For Bernard - I think that I found the Answer was [Re: [Cross-posted]: Problem with Active Directory Mapping?]
From: Ohaya (ohaya_at_cox.net)
Date: 09/12/03
- Next message: Raoul Krakowski: "IIS 5.0-6.0 Virtual Directory Permissions Issue"
- Previous message: Ohaya: "Re: [Cross-posted]: Problem with Active Directory Mapping?"
- In reply to: Ohaya: "Re: [Cross-posted]: Problem with Active Directory Mapping?"
- Next in thread: Bernard: "Re: For Bernard - I think that I found the Answer was [Re: [Cross-posted]: Problem with Active Directory Mapping?]"
- Reply: Bernard: "Re: For Bernard - I think that I found the Answer was [Re: [Cross-posted]: Problem with Active Directory Mapping?]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 12 Sep 2003 10:29:31 -0400
Hi,
I think that I just found the answer to my question.
I think that there are really two "ways" to do the mappings:
- IIS Mapping
- Windows-Native or Active Directory Mapping
With "Windows-Native or Active Directory" Mapping, there is a thing
called "User Principal Name Mapping" or "UPN Mapping". The description
that I found for UPN Mapping says that:
"User principal name mapping is a special case of one-to-one mapping. To
use user principal name mapping, you must use the Active Directory
directory service. With user principal name mapping, the user principal
name is used to find the user's account in Active Directory and log it
onto the network or host. The user principal name looks very much like
an e-mail name, and is unique within a Windows Server 2003, Standard
Edition; Windows Server 2003, Enterprise Edition; or Windows Server
2003, Datacenter Edition domain. Enterprise certification authorities
(CAs) place the user principal name of the certificate holder into each
certificate. Thus, for accessing a secure IIS server or logging on to
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise
Edition; or Windows Server 2003, Datacenter Edition with a smart card,
the mapping of user names to accounts is automatic on these
certificates."
I think that the above describes what is happening in my testing.
BTW, I found another MS document that indicates that, contrary to what
the above seems to imply, this Active Directory/UPN Mapping was also
available in Windows 2000.
I have one other question regarding this, as I just found out yesterday
that the client certificates that we will be using will not be
created/issued using MS Certificate Server, but I will post a new thread
on this. If anyone is interested, I will use the subject "Client
Certificate Principal Name Specifications?"
Thanks!!!
Ohaya wrote:
>
> Hi All,
>
> Sorry for the repost, but can anyone shed some light on this
> problem/situation?
>
> Thanks!
>
> Ohaya wrote:
> >
> > Hello,
> >
> > [I originally started this thread in microsoft.public.inetserver.iis,
> > and am including a good portion of the thread below FYI. I'm
> > cross-posting, as microsoft.public.inetserver.iis.security and
> > microsoft.public.windows.server.security were suggested by Bernard and
> > Tim, respectively. My Apologies.]
> >
> > Setup:
> >
> > - MS Windows 2003 Server with IIS, AD, and Certificate Server.
> > - IIS has a self-signed server cert from Certificate Server
> > - Creating/installing client certificates using Certificate server
> > - IIS configured for client certificate authentication
> > - Active Directory (or Windows Directory) Mapping enabled
> >
> > I hope that I haven't missed anything :)...
> >
> > Problem Description:
> >
> > According to:
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;q272175
> >
> > among other places, part of the procedure to enable Active Directory
> > Certificate Mapping is to load the client certificates being mapped into
> > Active Directory (see "Map the Client Certificate to the Corresponding
> > Active Directory User" section on above page), by setting the "Name
> > Mapping" for each Active Directory user.
> >
> > Using ldifde, I have confirmed that when a user is "Name Mapped", a copy
> > of the client certificate appears to be stored in the AD store, and when
> > the client certificate is deleted from the User->Name Mapping, that the
> > client certificate is removed from the AD store.
> >
> > BUT, from my testing, whether or not ANY Users in AD have been Name Mapped,
> > when I make a connection from a PC (using IE) with a client certificate,
> > the client certificate-to-Windows user mapping still seems to be
> > working/occurring. I confirm this by two means:
> >
> > - I have an ASP page that displays the
> > Request.ServerVariables("AUTH_USER"). When the mapping is working, the
> > user name from the client certificate is displayed. When mapping is not
> > working or disabled, the user name is blank/null
> >
> > - The second way I confirm this is that in IIS log files, when mapping
> > is working, the user name is included in IIS log file entries. When
> > mapping is not enabled, the user name is not included in the IIS log
> > file entries.
> >
> > Mind you, for my situation, the way that this (Active) or (Windows)
> > Directory Mapping is working (i.e., contrary to MS documentation,
> > without having to actually load the client certificates into Active
> > Directory) is actually a good thing operationally, but I would really
> > like to know WHY it is working this way (i.e., is this the way that it is
> > supposed to work?).
> > Aside from just plain curiosity, my main reasons for wanting to know are
> > that: (1) I need to understand how this mapping is functioning, and
> > also, (2) it would be disastrous for me to design/build a system based on
> > my finding one thing (i.e., loading certificates is not needed for
> > Directory Mapping) and then find out that it changes later.
> >
> > Thank you all very much for your patience!!!
> >
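Editor's added example (not code from the thread, from Ohaya, or from Microsoft): the quoted documentation says UPN mapping finds the account by the User Principal Name that an enterprise CA writes into the certificate, which is why the mapping kept working with no certificate loaded into AD. The block below models exactly that offline. It builds a Subject Alternative Name extension carrying a UPN in an otherName entry (the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3 is real; the certificate contents, the directory table, the account names and the map_certificate function are constructed here for illustration), parses the UPN back out with a small DER reader, and resolves it against the directory the way an AUTH_USER lookup would. It also covers the two failure cases a practitioner should expect: a certificate with no UPN, and a UPN that matches no account, both of which yield an empty user rather than a guess. Because the scheme trusts whatever UPN the issuer asserts, the issuer check has to come before the lookup; the issuer_trusted flag stands in for that trust decision.

```python
"""UPN certificate mapping, modelled offline (added example, not from the thread)."""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft szOID_NT_PRINCIPAL_NAME (real OID)

# Constructed stand-in for Active Directory: userPrincipalName -> account.
# Keys are lower-case because UPN lookups are case-insensitive.
DIRECTORY = {
    "alice@corp.example": "CORP\\alice",
    "bob@corp.example": "CORP\\bob",
}


# --- minimal DER helpers (enough for a SubjectAltName value) ---------------
def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# --- building and reading the SAN --------------------------------------------
def build_san(general_names):
    """Encode a SubjectAltName value; entries are ('upn', str) or ('dns', str)."""
    parts = []
    for kind, value in general_names:
        if kind == "upn":
            # otherName ::= [0] IMPLICIT { type-id OID, value [0] EXPLICIT UTF8String }
            other = _tlv(0x06, _encode_oid(UPN_OID)) + _tlv(0xA0, _tlv(0x0C, value.encode()))
            parts.append(_tlv(0xA0, other))
        elif kind == "dns":
            parts.append(_tlv(0x82, value.encode()))  # dNSName [2] IMPLICIT IA5String
    return _tlv(0x30, b"".join(parts))


def extract_upn(san_der):
    """Return the UPN from the first otherName entry with the UPN OID, else None."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName is not a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, entry, pos = _read_tlv(body, pos)
        if tag != 0xA0:                 # not an otherName
            continue
        oid_tag, oid_body, p = _read_tlv(entry, 0)
        if oid_tag != 0x06 or _decode_oid(oid_body) != UPN_OID:
            continue
        _, explicit, _ = _read_tlv(entry, p)   # the [0] EXPLICIT wrapper
        str_tag, str_body, _ = _read_tlv(explicit, 0)
        if str_tag != 0x0C:
            raise ValueError("UPN value must be a UTF8String")
        return str_body.decode("utf-8")
    return None


def map_certificate(san_der, directory=DIRECTORY, issuer_trusted=True):
    """Constructed model of UPN mapping: the account whose UPN matches, else ''."""
    if not issuer_trusted:              # trust the issuer before trusting its UPN claim
        return ""
    upn = extract_upn(san_der)
    if upn is None:                     # no UPN in the cert: nothing to map
        return ""
    return directory.get(upn.lower(), "")


if __name__ == "__main__":
    print(map_certificate(build_san([("upn", "alice@corp.example")])))
    print(repr(map_certificate(build_san([("dns", "web.corp.example")]))))
```

The round trip is the point: nothing in the directory holds a copy of the certificate, only a userPrincipalName attribute, so any certificate from a trusted issuer whose SAN carries that UPN maps to the account. For a certificate from a CA that is not an enterprise CA, the open question in the thread is whether it carries the UPN in this otherName form at all; extract_upn returning None is what that case looks like.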