Re: IIS Certificate Mapping password retrieval
From: Craig Humphrey (craig.humphrey_at_nospam.chapmantripp.com)
Date: Thu, 23 Oct 2003 11:11:24 +1300
I think you've crossed the wires slightly.
The password retrieval is in IIS's Certificate Mapping, NOT in AD's.
AD's problem is that it bases certificate mapping on the "Subject" line of
the cert (and the issuer), which is not guaranteed to be unique.
While certificates that are issued automatically by AD will (I think) have
the username as part of the subject, these certs are not able to be used for
logging into, say, IIS, and I think this is because of two things.
1. The user never has the private key (both private and public keys are
stored in AD only) [but I could be wrong on this one].
2. To achieve cert mapping for IIS (from AD) you need to have the cert
installed into Active Directory Users and Computers | Right Click a user |
Name Mappings | X.509 Certificates. Make sure you have Advanced Features
turned on, otherwise Name Mappings doesn't show up. Only it never maps the
cert, it only maps the Subject line from the cert (and the issuer).
Make more sense?
"Ohaya" <email@example.com.NO_SPAM> wrote in message
> It's been awhile since I've worked with it, and perhaps I'm missing
> something, but if you assume that you are running MS Certificate Server as
> an Enterprise CA (vs. a standalone CA), when user requests a client
> certificate, they have to authenticate themselves to Windows. Their
> username then gets embedded into the Subject (actually something like the
> SubjectAlternate field) of the client certificate that gets issued.
> Then, when the AD mapping occurs, the Windows username gets extracted from
> the authenticated client cert, and is used to logon (via impersonation) as
> that user.
> The client certificate is signed, so client certificate authentication
> implies (within limits of cryptography) that the username in the cert has
> not been tampered with.
> I guess what I'm saying is that, given the above scenario, I don't see how
> the user's password gets exposed to the admin??
> I think that you're correct that if you use AD mapping, that you need AD,
> perhaps more globally, you have to buy into a whole bunch of MS-specific
> mechanisms, but then, why are you even looking at certificate mapping in
> the first place?
> Presumably (and this may be a bad assumption), this is because you want to
> enforce some kind of ACL or role/privilege in your system, and it seems to
> me that the choices are use the infrastructure/mechanisms that MS provides
> (AD, AD mapping, etc.), "roll your own" (i.e., implement the
> roles/privileges in your application), possibly with the "help" of some
> 3rd-party products...
> Sorry for rambling on, but we've been going through somewhat similar
> ruminations ourselves :)....
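The point Craig makes about AD name mapping (it keys on the certificate's Subject and Issuer, not on the certificate itself) is easy to check in a directory audit. The script below is an added example and is not code from either poster; it assumes the `altSecurityIdentities` attribute format Microsoft documents for X.509 name mappings, `X509:<I>issuerDN<S>subjectDN`, with DN components stored in reversed order relative to how the certificate displays them. The accounts and certificate records are constructed sample data. It reports two things a defender cares about: mapping strings claimed by more than one account, and certificates (for example, a re-issued one with the same subject) that a single issuer+subject mapping would all accept.

```python
import re
from collections import defaultdict

# Shape of an AD X.509 name mapping as stored in altSecurityIdentities
# (the value the "Name Mappings | X.509 Certificates" dialog writes).
_X509_MAPPING = re.compile(r"^X509:<I>(?P<issuer>.*)<S>(?P<subject>.*)$")


def normalize_dn(dn):
    """Canonicalise a DN for comparison: strip whitespace around components
    and fold case, since DN component matching is case-insensitive."""
    parts = [p.strip() for p in dn.split(",") if p.strip()]
    return ",".join(p.lower() for p in parts)


def reverse_dn(dn):
    """Turn a certificate-display-order DN (CN first) into the reversed
    component order used inside altSecurityIdentities (assumption of this
    example, following Microsoft's documented format)."""
    parts = [p.strip() for p in dn.split(",") if p.strip()]
    return ",".join(reversed(parts))


def parse_mapping(value):
    """Return (issuer, subject) for an X509 mapping value, or None if the
    value is some other kind of altSecurityIdentities entry."""
    m = _X509_MAPPING.match(value)
    if not m:
        return None
    return (normalize_dn(m.group("issuer")), normalize_dn(m.group("subject")))


def find_ambiguous_mappings(accounts):
    """accounts: {sAMAccountName: [altSecurityIdentities values]}.
    Returns {(issuer, subject): [accounts]} for every mapping key that more
    than one account claims; such a key cannot resolve to a single user."""
    claims = defaultdict(list)
    for account, values in accounts.items():
        for value in values:
            key = parse_mapping(value)
            if key is not None and account not in claims[key]:
                claims[key].append(account)
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}


def certs_matching_mapping(mapping_value, certs):
    """certs: list of {'serial', 'issuer', 'subject'} with DNs in certificate
    display order. Returns the serials of every certificate the issuer+subject
    mapping accepts: the mapping cannot tell them apart."""
    key = parse_mapping(mapping_value)
    if key is None:
        return []
    return [
        c["serial"]
        for c in certs
        if (normalize_dn(reverse_dn(c["issuer"])),
            normalize_dn(reverse_dn(c["subject"]))) == key
    ]


# Constructed sample data (not from the thread): one CA, two accounts that
# both point at the same subject, and a re-issued certificate for alice.
_CA = "DC=com,DC=example,CN=Example CA"
SAMPLE_ACCOUNTS = {
    "alice": ["X509:<I>" + _CA + "<S>DC=com,DC=example,CN=alice"],
    "alice.admin": ["X509:<I>" + _CA + "<S>DC=com,DC=example,CN=alice"],
    "bob": ["X509:<I>" + _CA + "<S>DC=com,DC=example,CN=bob",
            "not-an-x509-mapping"],
}
SAMPLE_CERTS = [
    {"serial": "1001", "issuer": "CN=Example CA,DC=example,DC=com",
     "subject": "CN=alice,DC=example,DC=com"},
    {"serial": "1002", "issuer": "CN=Example CA,DC=example,DC=com",
     "subject": "CN=alice,DC=example,DC=com"},   # renewed: same subject
    {"serial": "2001", "issuer": "CN=Example CA,DC=example,DC=com",
     "subject": "CN=bob,DC=example,DC=com"},
]

if __name__ == "__main__":
    for key, who in find_ambiguous_mappings(SAMPLE_ACCOUNTS).items():
        print("ambiguous mapping", key, "claimed by", who)
    print("certs accepted by alice's mapping:",
          certs_matching_mapping(SAMPLE_ACCOUNTS["alice"][0], SAMPLE_CERTS))
```

In a real audit the account list would come from an LDAP query for objects with `altSecurityIdentities` set, and the certificate list from the CA's issued-certificate database; the comparison logic stays the same. Any mapping key that several accounts claim, or that accepts more than one live certificate, is exactly the non-uniqueness the reply describes.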