
Active Directory Mapping with RFC822 Name vs. Principal Name?


Ohaya

Oct 31, 2003, 7:16:21 PM10/31/03
[Apologies for cross-posting, as I think this question may straddle both
NGs.]


Hi,

The CA that we are using to produce client certs includes the user's UPN
in the SubjectAltName field, but the certs have:

SubjectAltName=RFC822 Name=username@domainname

e.g.,

SubjectAltName=RFC822 Name=f...@whatever.com


I understand that for AD mapping, it expects:

SubjectAltName=otherName:Principal Name=username@domainname


Is there any way to get Active Directory Mapping to work with these
certs with "RFC822 Name="?

I'm trying to see if we can utilize these currently-issued certs for
client authentication with Active Directory mapping.

Thanks in advance!!!

Krish Shenoy[MSFT]

Oct 31, 2003, 7:41:24 PM10/31/03
Is this a Windows Server 2003 domain? If so, does the certificate subject
name have the correct Distinguished Name? If so, then IIS will try to do S4U
using the subject name in the cert if the UPN cannot be mapped.

"Ohaya" <ohaya@NO_SPAM.cox.net> wrote in message news:3FA2FB55.35484F5C@NO_SPAM.cox.net...

Ohaya

Oct 31, 2003, 7:56:51 PM10/31/03
Krish,

Thanks for the VERY quick reply.

Answers to your questions:

1) Yes, server is a Windows 2003 Server, with Active Directory. Server
is the (only) DC.

2) The Subject in the client certs looks like this (viewed using the MS Cert
applet->Details tab), for example:

CN = User1 Name
OU = Testing
OU = Test
O = Acme Corp.
C = US

3) The Subject Alternative Name (again in cert applet->Details), for
example:

RFC Name=Us...@foo.com


I had a (slim) hope that IIS and Active Directory/UPN mapping would be
smart enough to parse the email address out of the Subject Alternative
Name, because (obviously) the CA won't make special certs just for us
:(.

Is there any way to do this? Maybe some kind of registry setting that
would get IIS to look for RFC822 Name instead of otherName:Principal
Name?


BTW, what is "S4U"?


Thanks!!

John Banes [MS]

Oct 31, 2003, 9:13:23 PM10/31/03
The AD certificate mapper will look for the user UPN in the OtherName field
of the SubjectAltName extension. If the UPN isn't found there, then it will
look for the UPN in the CN field of the certificate's Subject--obviously,
this method isn't encouraged.

There is currently no way to configure the mapper to use the RFC822 field.

Regards,

John Banes
[Microsoft Security Developer]

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.

"Ohaya" <ohaya@NO_SPAM.cox.net> wrote in message news:3FA304D3.4B34EE31@NO_SPAM.cox.net...
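As an added check (not code from the thread or from Microsoft), here is a small DER walker that reports whether a certificate's SubjectAltName carries the UPN otherName the AD mapper looks for, or only the rfc822Name the poster's CA emits. The two SAN values and the address in them are constructed samples; it assumes the extension value has already been pulled out of the certificate and uses short-form DER lengths only.

```python
# Microsoft UPN otherName type-id, OID 1.3.6.1.4.1.311.20.2.3 (DER content bytes)
UPN_OID = bytes.fromhex("2b060104018237140203")


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; short-form length only (enough for sample SANs)."""
    assert len(body) < 128, "short-form DER length only"
    return bytes([tag, len(body)]) + body


def rfc822_name(addr: str) -> bytes:
    # GeneralName choice [1] rfc822Name, IMPLICIT IA5String
    return _tlv(0x81, addr.encode("ascii"))


def upn_other_name(upn: str) -> bytes:
    # GeneralName choice [0] otherName: SEQUENCE { OID, [0] EXPLICIT UTF8String }
    inner = _tlv(0x06, UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
    return _tlv(0xA0, inner)


def subject_alt_name(*names: bytes) -> bytes:
    # SubjectAltName ::= SEQUENCE OF GeneralName
    return _tlv(0x30, b"".join(names))


def _walk(der: bytes):
    """Yield (tag, body) for each short-form TLV in a DER sequence body."""
    i = 0
    while i < len(der):
        tag, length = der[i], der[i + 1]
        assert length < 128, "long-form DER length not handled here"
        yield tag, der[i + 2 : i + 2 + length]
        i += 2 + length


def parse_general_names(san: bytes) -> list:
    """Return [(kind, value)] for every GeneralName in a SAN extension value."""
    assert san[0] == 0x30, "SubjectAltName must be a SEQUENCE"
    out = []
    for tag, body in _walk(san[2 : 2 + san[1]]):
        if tag == 0x81:                        # rfc822Name, what the poster's CA issues
            out.append(("rfc822Name", body.decode("ascii")))
        elif tag == 0xA0:                      # otherName
            (_, oid), (_, value) = list(_walk(body))[:2]
            if oid == UPN_OID:                 # the field the AD mapper keys on
                _, utf8 = next(_walk(value))   # unwrap the [0] EXPLICIT tag
                out.append(("upn", utf8.decode("utf-8")))
            else:
                out.append(("otherName", oid.hex()))
        else:
            out.append(("other", body.hex()))
    return out


def mappable_upn(san: bytes):
    """UPN the AD mapper would use, or None when no UPN otherName is present."""
    return next((v for k, v in parse_general_names(san) if k == "upn"), None)


# Constructed samples (placeholder address): the thread's CA output vs. a SAN
# that also carries the UPN otherName the mapper expects.
CA_ISSUED_SAN = subject_alt_name(rfc822_name("user1@foo.com"))
MAPPABLE_SAN = subject_alt_name(upn_other_name("user1@foo.com"),
                                rfc822_name("user1@foo.com"))
```

Running `mappable_upn` over a fleet's issued certificates before enabling UPN mapping tells you which ones will fall through to the subject-name path John describes.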

Ohaya

Oct 31, 2003, 10:01:05 PM10/31/03
John,

I was afraid that you all would say that :(, but I do appreciate the
information.

Also, I'm still curious what "S4U" meant/referred to?

Dean Wells [MVP]

Oct 31, 2003, 10:24:30 PM10/31/03
Ohaya wrote:
> John,
>
> I was afraid that you all would say that :(, but I do appreciate the
> information.
>
> Also, I'm still curious what "S4U" meant/referred to?
>


A Kerberos extension known as Service-for-User-to-xxx where xxx is, for
example, self (S4U2Self). Further information can be found here -

http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/

HTH

Dean

--
Dean Wells [MVP / Windows platform]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l