Archived from groups: microsoft.public.win2000.security
"Brian Komar" wrote:
> In article <03FAF166-0927-4A1E-9E34-8FA02AEC8C00@microsoft.com>,
> LavieBB@discussions.microsoft.com says...
> > Hey,
> >
> > And 10x for the quick reply - but it isn't the right way... what you have
> > written I have already mentioned in the beginning of my note.
> > Is that a certified final answer or one based on previous study?
> >
> > I made some research according to some MS articles, I found two ways
> > mentioned.
> > * the first option regards trusting an out-of-forest CA and enabling login
> > according to the UPN - which is obvious and relatively easy to implement in a
> > closed environment.
> > * the second option, which I found very little technical data on, is mapping
> > a certificate to a user (domain - *** not IIS mapping ***) - on this point the
> > technical data I found mentioned it is possible to insert the certificate into
> > the AD (manually, as far as I understood) in order to allow logon.
> >
> > my interest is in the second implementation and the technical data related
> > (such as what are the applications that can be performed, what does it
> > require? e.g. : EKU - Smart Card Logon)
> >
> <snip>
>
> As Paul answered previously, you must have the UPN in the certificate
> for smart card logon. In addition, you must ensure that the CA that
> issued the certificate is added to the NTAuth store in AD.
>
> No UPN = No smart card logon
>
> For details on what is required to issue smart card certs from a 3rd
> party CA, see the following KB article:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;281245
>
> From the article:
>
> The smart card certificate has specific format requirements:
> - The CRL Distribution Point (CDP) location (where CRL is the Certification
>   Revocation List) must be populated, online, and available. For example:
>   [1]CRL Distribution Point
>   Distribution Point Name:
>   Full Name:
>   URL=http://server1.name.com/CertEnroll/caname.crl
> - Key Usage = Digital Signature
> - Basic Constraints [Subject Type=End Entity, Path Length Constraint=None] (Optional)
> - Enhanced Key Usage =
>   - Client Authentication (1.3.6.1.5.5.7.3.2) (The client authentication OID
>     is only required if a certificate is used for SSL authentication.)
>   - Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
> - Subject Alternative Name = Other Name: Principal Name= (UPN). For example:
>   UPN = user1@name.com
>   The UPN OtherName OID is : "1.3.6.1.4.1.311.20.2.3"
>   The UPN OtherName value: Must be ASN1-encoded UTF8 string
> - Subject = Distinguished name of user. This field is a mandatory
>   extension, but the population of this field is optional.
>
>
> Note that the SAN must include the UPN
>
> Brian
> --
> ==
> Brian Komar
> MVP - Windows - Security
> http://www.identit.ca/blogs/brian
But what to do if the UPN points to a non-domain user?
For example, my domain is home.com and the user’s name in this domain is
user1, but the UPN in my certificate = roma@gmail.com
What to do?
And lastly, please explain to me how to add the CA’s certificate to the
NTAuth store in win2k sp4 (without the Resource Kit)?
Roman
Topic URL: http://www.windowsforumz.com/Security-PKI-SC-Logon-UPN-ftopict375768.html
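The SAN requirement Brian quotes from the KB (a UPN carried as an otherName of OID 1.3.6.1.4.1.311.20.2.3 whose value is an ASN.1 UTF8String) is shown in this added example, which is not code from the thread or from Microsoft: it DER-encodes that GeneralName and parses it back out of a SubjectAltName with only the Python standard library, so an auditing script can compare the extracted UPN with the account's userPrincipalName (the comparison where Roman's roma@gmail.com certificate would not match user1@home.com). The function names and sample values are constructed for this example; nothing here is a Windows API.

```python
UPN_OTHERNAME_OID = "1.3.6.1.4.1.311.20.2.3"   # OID quoted in the thread

def tlv(tag, body):                        # minimal DER TLV writer, short and long length forms
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                         # base-128 arcs, high bit = more bytes follow
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

# SAN GeneralName otherName: [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
def upn_othername(upn):
    value = tlv(0xA0, tlv(0x0C, upn.encode("utf-8")))     # KB: value is a UTF8String
    return tlv(0xA0, encode_oid(UPN_OTHERNAME_OID) + value)

def read_tlv(buf, pos=0):                  # -> (tag, body, position after this TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def upns_from_san(san_der):
    """Every UPN carried as an otherName in a DER-encoded GeneralNames SAN."""
    _, names, _ = read_tlv(san_der)            # outer SEQUENCE OF GeneralName
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:                        # rfc822Name (0x81), dNSName (0x82), ...
            continue
        otag, oid, p = read_tlv(body)
        if tlv(otag, oid) != encode_oid(UPN_OTHERNAME_OID):
            continue                           # a different otherName type
        _, explicit, _ = read_tlv(body, p)     # unwrap the [0] EXPLICIT tag
        vtag, value, _ = read_tlv(explicit)
        if vtag == 0x0C:                       # UTF8String, as the KB requires
            found.append(value.decode("utf-8"))
    return found
```

A SAN that carries only an rfc822Name or dNSName yields an empty list, which is the "No UPN = No smart card logon" case from Brian's reply.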