Re: For Bernard - I think that I found the Answer was [Re: [Cross-posted]: Problem with Active Directory Mapping?]

From: Ohaya
Date: 09/16/03

Date: Tue, 16 Sep 2003 05:35:17 -0400


Thanks for the followup.

Unfortunately, over this past weekend, I rebuilt my server completely,
this time without AD, and with a stand-alone CA instead of an Enterprise CA.
The reason for this is that this configuration will be closer to what
I've been told the "real" environment we'll have will be.

Anyway, FYI, after the rebuild, I've done a lot of testing, primarily
using Certmgr, and things seem much more predictable behavior-wise.
With AD installed, it was sometimes hard to tell what was going on,
because it would cache things.

Without AD, I can't get the UPN mapping and the automatic mapping to
Windows user logins (I know I can do IIS one-to-one or many-to-one
mapping), but this is ok for now.

I appreciate both your patience and followup. It's been very helpful!

Bernard wrote:
> Ok. Now in AD mapping you can choose either
> direct AD user mapping or UPN mapping.
> The reason I think the previous KB didn't
> mention UPN mapping is that this mapping is
> new and only available in Win2003, not W2K,
> and it also requires the related X.509 cert to be stored in AD.
> my question was on this particular paragraph -
> "
> Using ldifde, I have confirmed that when a user is "Name Mapped", a copy
> of the client certificate appears to be stored in the AD store, and when
> the client certificate is deleted from the User->Name Mapping, that the
> client certificate is removed from the AD store.
> BUT, from my testing, whether or not ANY users in AD have been Name Mapped,
> when I make a connection from a PC (using IE) with a client certificate,
> the client certificate-to-Windows user mapping still seems to be
> working/occurring. I confirm this by two means:
> - I have an ASP page that displays the
> Request.ServerVariables("AUTH_USER"). When the mapping is working, the
> user name from the client certificate is displayed. When mapping is not
> working or disabled, the user name is blank/null
> - The second way I confirm this is that in IIS log files, when mapping
> is working, the user name is included in IIS log file entries. When
> mapping is not enabled, the user name is not included in the IIS log
> file entries.
> "
> When the user is not mapped, you shouldn't have the above behaviour, right?
> Now - I have some response from a tech guy -
> "I'd check to see if a comparable cert (or probably the same one) is in
> the user's store. I typically do that with mmc."
> Check if the client cert and the one in the store are the same.
> Once you remove it, you shouldn't be able to access via
> that cert and you will not see the 'AUTH_USER' - that's my understanding.
> --
> Regards,
> Bernard Cheah
> Please respond to newsgroups only ...
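The quoted exchange relies on the IIS log as evidence of whether certificate-to-user mapping took effect: when a mapping is in place the cs-username field carries the Windows account, and when it is not the field is "-". The following is an added example, not code from either poster, that parses IIS W3C extended log lines (reading the column names from the #Fields directive rather than assuming positions) and reports, per request, whether a mapped identity was logged. The log lines are constructed for the example; the server name, client addresses, account name and the 403.7 response are assumptions, not values from the thread.

```python
"""Check IIS W3C extended log entries for a mapped Windows user name.

The post above uses the presence of cs-username in the IIS log as the sign
that client-certificate mapping worked.  This parser reads the #Fields
directive so columns are located by name, then flags requests that were
served without any user identity attached.
"""

from typing import Dict, List, Optional

# Constructed sample log for this example (not taken from the original post).
# Field order follows the IIS 6 W3C extended format; values never contain
# spaces because IIS substitutes '+' for them.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-09-16 09:35:17
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2003-09-16 09:35:17 192.0.2.10 GET /authuser.asp - 443 - 192.0.2.55 Mozilla/4.0 403 7 0
2003-09-16 09:35:20 192.0.2.10 GET /authuser.asp - 443 EXAMPLE\\jdoe 192.0.2.55 Mozilla/4.0 200 0 0
2003-09-16 09:36:02 192.0.2.10 GET /authuser.asp - 443 - 192.0.2.56 Mozilla/4.0 200 0 0
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request.

    Column names come from the most recent #Fields directive, so a log whose
    field set was changed mid-file is still read correctly.
    """
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("data line encountered before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def mapping_report(records: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Summarise each request: who IIS believed the caller was, if anyone."""
    report = []
    for r in records:
        user = r.get("cs-username", "-")
        report.append({
            "time": f"{r['date']} {r['time']}",
            "client": r["c-ip"],
            "status": f"{r['sc-status']}.{r['sc-substatus']}",
            # IIS writes '-' when no authenticated identity was attached
            "mapped_user": None if user == "-" else user,
        })
    return report


def unmapped_successes(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Requests that were served (2xx) but carry no user name.

    This is the situation the post describes when mapping is disabled or not
    working: the page still loads, but AUTH_USER is empty and the log has no
    user for the entry.
    """
    return [
        r for r in records
        if r["sc-status"].startswith("2") and r.get("cs-username", "-") == "-"
    ]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for row in mapping_report(recs):
        print(row)
    print("served without a mapped user:",
          [r["c-ip"] for r in unmapped_successes(recs)])
```

Pointing the parser at a real log (IIS writes them under %SystemRoot%\system32\LogFiles\W3SVC1\ by default) gives the same per-request view the poster was reading by eye; a 2xx entry with "-" in cs-username is the signature of a client certificate that was accepted for TLS but mapped to no Windows account.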
