiar with how certificate authentication works (TL;DR: you validate that the certificate was issued by a trusted authority and then check the text values of the certificate to identify the user, since you trust that the certificate authority properly validated the user before issuing the certificate), you are probably wondering what the point is of this High Affinity Binding, where you have to manually add the certificate serial number to the user, breaking the automatic rotation that certificate-based authentication brings. Well, the origins of this come from CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923, where you could trick ADCS into issuing a certificate with certain text values that allowed you to elevate from a non-privileged user to domain administrator. To fix this, instead of fixing the problem at the source by creating a modern PKI with advanced registration authority features, Microsoft released KB5014754, a patch for AD that added strong mapping requirements to certificates by requiring the account SID: if your certificate does not contain the account SID in a special field, it will no longer be accepted.
You should enable High Affinity Binding when you do not have full control of which certificates your CA is issuing; for example, when you use the same CA to issue smart card certificates and SSL template certificates, allowing users to request certificates in which they specify the Subject Alternative Name, add a user principal name belonging to another user, and impersonate that person. (For EZCMS with EZCA customers, you are protected due to EZCA’s advanced certificate management tooling, which only allows Smartcard Certificate Authorities to issue certificates through your trusted EZCMS instance.)
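To make the difference between the two binding levels concrete, here is an added example (not Keytos’s or Microsoft’s code) that models both mapping modes and walks through the three situations described above: a legitimate smartcard certificate, a certificate from the same trusted CA whose requester was allowed to choose the Subject Alternative Name, and a renewed certificate with a new serial number. The certificate and user objects are constructed stand-ins for X.509 data and Entra users, the CA names and serials are made up, and the `X509:<I>…<SR>…` shape of the certificateUserIds value is an assumption about Microsoft’s documented format that you should confirm (including the serial number byte ordering) against the Entra CBA documentation before using it in a tenant.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed model of the two Entra CBA affinity binding modes; not Entra ID's own logic.


@dataclass(frozen=True)
class Certificate:
    issuer: str                      # distinguished name of the issuing CA
    serial: str                      # serial number as hex, as the CA displays it
    san_upn: Optional[str] = None    # SAN otherName / PrincipalName
    san_email: Optional[str] = None  # SAN RFC822Name


@dataclass
class User:
    upn: str
    certificate_user_ids: List[str] = field(default_factory=list)


def issuer_serial_id(cert: Certificate) -> str:
    """Value an admin would store in certificateUserIds for a high-affinity binding.

    Assumed shape of Microsoft's issuer-and-serial format; confirm the exact encoding
    (including serial byte order) against the Entra CBA documentation.
    """
    return f"X509:<I>{cert.issuer}<SR>{cert.serial}"


def map_low_affinity(cert: Certificate, users: List[User], trusted_issuers: Set[str]) -> Optional[User]:
    """Low affinity: trust the CA, then take whichever user the certificate's text fields name."""
    if cert.issuer not in trusted_issuers:
        return None
    for name in (cert.san_upn, cert.san_email):  # PrincipalName first, then RFC822Name
        if name is None:
            continue
        for user in users:
            if user.upn.lower() == name.lower():  # simplification: RFC822Name is compared to the UPN
                return user
    return None


def map_high_affinity(cert: Certificate, users: List[User], trusted_issuers: Set[str]) -> Optional[User]:
    """High affinity: trust the CA, then require a user who pre-registered this exact certificate."""
    if cert.issuer not in trusted_issuers:
        return None
    wanted = issuer_serial_id(cert)
    for user in users:
        if wanted in user.certificate_user_ids:
            return user
    return None


def demo() -> Dict[str, Optional[str]]:
    """Run the scenarios from the post and report which user each mode resolves to."""
    ca = "CN=Contoso Smartcard CA,DC=contoso,DC=com"  # constructed CA name
    trusted = {ca}

    admin_cert = Certificate(ca, "01A3", san_upn="admin@contoso.com")
    admin = User("admin@contoso.com", [issuer_serial_id(admin_cert)])  # high binding registered
    alice = User("alice@contoso.com")
    users = [admin, alice]

    # Same trusted CA, but a template that let the requester pick the SAN: alice asked for the admin's UPN.
    forged = Certificate(ca, "01B7", san_upn="admin@contoso.com")
    # A certificate from a CA the tenant does not trust at all.
    rogue = Certificate("CN=Somebody Else CA", "01A3", san_upn="admin@contoso.com")
    # The admin's renewed smartcard: new serial, certificateUserIds not updated yet.
    renewed = Certificate(ca, "01C2", san_upn="admin@contoso.com")

    def upn(user: Optional[User]) -> Optional[str]:
        return user.upn if user else None

    return {
        "legit_low": upn(map_low_affinity(admin_cert, users, trusted)),
        "legit_high": upn(map_high_affinity(admin_cert, users, trusted)),
        "forged_low": upn(map_low_affinity(forged, users, trusted)),      # impersonation succeeds
        "forged_high": upn(map_high_affinity(forged, users, trusted)),    # rejected: serial not registered
        "rogue_low": upn(map_low_affinity(rogue, users, trusted)),
        "rogue_high": upn(map_high_affinity(rogue, users, trusted)),
        "renewed_low": upn(map_low_affinity(renewed, users, trusted)),    # rotation just works
        "renewed_high": upn(map_high_affinity(renewed, users, trusted)),  # rejected until the admin updates the user
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:13s} -> {result}")
```

The two results worth dwelling on are `forged_low`, where a CA that lets requesters pick the SAN turns low affinity into an impersonation path, and `renewed_high`, which is the operational cost of high affinity: every renewal is a failed sign-in until someone updates certificateUserIds. If your CA only issues certificates through a credential management system that sets the SAN itself, the first problem goes away and the second is pure overhead.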
Now onto the question you have been asking yourself since you started reading this blog: “Is Low Affinity in Entra CBA Secure?” The answer is: probably yes. If you are only using your certificate authority to issue these certificates and have a modern credential management system to issue them to your users, you should be fine with Low Affinity Binding, enabling you to take advantage of the features offered by X.509 certificates such as automatic rotation and multiple certificates per user. If you have any questions, talk to our PKI experts and ensure that your infrastructure is secure.