Commit
Release 1.4.728.502
Sleepw4lker committed Dec 30, 2022
1 parent 1ee1a44 commit eee72b4
Showing 2 changed files with 22 additions and 7 deletions.
25 changes: 20 additions & 5 deletions CHANGELOG.adoc
@@ -1,21 +1,36 @@
== Changelog for the TameMyCerts Policy Module

=== 1.4.728.502 (Dec 29, 2022)

This is a bug fix only release. TameMyCerts is now covered by link:TameMyCerts.IntegrationTests[automated integration tests^] featuring Pester and link:https://github.com/Sleepw4lker/PSCertificateEnrollment[PSCertificateEnrollment^] which allows to test parts of the code base not testable with unit tests.

* Fix a bug causing directory mapping not finding all of mapped object's attributes when using global catalog (no SearchRoot configured in policy) to find an object.
* Fix a bug causing to not display the correct error message in case no connection to Active Directory is possible during directory validation.
* Fix a bug causing certificate modifications made by TameMyCerts are not applied when a template is configured to put requests in pending state.
* Fix a bug causing to falsely log that a certificate request would get denied even if there is no reason to when policy is configured in audit mode.
* Fix a bug causing the StartDate request attribute not getting applied if no policy is configured for the given certificate template.
* Fix a bug causing request attributes to get processed case-sensitive which would allow cirvumventing security measures.
* Fix a bug causing directory mapping to fail when the userPrincipalName attribute is not populated for an account (even if is was not used for mapping). Due to this, mapped accounts are now identified and logged with their distinguishedName attribute instead oder userPrincipalName.
* Fix a bug causing an exception with directory mapping when the telexNumber directory attribute is populated for an object, as the property is not of string data type. Support for the telexNumber directory attribute has therefore been dropped.
* Fix a bug causing requests using a valid process name to get denied when only DisallowedProcesses is configured.
* Fix a bug causing requests using a valid cryptographic provider to get denied when only DisallowedCryptoProviders is configured.

=== 1.3.683.747 (Nov 15, 2022)

* Implement support for (over)writing the subject relative distinguished name (RDN) of issued certificates with configurable attributes from a mapped Active Directory object.
* Implement support for supplementing missing DNS names and IP addresses from commonName field in subject distringushed name into the subject alternative name of the issued certificate. This is to automatically make issued certificates compliant to link:https://www.rfc-editor.org/rfc/rfc2818[RFC 2818^].
* Add option to issue certificates for mapped acounts that are disabled (e.g. to prestage certificates in combination with the "StartDate" attribute functionality).
* Add option to remove Security Identifier certificate extension when provided in a certificate request instead of denying it entirely ("Remove" keyword for the SecurityIdentifierExtension directive).
* Add option to remove Security Identifier (szOID_NTDS_CA_SECURITY_EXT) certificate extension when provided in a certificate request instead of denying it entirely ("Remove" keyword for the SecurityIdentifierExtension directive).
* Key rules can now also be applied to requests for online certificate templates.
* Fix string substitution for the "serialNumber", "unstructuredName" and "unstructuredAddress" relative distinguished names.
* Fix a bug preventing the use of the "any" CIDR mask (0.0.0.0/0) in a subject rule.
* Fix string substitution for the "serialNumber", "unstructuredName" and "unstructuredAddress" relative distinguished name types.
* Fix a bug preventing the use of the "any" IPv4 CIDR mask (0.0.0.0/0) in a subject rule.
* Fix a bug in installer script not updating policy directory.

=== 1.2.587.662 (Aug 11, 2022)

* Implement support for looking up identities that are requested in offline templates against Active Directory (calles "directory mapping"). It may be specified if a certificate request shall get denied if a matching user or computer account does not exist, is disabled, if it is member of a forbidden group, or not member of any permitted group.
* Implement support for looking up identities that are requested in offline templates against Active Directory (called "directory mapping"). It may be specified if a certificate request shall get denied if a matching user or computer account does not exist, is disabled, if it is member of a forbidden group, or not member of any permitted group.
* Implement support for adding the new Security Identifier (szOID_NTDS_CA_SECURITY_EXT with object id 1.3.6.1.4.1.311.25.2) certificate extension that was introduced with link:https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16[KB5014754^] to certificates issued for offline certificate requests (requires directory mapping). This should enable users to prevent authentication to fail when strong certificate mapping will be enforced on May 9, 2023.
* Implement protection against forgery of the szOID_NTDS_CA_SECURITY_EXT certificate extension by the enrollee. Policy can be configured to deny offline requests containing this extension (default is to deny).
* Implement protection against forgery of the szOID_NTDS_CA_SECURITY_EXT certificate extension by the enrollee. Policy can be configured to deny or allow offline requests containing this extension (default is to deny).
* Implement support for specifying a fixed expiration date on a per-template basis.
* Implement proper logging for processing of the "StartDate" request attribute and align behavior with Windows Default policy module.
* Fix a bug causing the module to return the validation result too early. This had no effect on security but not all violations against the ruleset would get logged, making troubleshooting somewhat more difficult.
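Review bot: the new 1.4.728.502 entries carry typos that should be fixed before this ships: `cirvumventing` should read `circumventing`, `even if is was not used for mapping` should read `even if it was not used for mapping`, and `instead oder userPrincipalName` should read `instead of userPrincipalName` (`which allows to test` would also read better as `which allows testing`). Two entries deserve more than a one-line bug note: the case-sensitive request-attribute fix is described as something that "would allow circumventing security measures", so the entry should state plainly that it is a security fix and that administrators running earlier versions should upgrade, and the removal of `telexNumber` support is a behaviour change for any policy that referenced that attribute and should be labelled as such. Minor: the heading dates the release Dec 29, 2022 while the commit is dated Dec 30, and the pre-existing `distringushed` and `acounts` in the 1.3.683.747 section could be corrected in the same pass.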
4 changes: 2 additions & 2 deletions TameMyCerts/AutoVersionIncrement.cs
@@ -9,5 +9,5 @@
// Build Number
// Revision

[assembly: AssemblyVersion("1.3.683.747")]
[assembly: AssemblyFileVersion("1.3.683.747")]
[assembly: AssemblyVersion("1.4.728.502")]
[assembly: AssemblyFileVersion("1.4.728.502")]
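Review bot: both `AssemblyVersion` and `AssemblyFileVersion` are bumped together and agree with the CHANGELOG heading and the commit title (1.4.728.502), so nothing to change in this hunk; since the numbers in `AutoVersionIncrement.cs` are evidently edited by hand alongside the changelog, a small check that the topmost CHANGELOG version equals the assembly version would keep the two from drifting in future releases.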

0 comments on commit eee72b4