Configure certificate selection criteria for Prisma Access Agent to ensure the
correct user certificate is chosen for authentication, providing accurate User-ID
mapping.
Prisma Access Agent now provides
granular certificate selection controls to
address issues where the agent might select incorrect certificates for
authentication, which leads to inaccurate User-ID™ mapping. This enhancement enables
you to specify which certificate store to search and which Extended Key Usage (EKU)
Object Identifiers (OIDs) to use when selecting certificates for authentication. By
leveraging these granular controls, you can ensure that the agent uses the
appropriate user certificate rather than defaulting to a machine certificate, which
could otherwise map device identifiers instead of usernames to your policy
rules.
You can configure the certificate lookup store to search exclusively in the user
store, exclusively in the machine store, or to search the user store first and then
fall back to the machine store if needed. This flexibility helps in scenarios where
you want to enforce user-specific authentication or when you need to accommodate
devices with certificates in different stores. Additionally, you can specify one or
more EKU OIDs that must be present in certificates to ensure valid authentication,
enabling you to filter certificates based on their intended purpose.
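The following added example (not Prisma Access Agent code) models how the lookup-store order and the EKU OID filter interact, using a constructed set of certificates; the `select_certificate` function, the store labels and the sample certificates are assumptions made for illustration, while the EKU OIDs are the standard id-kp values.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Sequence

# Standard Extended Key Usage OIDs (RFC 5280, id-kp arc).
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

# Lookup-store setting -> the order in which stores are searched (assumed labels).
LOOKUP_ORDER = {
    "user": ("user",),
    "machine": ("machine",),
    "user-then-machine": ("user", "machine"),
}


@dataclass(frozen=True)
class Cert:
    subject: str            # subject of the certificate
    store: str              # "user" or "machine" store the certificate lives in
    ekus: FrozenSet[str]    # EKU OIDs present in the certificate


def select_certificate(certs: Iterable[Cert], lookup_store: str,
                       required_ekus: Sequence[str] = ()) -> Optional[Cert]:
    """Return the first certificate found in the configured store order that
    carries every required EKU OID, or None when nothing qualifies.
    A fallback store is only consulted after the preferred store has no match."""
    required = frozenset(required_ekus)
    for store in LOOKUP_ORDER[lookup_store]:
        for cert in certs:
            if cert.store == store and required <= cert.ekus:
                return cert
    return None


# Constructed sample: a user cert for the signed-in user, a user cert meant only
# for S/MIME, and a machine cert that would map a device name instead of a user.
SAMPLE_CERTS = (
    Cert("CN=alice", "user", frozenset({EKU_CLIENT_AUTH})),
    Cert("CN=alice-smime", "user", frozenset({EKU_EMAIL_PROTECTION})),
    Cert("CN=host01.example.test", "machine",
         frozenset({EKU_CLIENT_AUTH, EKU_SERVER_AUTH})),
)

if __name__ == "__main__":
    for mode in LOOKUP_ORDER:
        chosen = select_certificate(SAMPLE_CERTS, mode, [EKU_CLIENT_AUTH])
        print(f"{mode:18} -> {chosen.subject if chosen else 'no certificate'}")
```

Note that with "user-then-machine" a missing or EKU-mismatched user certificate silently falls through to the machine certificate, which is exactly the device-instead-of-user mapping the page warns about; restricting the lookup to the user store makes that condition fail closed instead.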
These settings are valuable in shared-device environments where you need to ensure
proper user identification, or in organizations with strict security policies that
require user-specific certificates for authentication. By enforcing the use of user
certificates, you can maintain accurate user identity mapping throughout your
security infrastructure, ensuring that your access controls and security policies
work as intended.