Re: PKI SC Logon with no UPN.
From: Lavie BB (LavieBB_at_discussions.microsoft.com)
Date: 05/22/05
- Previous message: Lavie BB: "PKI SC Logon with no UPN."
- In reply to:(deleted message) Paul Adare: "Re: PKI SC Logon with no UPN."
- Next in thread: Brian Komar: "Re: PKI SC Logon with no UPN."
- Reply: Brian Komar: "Re: PKI SC Logon with no UPN."
Date: Sun, 22 May 2005 05:57:08 -0700
Hey,
And thanks for the quick reply - but it isn't the right way...
What you have written I have already mentioned at the beginning of my note.
Is that a certified final answer or one based on previous study?
I did some research according to some MS articles, and I found two ways
mentioned.
* The first option regards trusting an out-of-forest CA and enabling logon
according to the UPN - which is obvious and relatively easy to implement in a
closed environment.
* The second option, which I found very little technical data on, is mapping a
certificate to a user (domain - *** not IIS mapping ***) - on this point the
technical data I found mentioned it is possible to insert the certificate into
the AD (manually, as far as I understood) in order to allow logon.
My interest is in the second implementation and the related technical data (such
as what are the applications that can be performed, what does it require?
e.g.: EKU - Smart Card Logon)
Any help would be welcomed.
Lavie.
Security Consultant.
*********************************************
"Paul Adare" wrote:
> In article <127719B7-11C8-4843-A408-11B3A14FF1BA@microsoft.com>, in the
> microsoft.public.win2000.security news group, Lavie BB
> <LavieBB@discussions.microsoft.com> says...
>
> > I want to enable a Smart Card Logon using a Certificate issued by a 3rd party.
> > One way, which is the easy way, is to add that CA into the directory - but this
> > option would require the certificate to contain a UPN.
> >
> > My Q is:
> > how can I allow a logon based on a 3rd Party Certificate of user
> > authentication (probably Client Authentication), what does it require - if
> > possible? and how can it be restricted.
>
> If you can't get whomever is providing you with the certificate to add
> the UPN to the SAN, then you're not going to be able to use those
> certificates for smart card logon. The UPN in the SAN is required.
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> Scientists were excited this week at having isolated a brief sound which
> occurred immediately before the Big Bang.
> Apparently, the sound was, "uh oh".
>
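The "second option" Lavie asks about (mapping a third-party certificate to a domain user object without relying on a UPN in the SAN) is done through the user's multi-valued altSecurityIdentities attribute in Active Directory. The script below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory PowerShell module, write access to the target user object, and that the certificate file path and account name (both placeholders) are replaced. It inspects the certificate for the EKUs the original question mentions (Smart Card Logon, Client Authentication), then builds the explicit mapping strings in the Issuer+SerialNumber and SubjectKeyIdentifier forms, which require no UPN in the certificate at all.

```powershell
# Added example (not from the thread): inspect a third-party user certificate and
# build explicit AD certificate-to-user mappings for smart card logon via the
# altSecurityIdentities attribute. Assumes RSAT ActiveDirectory module and write
# access to the user object. File path and account name below are placeholders.
Import-Module ActiveDirectory

# Well-known EKU OIDs relevant to Windows smart card logon
$EkuSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'
$EkuClientAuth     = '1.3.6.1.5.5.7.3.2'

function Get-CertificateLogonInfo {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # Enhanced Key Usage (OID 2.5.29.37): which purposes does the issuer allow?
    $ekus = @()
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ekuExt) {
        $typed = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension -ArgumentList $ekuExt, $ekuExt.Critical
        $ekus = @($typed.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    # altSecurityIdentities expects the issuer DN with its RDNs in reverse order
    # from the certificate display and no whitespace after the commas.
    # Split on unescaped commas only, so "\," inside an RDN value survives.
    $parts = @($cert.Issuer -split '(?<!\\),\s*')
    [array]::Reverse($parts)
    $issuerReversed = $parts -join ','

    # The <SR> serial number is written in reverse byte order from the displayed value.
    $hex = $cert.SerialNumber
    $bytes = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($bytes)
    $serialReversed = $bytes -join ''

    # Subject Key Identifier (OID 2.5.29.14), if the CA included one.
    $ski = $null
    $skiExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if ($skiExt) {
        $typedSki = New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension -ArgumentList $skiExt, $skiExt.Critical
        $ski = $typedSki.SubjectKeyIdentifier
    }

    # Mapping strings in the altSecurityIdentities syntax. Both forms identify one
    # specific certificate, so a renewed certificate needs a new mapping.
    $mappings = @("X509:<I>$issuerReversed<SR>$serialReversed")
    if ($ski) { $mappings += "X509:<SKI>$ski" }

    [PSCustomObject]@{
        Subject               = $cert.Subject
        Issuer                = $cert.Issuer
        Thumbprint            = $cert.Thumbprint
        HasSmartCardLogonEku  = ($ekus -contains $EkuSmartCardLogon)
        HasClientAuthEku      = ($ekus -contains $EkuClientAuth)
        Mappings              = $mappings
    }
}

function Add-UserCertificateMapping {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$Mapping
    )
    # altSecurityIdentities is multi-valued; -Add appends without clobbering
    # mappings that already exist on the account.
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $Mapping }
    Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities |
        Select-Object SamAccountName, altSecurityIdentities
}

# Usage (placeholder path and account):
$info = Get-CertificateLogonInfo -Path 'C:\temp\user.cer'
$info | Format-List
if (-not $info.HasSmartCardLogonEku) {
    Write-Warning 'Certificate lacks the Smart Card Logon EKU; check the domain policy before mapping it.'
}
# Add-UserCertificateMapping -SamAccountName 'jdoe' -Mapping $info.Mappings
```

Two practical notes. The mapping only answers "which account does this certificate belong to"; the KDC still has to trust the issuing CA, so the third-party CA also needs to be published to the enterprise NTAuth store and chain to a trusted root. And of the mapping forms Active Directory accepts, Issuer+SerialNumber and SKI (used above) are the ones Microsoft later classified as strong in KB5014754, whereas Issuer+Subject, Subject-only and RFC822 mappings are considered weak because they bind to names the CA could reissue; removing the attribute value is also the quickest way to revoke this logon path for one certificate without touching the CA.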