Minor Version 3.4 Released

This minor update strengthens AD risk assessments with a new check for spotting dMSA-related risks in Windows Server 2025, improved detection of certificate service misconfiguration (ESC1), and greater deployment and authentication reliability.

What’s Changed in Netwrix PingCastle 3.4

New Check: BADSUCCESSOR Delegation Detected

Flags OUs where risky permissions (e.g., CreateChild, WriteDACL) granted to non-privileged users could enable dMSA abuse and domain compromise in Windows Server 2025 environments.

This check is based on research published by Akamai; for more details, see the community post below.
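As an added illustration (not PingCastle's own check logic), the following PowerShell enumerates the class of OU permissions the description refers to: Allow ACEs that grant CreateChild, WriteDacl or WriteOwner (GenericAll includes all three bits) to principals outside a small allow-list of built-in privileged SIDs. It assumes the RSAT ActiveDirectory module and its AD: drive; the allow-list, and the decision to report every CreateChild grant regardless of the object class the ACE is scoped to, are assumptions, so expect more output than PingCastle's rule produces.

```powershell
# Added example, not PingCastle code. Lists OU ACEs that let a principal create
# or take over objects under the OU (the kind of delegation the BADSUCCESSOR
# check looks at). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Principals expected to hold these rights. Assumption: extend for your environment
# (the Enterprise Admins RID 519 only exists in the forest root domain).
$allowedSids = @(
    'S-1-5-18',          # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',      # BUILTIN\Administrators
    "$domainSid-512",    # Domain Admins
    "$domainSid-519"     # Enterprise Admins
)

# Any ACE carrying one of these bits is interesting. GenericAll is not listed
# because it contains all three bits and would otherwise match every ACE.
$riskyRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, WriteDacl, WriteOwner'

function Get-RiskyOuAces {
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.ActiveDirectoryRights -band $riskyRights) -eq 0) { continue }

            # Resolve the trustee to a SID; an orphaned SID cannot be translated,
            # so keep the raw value and still report it.
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }
            if ($allowedSids -contains $sid) { continue }

            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                Inherited  = $ace.IsInherited
                # Schema GUID the ACE is scoped to; an all-zero GUID means any object class.
                ObjectType = $ace.ObjectType
            }
        }
    }
}

Get-RiskyOuAces | Sort-Object OU | Format-Table -AutoSize
```

Review the ObjectType column before acting on a row: a CreateChild grant scoped to a harmless class is a different risk from an unscoped one, and the output here is a starting point for triage, not a replacement for the PingCastle rule.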

Improved ESC1 Risk Detection and Remediation

The ESC1 check, which detects misconfigurations in Active Directory Certificate Services that could enable privilege escalation, has been enhanced to improve detection accuracy and streamline remediation.

  • Privileged Mode support
    The ESC1 check now supports Privileged Mode, an optional feature that deepens the scan when administrative access is available. By retrieving the Certificate Authority ACLs, PingCastle can more precisely detect risky configurations, such as low-privilege users with certificate enrollment rights, and reduce false positives.

Via Interactive Mode

When running an interactive HealthCheck scan, you are presented with a new option to enable Privileged Mode.

Via Command Line

To run Privileged scans via the command line, use the --Privileged option.

Example:
.\PingCastle.exe --healthcheck --Privileged --server domain.local

Privilege Details

The table below details the specific access Privileged Mode needs and what each rule uses it for.

RuleId | Access Needed | Notes
A-CertTempCustomSubject | Remote Registry on discovered Certificate Authorities | False-positive mitigation for when low-privileged groups have been removed from the CA servers' enrollment permissions.
  • Enhanced Remediation Guidance
    Technical details and remediation steps have been updated to help security teams take swift, informed action when ESC1 risks are detected.

Improved External Authentication Handling

Following the improvements introduced in version 3.3.0.11, external authentication has been further refined for increased reliability and predictability:

  • Better handling of http://localhost during Entra ID authentication flows
  • Additional stability improvements for OAuth-based authentication scenarios

Netwrix Branding

The Netwrix PingCastle web interface and HTML reports now reflect Netwrix branding, delivering a consistent look and feel across all Netwrix solutions.

Windows Server 2025 Support

PingCastle now supports Windows Server 2025 environments.

Breaking Change: SQL Encrypt Now Defaults to True

To align with changes to ADO.NET and prevent common SQL connectivity issues, the MSI installer now sets two connection-string options by default:

  • TrustServerCertificate = True
  • Encrypt = True

The breaking change is that Encrypt is now set to True by default. With this setting the client also validates the TLS certificate presented by SQL Server, so connections fail in environments where SQL Server encryption has not been configured with a certificate the application server trusts (for example, where SQL Server still uses its self-generated certificate). To resolve this, either install a trusted certificate on the SQL Server or set TrustServerCertificate = True in the connection string. Note that TrustServerCertificate = True skips certificate validation: the connection is still encrypted, but the server's identity is not verified, so a trusted certificate is the stronger fix.


Process

  1. Log in to your PingCastle Application Server.
  2. Navigate to your PingCastle installation directory, typically C:\PingCastleEnterprise or C:\PingCastlePro.
  3. Open the appsettings.production.json file in a text editor such as Notepad.
  4. Add the following to the ConnectionStrings → DefaultConnection property:
    Encrypt=True;TrustServerCertificate=True;
  5. Save the file.

Example:

"ConnectionStrings": {
  "DefaultConnection": "Server=.\\SQLExpress;Database=PingCastleEnterprise;Trusted_Connection=True;MultipleActiveResultSets=True;Encrypt=True;TrustServerCertificate=True;"
}
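The steps above can be applied without hand-editing the file. The PowerShell below is an added example, not part of the product: it backs up appsettings.production.json, parses DefaultConnection into key/value pairs, sets Encrypt and TrustServerCertificate to True (replacing any existing value rather than appending a duplicate key), and writes the file back. The default path and the assumption that the file contains no JSON comments are assumptions.

```powershell
# Added example, not part of PingCastle. Ensures Encrypt=True and
# TrustServerCertificate=True are present exactly once in
# ConnectionStrings.DefaultConnection. Run on the PingCastle application server.
param(
    # Assumption: default Enterprise path; pass the Pro path if needed.
    [string]$Path = 'C:\PingCastleEnterprise\appsettings.production.json'
)

# Parse "Key=Value;Key=Value;" into an ordered map so existing keys can be updated in place.
function ConvertTo-ConnectionStringMap([string]$cs) {
    $map = [ordered]@{}
    foreach ($part in ($cs -split ';')) {
        if ([string]::IsNullOrWhiteSpace($part)) { continue }
        $kv = $part -split '=', 2
        $value = if ($kv.Count -gt 1) { $kv[1].Trim() } else { '' }
        $map[$kv[0].Trim()] = $value
    }
    return $map
}

# Set a key case-insensitively so an existing "encrypt=False" is replaced, not duplicated.
function Set-ConnectionStringKey($map, [string]$key, [string]$value) {
    $existing = @($map.Keys) | Where-Object { $_ -ieq $key } | Select-Object -First 1
    if ($existing) { $map[$existing] = $value } else { $map[$key] = $value }
}

function Update-ConnectionString([string]$cs) {
    $map = ConvertTo-ConnectionStringMap $cs
    Set-ConnectionStringKey $map 'Encrypt' 'True'
    Set-ConnectionStringKey $map 'TrustServerCertificate' 'True'
    return (($map.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';') + ';'
}

Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a backup of the original file
$config = Get-Content -Path $Path -Raw | ConvertFrom-Json
$config.ConnectionStrings.DefaultConnection = Update-ConnectionString $config.ConnectionStrings.DefaultConnection
$config | ConvertTo-Json -Depth 10 | Set-Content -Path $Path -Encoding UTF8
Write-Host "DefaultConnection is now: $($config.ConnectionStrings.DefaultConnection)"
```

ConvertTo-Json rewrites the whole file, so formatting and key order may change; the .bak copy lets you diff the result before restarting the application pool.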

New Installations

Customers installing a new PingCastle deployment will have the option to configure Encrypt and TrustServerCertificate settings as needed during installation on the Connection String settings page.

Bug Fixes and Miscellaneous Updates

Id | Title | Type | Case
391119 | [Enterprise] The order of the buttons for Entities organization | Bug |
392262 | Add new Functional Levels | Bug |
393263 | Found legacy risk code. Convert or remove from repo | Bug |
391011 | After the new exe file is copied with autoupgrade, the client will receive a non-working product | Bug |
391976 | [Enterprise] push from the GlobalRiskScore page to the page with domains filtered by score does not work | Bug |
391576 | [Pro/Enterprise] we need to revert or change the HTTPS Redirection change that was implemented with the HSTS changes… | Bug |
391004 | [hilbert_map][Enterprise] The legend is not located near the mouse cursor, but somewhere to the side | Bug |
359448 | Scanner: SMB detection of 3.1.1 does not work | Bug |
391288 | [Enterprise] View details on Agent differents versions card do not redirect anywhere | Bug |
391270 | [Pro] The Update page is missing / we should remove this option from configuration | Bug |
390789 | [Enterprise] The product version is not added into the MSI | Bug |
390673 | Entity “All Data” is missing in “Dashboard => All Domains” | Escalation | 447492
390790 | [Enterprise] the pingcastle exe is not part of the enterprise msi setup anymore | Bug |
388602 | Claims Permissions on Entities not showing the Dashboard? | Bug |
387290 | False Positives in S-Inactive | Escalation | 445547
389313 | Fix extensions in S-FolderOptions | Bug |
387441 | POST /api/AnomalyException Issue | Bug |
387281 | Entra Scans: Application Missmatch | Bug |
387329 | Configuring ‘Number of Days’ on Settings causes crash | Bug |
386600 | [Enterprise] PingCastleEnterprise.Controllers.AccountController.Login / An exception was thrown while deserializing the token. | Bug |
382141 | [Enterprise] When loading a report, n identical warning messages are written to the Application log | Bug |
386246 | [OData] Parsing Select and Expand failed: Term ‘@odata.type’ is not valid in a $select or $expand expression. | Bug |
385980 | Installer: Destination Email | Bug |
378558 | [Object reference not set to an instance of an object.] None of the buttons for generating data for the demo on POK work | Bug |
380747 | [AzureAD checks] The amount of properties we request has changed and decreased. | Bug |
361560 | [Str] The version of the product that we currently build is lower than the one that has already been released to the public | Bug |
376492 | [Enterprise] The AutoUpdater should be hidden from the product | Bug |
378389 | [Report Import] Manual report loading is limited to 25 MB / hardcoded value in import.js file | Bug |
381819 | [Standard] The risk model section is clickable and allows you to collapse this table / based on the formatting it shouldn’t be like this | Bug |
384119 | [Enterprise] Email field is not mandatory and is not checked for completeness user creation /edit | Bug |
380181 | Error on Duplicate Email | Escalation | 440217
378617 | [Enterprise] Remove “New” tags from non-new functionality. | Bug |
381947 | Umlauts are replaced with a “?” | Escalation | 441483
380204 | [Standard] launched from [Enterprise] folder - Could not load assembly when trying to collect AzureAD | Bug |
380699 | [Checks] Typo in LDAP query for P-RODCKrbtgtOrphan | Bug |
380169 | [Pro] AzureAD Config in installer results in non-working product. | Bug |
375107 | [Pro/Enterprise] Enhance installer checks for IIS and ASP.NET | Bug |
377326 | Deprecation of ProvisioningAPI | Feature |
374720 | Implement filtering of ASR Rule based on presence of Exchange | Escalation | 435268
374636 | PingCastle not collecting Azure data | Escalation | 435212
377741 | Add AdminSDHolder to critical infrastructure list | User Story |
364407 | Update the Windows SunBurst OS List | User Story |
376493 | The Sunburn OS selector is unfull of version | Bug |
376494 | The windows sunburn is incomplete with version | Bug |
374321 | Client license is not automatically replaced at start | Escalation | 434838
374942 | [Pro/Enterprise] After installation, the customer will receive a non-working product. | Bug |
375105 | [Pro] EF Core Version Mismatch / Leads to a non-working product | Bug |
374567 | Issue with LAPS Reporting in Pie Charts and Table | Escalation | 435091
368888 | Permissions on Entities | Escalation | 430048
365582 | PwdLastSet is missing in some of the outputs | Bug |
392269 | Fix Typo | Bug |
392270 | Fix Typo | Bug |

Plan your upgrade

Netwrix PingCastle 3.2 will reach its end of support life on January 10, 2026. To learn more, please read the Netwrix End-of-Support Policy.

Need help with this update?

There are many different ways to get help with our products!

Situation | Action
If you feel the product is broken and not working as intended… | Contact Support
If you have a question you’d like to ask other experts… | Create a discussion in the community: PingCastle > Discussions & Questions
If you have a feature request… | Let our product team know directly: PingCastle > Ideas
If you have something cool to show… | Show everyone what you built: PingCastle > Show & Tell

What are your thoughts?

We are always happy to hear from our users about what you like and what you hope to see in the future. Please share your thoughts below!


Two issues found with this version [standard]3.4.1.31:

  1. PingCastleAutoUpdater.exe rolls back PingCastle.exe from 3.4.1.31 to the old version 3.3.0.12.
  2. Running an AD Health Check without local admin rights: the check does not complete.

Hey there,
The PingCastleAutoUpdater uses GitHub releases. We will be updating that later today/early tomorrow, and this will work for you.

Which check or checks are not working? Local admin rights have been needed for some DNS and network-level checks, but I don’t believe they are needed overall.

Cheers,
Joe


Thank you for the new version! It really helps us on our daily work.

Unfortunately we found another issue with PingCastle Enterprise 3.4.1.31, as we get false positives on A-SMB2SignatureNotEnabled.

According to the latest PingCastle scan (A-SMB2SignatureNotEnabled), none of our DCs have SMB signing.
Double-checking with netexec shows SMB signing is enabled on all DCs.

We are investigating this. It looks like the fix to the SMB scanner for SMB 3.1.1 may have broken the logic this risk uses.


Hello! I have some problems with AD health check. I got this error message every time:

[Red][3:32:16 PM] An exception occured when doing the task: Perform analysis for xxxxx
[Red]Note: you can run the program with the switch --log to get more detail
An exception occured when doing the task: Perform analysis for xxxxxx
[Red]Exception: Some or all identity references could not be translated.
Type:System.Security.Principal.IdentityNotMappedException

I don’t have this problem with the previous version (I have just tried and it works just fine). I usually run it on a domain-joined jumphost in an elevated PowerShell session using a domain admin account. What am I missing here?

Hi there, we’re aware of the issue and have a fix internally. We will be releasing an update early next week. The issue seems to usually be on a certificate template where there is an orphaned SID as the owner. If you clear this up it may work. Once the fix is ready I’ll let you know by replying in here.

Cheers,
Joe

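To locate the condition Joe describes before the fixed build arrives, the PowerShell below (an added example, not PingCastle code) walks the certificate templates container and reports templates whose owner SID, or any ACE trustee, no longer resolves to an account. It assumes the RSAT ActiveDirectory module and reads the configuration naming context from the domain you are joined to.

```powershell
# Added example, not PingCastle code. Finds certificate templates with an owner or
# ACE trustee that cannot be translated to an account (an orphaned SID), which is
# what surfaces as IdentityNotMappedException. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-OrphanedTemplateIdentities {
    $configNc    = (Get-ADRootDSE).configurationNamingContext
    $templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($tpl in Get-ADObject -SearchBase $templatesDn -SearchScope OneLevel -Filter 'objectClass -eq "pKICertificateTemplate"') {
        $acl   = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
        $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])

        # Translate throws IdentityNotMappedException when the SID has no account behind it.
        try   { $null = $owner.Translate([System.Security.Principal.NTAccount]) }
        catch { [pscustomobject]@{ Template = $tpl.Name; Where = 'Owner'; Sid = $owner.Value } }

        # Get-Acl leaves trustees it could not resolve as raw SecurityIdentifier objects.
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]) {
                [pscustomobject]@{ Template = $tpl.Name; Where = 'ACE'; Sid = $ace.IdentityReference.Value }
            }
        }
    }
}

Get-OrphanedTemplateIdentities | Format-Table -AutoSize
```

Fixing the owner (for example, by setting it to Enterprise Admins in the template's security dialog) removes the trigger; orphaned ACEs are worth cleaning up at the same time, since they are dead delegations that no one can account for.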

Thank you for the info Joe! That was indeed the issue. I also fixed the unknown owner of one of the certificate templates.

It’s worth noting that I also receive false positives on A-SMB2SignatureNotEnabled. (Similar to Corvin Schmidcorsch)


Got the new PingCastle 3.4.1.35 release and it looks like the SMB issue is still there. Looking forward to the next release.

Yep. That was just a beta release for the impersonation fixes. We will release an update today/tomorrow properly.


Add one more to the list of false positives on SMB signing.

We have all four digitally sign options enabled (client/server, if agrees/always) on our DCs as well as endpoints, and PingCastle is flagging SMB signing as not required.

Also, one other point to note is that the description of the recommended fix isn’t great. SMB2 doesn’t honor the “if client agrees” settings, so for SMB2+ the only setting that works is Always.
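When comparing a report against the real state of the DCs, the setting to read is RequireSecuritySignature, since the "if client agrees" setting (EnableSecuritySignature) only affects SMB1. The PowerShell below is an added example, not PingCastle code: it queries the SMB server configuration on every domain controller over WinRM and assumes the RSAT ActiveDirectory module and remoting access to the DCs.

```powershell
# Added example, not PingCastle code. Collects the effective SMB server signing
# configuration from all domain controllers so it can be compared with what the
# A-SMB2SignatureNotEnabled rule reports. Requires RSAT ActiveDirectory and WinRM.
Import-Module ActiveDirectory

function Get-DcSmbSigning {
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        $cfg = Get-SmbServerConfiguration
        [pscustomobject]@{
            # The only setting SMB2/3 honors; False means signing is negotiable, not required.
            RequireSecuritySignature = $cfg.RequireSecuritySignature
            # SMB1-era "if client agrees" switch; ignored by SMB2/3 but shown for completeness.
            EnableSecuritySignature  = $cfg.EnableSecuritySignature
        }
    } | Select-Object PSComputerName, RequireSecuritySignature, EnableSecuritySignature
}

Get-DcSmbSigning | Sort-Object PSComputerName | Format-Table -AutoSize
```

A DC that shows RequireSecuritySignature = True but is still flagged by the rule is a false positive of the kind reported in this thread; a DC showing False is a genuine finding regardless of what EnableSecuritySignature says.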

Hi, I believe the fix will be the same. We should be releasing the fix tomorrow. Apologies for the delay.