How can services like a DC map a smart card certificate to an AD account?

In a big network with multiple domains and a complex forest topology, the most unique identifier for a user is the UPN. So Microsoft requires smart card logon certificates to include the UPN in the SAN extension of the certificate.

Starting with Windows Vista, smart card logon certificates no longer need to include the UPN in that extension, which makes mapping a certificate to a user account more challenging.

SSL/TLS services such as a web portal can map certificates that have no SAN; the mapping is done using the Issuer Name and the Subject Name. The KDC supports this type of mapping, among other methods.

So how does the KDC map certificates to accounts? (The first method that locates an account successfully wins, and the search stops.)

  • If a UPN is specified in the SAN extension, the account is located directly, since the UPN is unique per forest.
  • If a username is provided along with the certificate, the username is used for lookup; this is the fastest way, as it is a simple string search. The username can be provided by enabling a GPO setting that displays logon hints on the logon screen, allowing the user to enter his username and/or his domain.
  • When no domain information is available via the hints, the current domain is searched by default. If any other domain is to be used for the lookup, a domain hint must be provided.
  • Then tests are performed using the Subject and Issuer fields of the certificate.
  • Then the subject DN, serial number, Subject Key Identifier and certificate hash are used, in that order. Finally, the SAN attribute is used as the last method.
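
The lookup order above, written out as a script that walks the same candidates against AD. This is an added example, not code from the original post, and it relies on the explicit-mapping string formats that AD stores in the altSecurityIdentities attribute (X509:<I>...<S>..., <SR>, <SKI>, <SHA1-PUKEY>, <RFC822>). The script names ($CertPath, $UserHint, $DomainHint, the helper functions) are the example's own; it assumes the RSAT ActiveDirectory module, a domain-joined host, and a certificate file containing only the public part, so no smart card is needed to test a mapping.

```powershell
# Added example, not code from the original post: walk the KDC-style mapping
# order against AD using the altSecurityIdentities string formats.
# Assumes the RSAT ActiveDirectory module and a domain-joined host.
param(
    [Parameter(Mandatory)][string]$CertPath,  # smart card logon certificate (.cer, public part)
    [string]$UserHint,                         # username typed at the logon hint prompt, if any
    [string]$DomainHint                        # domain hint; defaults to the current domain
)
Import-Module ActiveDirectory
$X509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$X509.X509Certificate2" -ArgumentList $CertPath

# altSecurityIdentities stores DNs reversed and comma-joined
# ("DC=com,DC=contoso,CN=Contoso-CA"); assumes no escaped commas in RDN values.
function ConvertTo-ReversedDN([string]$dn) {
    $rdns = @($dn -split ',\s*')
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

# RFC 4515 escaping so a DN containing ( ) * or \ cannot break the LDAP filter
function ConvertTo-LdapFilterValue([string]$value) {
    return ($value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a')
}

# One lookup step: exactly one hit wins, several hits are ambiguous and skipped
function Find-UserByMapping([string]$Label, [string]$LdapFilter) {
    $params = @{ LDAPFilter = $LdapFilter; Properties = 'altSecurityIdentities' }
    if ($DomainHint) { $params['Server'] = $DomainHint }   # domain hint overrides the current domain
    $hits = @(Get-ADUser @params)
    if ($hits.Count -eq 1) { Write-Host "matched via $Label"; return $hits[0] }
    if ($hits.Count -gt 1) { Write-Warning "$Label is ambiguous ($($hits.Count) accounts); skipping" }
    return $null
}

# Pull every identifier the mapping methods can use out of the certificate
$upn     = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
$email   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
$issuer  = ConvertTo-LdapFilterValue (ConvertTo-ReversedDN $cert.Issuer)
$subject = ConvertTo-LdapFilterValue (ConvertTo-ReversedDN $cert.Subject)
$ski     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' } |
           ForEach-Object { $_.SubjectKeyIdentifier }     # X509SubjectKeyIdentifierExtension
# <SR> is the serial number in reversed byte order
$pairs = @([regex]::Matches($cert.SerialNumber, '..') | ForEach-Object { $_.Value })
[array]::Reverse($pairs)
$serialReversed = -join $pairs
# <SHA1-PUKEY>: assumed here to be SHA-1 over the bytes GetPublicKey() returns;
# compare with the value certutil -dump prints before relying on it
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$pubKeyHash = -join ($sha1.ComputeHash($cert.GetPublicKey()) | ForEach-Object { $_.ToString('x2') })

# Candidate lookups in the order the post gives; the first single hit wins
$order = [ordered]@{}
if ($upn)      { $order['UPN in SAN']    = "(userPrincipalName=$(ConvertTo-LdapFilterValue $upn))" }
if ($UserHint) { $order['username hint'] = "(sAMAccountName=$(ConvertTo-LdapFilterValue $UserHint))" }
$order['issuer + subject'] = "(altSecurityIdentities=X509:<I>$issuer<S>$subject)"
$order['subject DN']       = "(altSecurityIdentities=X509:<S>$subject)"
$order['serial number']    = "(altSecurityIdentities=X509:<I>$issuer<SR>$serialReversed)"
if ($ski)   { $order['subject key identifier'] = "(altSecurityIdentities=X509:<SKI>$ski)" }
$order['public key hash']  = "(altSecurityIdentities=X509:<SHA1-PUKEY>$pubKeyHash)"
if ($email) { $order['SAN e-mail (last)'] = "(altSecurityIdentities=X509:<RFC822>$(ConvertTo-LdapFilterValue $email))" }

$user = $null
foreach ($label in $order.Keys) {
    $user = Find-UserByMapping -Label $label -LdapFilter $order[$label]
    if ($user) { break }
}
if ($user) { $user | Select-Object SamAccountName, UserPrincipalName, DistinguishedName }
else       { Write-Warning 'No account mapped; a KDC logon with this certificate would fail at the mapping step' }
```

Run it as `.\Map-SmartCardCert.ps1 -CertPath .\user.cer` (optionally with `-UserHint` and `-DomainHint`) to see which method an account is found by. Because an ambiguous method (more than one account carrying the same mapping string) is skipped rather than picked from, the script also surfaces the kind of duplicate mapping that a defender wants to find before it shows up as an unexpected logon.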


It is important to note that after a mapping is performed between a certificate and a user name, in most mapping methods the NT_AUTH policy tests must be completed before Kerberos logon is allowed (the test criteria are found here: http://msdn.microsoft.com/en-us/library/aa377163.aspx). One of the important checks is that the issuer of the user certificate must be a CA registered in the NTAuth store, in the AD configuration partition under Services, Public Key Services.
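
The NTAuth check described above, as an added example that is not code from the original post: it reads the NTAuthCertificates object under CN=Public Key Services,CN=Services in the configuration partition and looks for the CA that issued a given certificate. The parameter name $CertPath is the example's own; it assumes the RSAT ActiveDirectory module and a certificate file supplied by the caller.

```powershell
# Added example, not code from the original post: confirm that the CA which
# issued a smart card certificate is published in the NTAuth store in AD.
# Assumes the RSAT ActiveDirectory module and a certificate file path.
param([Parameter(Mandatory)][string]$CertPath)
Import-Module ActiveDirectory
$X509Type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$cert = New-Object $X509Type -ArgumentList $CertPath

# NTAuthCertificates lives in the configuration partition, under Services / Public Key Services
$configNC = (Get-ADRootDSE).configurationNamingContext
$ntauthDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntauth   = Get-ADObject -Identity $ntauthDN -Properties cACertificate

# cACertificate is multi-valued; each value is one DER-encoded CA certificate
$ntauthCAs = foreach ($der in $ntauth.cACertificate) {
    New-Object $X509Type -ArgumentList (,[byte[]]$der)
}

# Match the leaf's issuer name against the subject of every CA in NTAuth.
# Name matching is what the post describes; a stricter variant would build the
# chain and compare the issuing CA's thumbprint instead of its name.
$match = @($ntauthCAs | Where-Object { $_.Subject -eq $cert.Issuer })
if ($match.Count -gt 0) {
    "OK: issuer '$($cert.Issuer)' is in NTAuth (thumbprint(s): $(($match | ForEach-Object { $_.Thumbprint }) -join ', '))"
} else {
    Write-Warning "Issuer '$($cert.Issuer)' is NOT in NTAuth; the NT_AUTH policy test fails and Kerberos logon is refused"
    "NTAuth currently contains:"
    $ntauthCAs | Select-Object Subject, NotAfter, Thumbprint
}
```

A missing entry here is the usual reason a certificate that maps to an account perfectly well is still rejected at logon; publishing the CA certificate is done with `certutil -dspublish -f CA.cer NTAuthCA`, and `certutil -viewstore -enterprise NTAuth` shows the same store from the client side.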

Note: PKINIT stands for Public Key Cryptography for Initial Authentication in Kerberos; it means using smart cards for logon.
