<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>adcs on root@j0su</title><link>https://josupalacios99.github.io/blog/en/tags/adcs/</link><description>Recent content in adcs on root@j0su</description><generator>Hugo</generator><language>en-US</language><copyright>2026 root@j0su · think like the adversary</copyright><lastBuildDate>Tue, 30 Jun 2026 10:00:00 +0200</lastBuildDate><atom:link href="https://josupalacios99.github.io/blog/en/tags/adcs/index.xml" rel="self" type="application/rss+xml"/><item><title>ntlmrelayx and ADCS: when the certificate arrives but doesn't work</title><link>https://josupalacios99.github.io/blog/en/posts/adcs-ntlmrelayx-sid-extension/</link><pubDate>Tue, 30 Jun 2026 10:00:00 +0200</pubDate><guid>https://josupalacios99.github.io/blog/en/posts/adcs-ntlmrelayx-sid-extension/</guid><description>ADCS relay with ntlmrelayx generates certificates that certipy v5 rejects with &amp;lsquo;Object SID mismatch&amp;rsquo;. The root cause is KB5014754: modern DCs require the certificate to contain the user&amp;rsquo;s SID in a Microsoft-proprietary extension. ntlmrelayx doesn&amp;rsquo;t include it. Here&amp;rsquo;s why and how to fix it.</description></item></channel></rss>