correct.
 
Your first case uses implicit mapping - it requires that the UPN of the user match the AltSubjectName in the cert.
Your 2nd and 3rd cases are correct as well.
 
Here are some more links for you:
 
Step-by-Step Guide to Mapping Certificates to User Accounts
http://www.microsoft.com/windows2000/techinfo/planning/security/mappingcerts.asp
 
steve
 
----- Original Message -----
Sent: Thursday, March 31, 2005 10:36 PM
Subject: [ActiveDir] Dont understand AD certificate mapping very well

hello list,

I want to authenticate clients that access IIS applications by using AD certificate mapping. I have read some articles about this issue but I still have some doubts.
These are my conclusions... please, correct me if i am wrong:

There are three ways to map a certificate to a user account: UPN mapping, One-to-One mapping, Many-to-one mapping.

In the first case, the UPN is extracted from the certificate and is used to search for the user account in the AD. If the account exists, the client can access the web server, but there is no need to have a copy of the client certificate on the server. The only requisite is that the user account must exist in the AD. Also, the altSecurityIdentities user account attribute is not needed at all.

In the second and third cases, the administrator specifies the mapping explicitly and the altSecurityIdentities attribute is used in order to authenticate the client.

Am I right?

Thanks in advance!



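Added illustration, not part of either message above: a small Python model of how the three mapping modes discussed in this thread resolve a client certificate to an account. The accounts and certificates are constructed; the "X509:<I>issuer<S>subject" string is AD's altSecurityIdentities syntax, and the explicit-before-implicit lookup order is an assumption of this model.

```python
from dataclasses import dataclass, field
from typing import List, Optional
@dataclass
class Account:
    sam: str
    upn: str
    # altSecurityIdentities values: "X509:<I>issuer<S>subject" pins one cert
    # (one-to-one); "X509:<I>issuer" accepts every cert from that issuer (many-to-one).
    alt_sec_ids: List[str] = field(default_factory=list)

@dataclass
class Cert:
    issuer: str
    subject: str
    upn_san: Optional[str] = None  # UPN from the SubjectAltName, if present

def map_implicit(cert: Cert, accounts: List[Account]) -> Optional[Account]:
    """UPN mapping: the SAN UPN alone selects the account (no cert copy, no altSecurityIdentities),
    so any CA the server trusts can issue a cert whose SAN UPN names any account."""
    if not cert.upn_san:
        return None
    hits = [a for a in accounts if a.upn.lower() == cert.upn_san.lower()]
    return hits[0] if len(hits) == 1 else None

def map_explicit(cert: Cert, accounts: List[Account]) -> Optional[Account]:
    """One-to-one / many-to-one: an admin-written entry must name this issuer (+ subject)."""
    one_to_one = f"X509:<I>{cert.issuer}<S>{cert.subject}"
    many_to_one = f"X509:<I>{cert.issuer}"
    for a in accounts:
        if one_to_one in a.alt_sec_ids:
            return a
    hits = [a for a in accounts if many_to_one in a.alt_sec_ids]
    return hits[0] if len(hits) == 1 else None  # ambiguous mapping => no logon

def resolve(cert: Cert, accounts: List[Account]) -> Optional[str]:
    acct = map_explicit(cert, accounts) or map_implicit(cert, accounts)  # explicit first (model assumption)
    return acct.sam if acct else None

# Constructed directory: an implicitly mapped user, a one-to-one and a many-to-one entry.
CORP_CA = "CN=Corp CA,DC=corp,DC=example"
PARTNER_CA = "CN=Partner CA,DC=partner,DC=example"
ACCOUNTS = [
    Account("alice", "alice@corp.example"),
    Account("bob", "bob@corp.example", [f"X509:<I>{CORP_CA}<S>CN=Bob"]),
    Account("svc_partner", "svc_partner@corp.example", [f"X509:<I>{PARTNER_CA}"]),
]
if __name__ == "__main__":
    for c in (Cert(CORP_CA, "CN=Alice", "alice@corp.example"), Cert(CORP_CA, "CN=Bob"),
              Cert(PARTNER_CA, "CN=Anyone"), Cert(CORP_CA, "CN=Mallory")):
        print(c.subject, "->", resolve(c, ACCOUNTS))
```

The Alice certificate maps with no altSecurityIdentities entry at all, Bob's only because the admin pinned issuer and subject, and the partner certificate maps any subject from that issuer to the service account.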

