Re: PKI SC Logon with no UPN.
From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 05/22/05
- Previous message: Lavie BB: "Re: PKI SC Logon with no UPN."
- In reply to: Lavie BB: "Re: PKI SC Logon with no UPN."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 22 May 2005 11:50:58 -0500
In article <03FAF166-0927-4A1E-9E34-8FA02AEC8C00@microsoft.com>,
LavieBB@discussions.microsoft.com says...
> Hey,
>
> And 10x for the quick reply - but it isn't the right way...
> What you have written I have already mentioned in the beginning of my note.
> Is that a certified final answer or one based on previous study?
>
> I made some research according to some MS articles, and I found two ways
> mentioned.
> * The first option regards trusting an out-of-forest CA and enabling login
> according to the UPN - which is obvious and relatively easy to implement in a
> closed environment.
> * The second option, which I found very little technical data on, is mapping
> a certificate to a user (domain - *** not IIS mapping ***) - on this point the
> technical data I found mentioned it is possible to insert the certificate into
> the AD (manually, as far as I understood) in order to allow logon.
>
> My interest is in the second implementation and the technical data related to it (such
> as what are the applications that can be performed, what does it require?
> e.g.: EKU - Smart Card Logon)
>
<snip>
As Paul answered previously, you must have the UPN in the certificate
for smart card logon. In addition, you must ensure that the CA that
issued the certificate is added to the NTAuth store in AD.
No UPN = No smart card logon
For details on what is required to issue smart card certs from a 3rd
party CA, see the following KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;281245
From the article:
The smart card certificate has specific format requirements:
* The CRL Distribution Point (CDP) location (where CRL is the Certification
  Revocation List) must be populated, online, and available. For example:
  [1]CRL Distribution Point
  Distribution Point Name:
  Full Name:
  URL=http://server1.name.com/CertEnroll/caname.crl
* Key Usage = Digital Signature
* Basic Constraints [Subject Type=End Entity, Path Length Constraint=None]
  (Optional)
* Enhanced Key Usage =
  * Client Authentication (1.3.6.1.5.5.7.3.2) (The client authentication OID
    is only required if a certificate is used for SSL authentication.)
  * Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
* Subject Alternative Name = Other Name: Principal Name= (UPN). For example:
  UPN = user1@name.com
  The UPN OtherName OID is: "1.3.6.1.4.1.311.20.2.3"
  The UPN OtherName value: Must be an ASN.1-encoded UTF8 string
* Subject = Distinguished name of user. This field is a mandatory
  extension, but the population of this field is optional.
Note that the SAN must include the UPN
Brian
--
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
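The requirements quoted from the KB article are all properties an administrator can read off the issued certificate before trying a logon. The PowerShell function below is an added example, not code from this thread, from Brian, or from the KB article: it loads an exported user certificate from a .cer file and reports each of the quoted requirements (CDP populated, Key Usage with Digital Signature, Smart Card Logon EKU, a UPN in the SAN OtherName, and the Subject field). It assumes Windows PowerShell with the .NET X509Certificate2 class available; the file path in the usage line is a constructed placeholder. The NTAuth store membership Brian mentions is a property of the directory, not of the certificate, so it is not something this check can see.

```powershell
# Added example (not from the thread or the KB article): checks an exported
# user certificate against the smart card logon requirements quoted above.
# Assumes PowerShell on Windows with .NET's X509Certificate2 class available.

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # EKU: Smart Card Logon (from the KB text)
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # EKU: Client Authentication (from the KB text)
$CdpOid            = '2.5.29.31'                # CRL Distribution Points extension

function Test-SmartCardLogonCert {
    param(
        [Parameter(Mandatory)]
        [string]$Path      # path to a DER or Base64 .cer file (constructed input)
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $findings = [ordered]@{}

    # 1. CDP must be populated. Whether the URL is online is a separate network check.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    $findings['CDP present'] = ($null -ne $cdp)
    if ($cdp) {
        # No typed accessor for CDP in .NET; Format() renders the URLs as text lines
        $findings['CDP URLs'] = ($cdp.Format($true) -split "`r?`n" |
            Where-Object { $_ -match 'URL=' } | ForEach-Object { $_.Trim() }) -join '; '
    }

    # 2. Key Usage must include Digital Signature
    $ku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $findings['KU DigitalSignature'] = ($null -ne $ku) -and
        (($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) -ne 0)

    # 3. EKU must include Smart Card Logon; Client Authentication is only needed for SSL
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $findings['EKU SmartCardLogon']         = $ekuOids -contains $SmartCardLogonOid
    $findings['EKU ClientAuth (optional)']  = $ekuOids -contains $ClientAuthOid

    # 4. SAN must carry the UPN as an OtherName; GetNameInfo reads exactly that field
    $upn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
    $findings['SAN UPN'] = if ([string]::IsNullOrEmpty($upn)) { '<missing>' } else { $upn }

    # 5. Subject is mandatory as a field, but the KB allows it to be empty
    $findings['Subject'] = if ($cert.Subject) { $cert.Subject } else { '<empty>' }

    # Overall verdict: the "No UPN = No smart card logon" rule plus the other hard requirements
    $ok = $findings['CDP present'] -and $findings['KU DigitalSignature'] -and
          $findings['EKU SmartCardLogon'] -and -not [string]::IsNullOrEmpty($upn)
    $findings['Usable for smart card logon'] = $ok

    [pscustomobject]$findings
}

# Usage (constructed path, not from the thread):
# Test-SmartCardLogonCert -Path 'C:\temp\user1.cer' | Format-List
```

A certificate from a third-party CA that passes every line here can still fail logon if the issuing CA is not in NTAuth or the CDP URL is unreachable from the domain controller, which is why the KB wording says "populated, online, and available" rather than just "present".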