AD Name Mappings - Default Accounts
-
29 March 2012 20:18
I was wondering if it is possible to do the following: I want users to present their client certificate for authentication. If the certificate is properly mapped to an AD account (one-to-one), the user is logged in as that user. If there is no corresponding account, the user is logged in as a "default" user.
I know it is possible to do the one to one mapping, and the default account can be achieved by the many to one approach. However, the mapping of the certificates is by the same organization. So it seems that a particular user account would map to both the specific account and to the many to one account, since the identifiers would be so close.
Is there a way to tell AD: if an account exists one to one, use it; otherwise, if the many to one is matched, then use the default account?
I hope that makes sense,
Mark
All replies
-
29 March 2012 19:50
I was wondering if it is possible to do the following: I want users to present their client certificate for authentication. If the certificate is properly mapped to an AD account, the user is logged in as that user. If there is no corresponding account, the user is logged in as a "default" user.
I know it is possible to do the one to one mapping, and the default account can be achieved by the many to one approach. However, the mapping of the certificates is by the same organization. So it seems that a particular user account would map to both the specific account and to the many to one account, since the identifiers would be so close.
Is there a way to tell AD: if an account exists one to one, use it; otherwise, if the many to one is matched, then use the default account?
I hope that makes sense,
Mark
- Merged by Bruce-Liu (Moderator) 30 March 2012 8:27
-
29 March 2012 19:59
Hello,
You need to do 2-factor authentication, with a smartcard or RSA token for example. We use RSA with Citrix Access Gateways, so the AD account and the token as the second factor. Within the domain, logon is possible with only the domain account.
The security forum is the better place to ask for options: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
- Edited by Meinolf Weber (MVP) 29 March 2012 20:00
- Proposed as answer by Ace Fekay [MCT] (MVP) 29 March 2012 21:28
-
29 March 2012 22:17
Just need to make something clear: this is about client certificate authentication to a Web server. You would like to implement one-to-one certificate mapping and have many-to-one mapping as the fall-back option. If so, is the web server IIS, and which version?

> I was wondering if it is possible to do the following: I want users to present their client certificate for authentication. If the certificate is properly mapped to an AD account, the user is logged in as that user. If there is no corresponding account, the user is logged in as a "default" user.
-= F1 is the Key =-
-
29 March 2012 23:26
Please use Security forum and ask your question.
Here is Security forum link:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Proposed as answer by AjayKumar sharma 29 March 2012 23:45
-
30 March 2012 12:53
Actually it is using TMG 2010 with AD Name Mapping. Windows Server 2008.
Thanks
Mark
-
30 March 2012 12:54
Thanks. I thought that is the forum I am in now. Mark
-
5 April 2012 19:24
It appears Windows Server 2008 is working as follows:
1. If a certificate maps directly to an account, the account is used.
2. If a certificate does not map to a specific account, but matches a wildcard, the wildcard account is used.
Thanks everyone,
Mark
- Marked as answer by cdr_pfeifer 5 April 2012 19:24
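The precedence Mark reports above (direct mapping first, wildcard only as a fall-back), modelled in Python as an added example that is not from the thread and not Windows' or TMG's own code. The identifier string mirrors the "X509:<I>issuer<S>subject" form AD uses for altSecurityIdentities; the issuer name, account names and the regex-based wildcard rule are constructed sample data.

```python
# Added example: model of "one-to-one wins, many-to-one is only the fall-back".
# Not the real AD/TMG implementation; issuer, accounts and rules are constructed.
import re
from typing import Optional

ISSUER = "DC=com,DC=contoso,CN=Contoso Issuing CA"  # constructed sample issuer

# One-to-one mappings: exact issuer+subject identifier -> account (sample data).
ONE_TO_ONE = {
    f"X509:<I>{ISSUER}<S>DC=com,DC=contoso,OU=Users,CN=Mark": "CONTOSO\\mark",
    f"X509:<I>{ISSUER}<S>DC=com,DC=contoso,OU=Users,CN=Alice": "CONTOSO\\alice",
}

# Many-to-one rules: (issuer, subject pattern) -> shared default account (sample data).
# The issuer is part of the rule so certificates from another CA never fall
# into the default account just because their subject looks similar.
MANY_TO_ONE = [
    (ISSUER, re.compile(r"^DC=com,DC=contoso,OU=Users,CN=.+$"), "CONTOSO\\webdefault"),
]


def resolve_account(issuer: str, subject: str) -> Optional[str]:
    """Return the account a client certificate maps to, or None if no rule matches."""
    # 1. An explicit one-to-one mapping is checked first and always takes precedence,
    #    even though the same certificate would also satisfy the wildcard rule.
    ident = f"X509:<I>{issuer}<S>{subject}"
    if ident in ONE_TO_ONE:
        return ONE_TO_ONE[ident]
    # 2. Only when no account maps the certificate directly is a wildcard consulted.
    for rule_issuer, subject_re, account in MANY_TO_ONE:
        if rule_issuer == issuer and subject_re.match(subject):
            return account
    # 3. Nothing matched: deny rather than guess an account.
    return None


if __name__ == "__main__":
    for subj in ("DC=com,DC=contoso,OU=Users,CN=Mark",      # has a direct mapping
                 "DC=com,DC=contoso,OU=Users,CN=Bob",       # wildcard only
                 "DC=com,DC=contoso,OU=Service,CN=Build"):  # matches nothing
        print(subj, "->", resolve_account(ISSUER, subj))
```

The third sample shows the case worth checking in any real deployment: a certificate from the trusted issuer that matches neither mapping must be rejected, not silently given the default account.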