Re: Active Directory Mapping with RFC822 Name vs. Principal Name?
From: Ohaya (ohaya_at_NO_SPAM.cox.net)
Date: 11/01/03
- Next message: Aaron Heusser: "Changing the security context within an install DLL"
- Previous message: Krish Shenoy[MSFT]: "Re: Active Directory Mapping with RFC822 Name vs. Principal Name?"
- In reply to: Krish Shenoy[MSFT]: "Re: Active Directory Mapping with RFC822 Name vs. Principal Name?"
- Next in thread: John Banes [MS]: "Re: Active Directory Mapping with RFC822 Name vs. Principal Name?"
- Reply: John Banes [MS]: "Re: Active Directory Mapping with RFC822 Name vs. Principal Name?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 31 Oct 2003 19:56:51 -0500
Krish,
Thanks for the VERY quick reply.
Answers to your questions:
1) Yes, server is a Windows 2003 Server, with Active Directory. Server
is the (only) DC.
2) The Subject in the client certs looks like this (viewed using the MS Cert
applet->Details tab), for example:
CN = User1 Name
OU = Testing
OU = Test
O = Acme Corp.
C = US
3) The Subject Alternative Name (again in cert applet->Details), for
example:
RFC Name=User1@foo.com
I had a (slim) hope that IIS and Active Directory/UPN mapping would be
smart enough to parse the email address out of the Subject Alternative
Name, because (obviously) the CA won't make special certs just for us
:(.
Is there any way to do this? Maybe some kind of registry setting that
would get IIS to look for RFC822 Name instead of otherName:Principal
Name?
BTW, what is "S4U"?
Thanks!!
"Krish Shenoy[MSFT]" wrote:
>
> Is this a Windows Server 2003 domain? If so, does the certificate subject
> name have the correct Distinguished name? If so then IIS will try to do S4U
> using the subject name in the cert if the UPN cannot be mapped.
> "Ohaya" <ohaya@NO_SPAM.cox.net> wrote in message
> news:3FA2FB55.35484F5C@NO_SPAM.cox.net...
> > [Apologies for cross-posting, as I think this question may straddle both
> > NGs.]
> >
> >
> > Hi,
> >
> > The CA that we are using to produce client certs includes the user's UPN
> > in the SubjectAltName field, but the certs have:
> >
> > SubjectAltName=RFC822 Name=username@domainname
> >
> > e.g.,
> >
> > SubjectAltName=RFC822 Name=foo@whatever.com
> >
> >
> > I understand that for AD mapping, it expects:
> >
> > SubjectAltName=otherName:Principal Name=username@domainname
> >
> >
> > Is there any way to get Active Directory Mapping to work with these
> > certs with "RFC822 Name="?
> >
> > I'm trying to see if we can utilize these currently-issued certs for
> > client authentication with Active Directory mapping.
> >
> > Thanks in advance!!!
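The thread turns on the difference between two SubjectAltName entry types: the rfc822Name the CA is issuing (GeneralName CHOICE [1], an IA5String) and the otherName carrying the Microsoft User Principal Name (GeneralName CHOICE [0] with type-id 1.3.6.1.4.1.311.20.2.3, the well-known szOID_NT_PRINCIPAL_NAME OID) that UPN mapping expects. The following is an added example, not code from the thread or from Microsoft: a standard-library-only Python DER walker that lists the GeneralName entries in a SAN extension value and reports whether a UPN otherName is present, which is the check an administrator would run against a cert before expecting AD UPN mapping to succeed. The two SAN blobs are constructed inline from the addresses used in the thread; the encoder helpers exist only to build those samples.

```python
"""
Inspect the GeneralNames of an X.509 SubjectAltName extension at the DER
level and report whether it carries an rfc822Name, a Microsoft UPN otherName,
or both.  Standard library only; the sample SAN blobs are constructed here
(they are not taken from any real certificate).
"""

# Well-known Microsoft OID for the UPN otherName (szOID_NT_PRINCIPAL_NAME).
UPN_OID = "1.3.6.1.4.1.311.20.2.3"


# ---- minimal DER encoder, used only to build the constructed samples ----

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def rfc822_name(addr: str) -> bytes:
    # GeneralName CHOICE [1] IMPLICIT IA5String -> tag 0x81
    return _tlv(0x81, addr.encode("ascii"))


def upn_other_name(upn: str) -> bytes:
    # GeneralName CHOICE [0] otherName -> constructed tag 0xA0 wrapping
    # SEQUENCE-contents { type-id OID, value [0] EXPLICIT UTF8String }
    inner = _tlv(0x06, _encode_oid(UPN_OID)) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
    return _tlv(0xA0, inner)


def subject_alt_name(*names: bytes) -> bytes:
    # SubjectAltName extension value: SEQUENCE OF GeneralName
    return _tlv(0x30, b"".join(names))


# ---- decoder: the part a practitioner would run against a real cert ----

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(data: bytes) -> str:
    arcs, val = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def san_entries(san_der: bytes):
    """Return [(kind, value), ...] for every GeneralName in the SAN value."""
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    pos, entries = 0, []
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag == 0x81:
            entries.append(("rfc822Name", content.decode("ascii")))
        elif tag == 0xA0:
            _, oid_bytes, p = _read_tlv(content, 0)     # type-id
            _, explicit, _ = _read_tlv(content, p)      # [0] EXPLICIT wrapper
            _, value, _ = _read_tlv(explicit, 0)        # the UTF8String itself
            oid = _decode_oid(oid_bytes)
            kind = "otherName:PrincipalName" if oid == UPN_OID else f"otherName:{oid}"
            entries.append((kind, value.decode("utf-8")))
        else:
            entries.append((f"tag-0x{tag:02x}", content.hex()))
    return entries


def has_upn(san_der: bytes) -> bool:
    """True only if a Principal Name otherName is present (what UPN mapping needs)."""
    return any(kind == "otherName:PrincipalName" for kind, _ in san_entries(san_der))


# Constructed samples mirroring the two SAN shapes discussed in the thread.
CA_ISSUED_SAN = subject_alt_name(rfc822_name("User1@foo.com"))
AD_FRIENDLY_SAN = subject_alt_name(rfc822_name("User1@foo.com"),
                                   upn_other_name("User1@foo.com"))

if __name__ == "__main__":
    for label, san in (("CA-issued", CA_ISSUED_SAN), ("with UPN", AD_FRIENDLY_SAN)):
        print(label, san_entries(san), "UPN mappable:", has_upn(san))
```

The point the output makes is the one the thread circles around: the CA-issued SAN holds the address only as an rfc822Name, so a check keyed on the Principal Name otherName finds nothing to map, even though the string value is identical. On a real certificate the SAN extension value is the OCTET STRING contents of the extension with OID 2.5.29.17; feed those bytes to `san_entries`.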