Can Client Certificates and accounts be mapped automatically, or created on the fly if need be?

  • Question

  • I'm having a real headache with this. I have the following requirements and I can't figure out how to do this.

    We're using IIS 6.0, Windows Server 2003, SharePoint, Active Directory. We currently have approx. 100K users, each of which has registered and been approved for an account. Each of these users also has a CAC, but there is no current mapping, UPN or otherwise. Additionally there are approx. 2 million other users with approved CACs but no accounts. IIS does not live in the domain of any of the users, nor would that be possible. There are 5 Root CAs within the CAC cards being used. The customer wants the following.

    1. Add CAC authentication. (IIS CAC is pretty easy, still working on adding to SharePoint)

    2. When a user uses their CAC for the first time, they should be asked to map their CAC to their AD account. (Not the admin, the user should do this)

    3. If a user uses a CAC but does not have an AD account, they should be asked to create one. Users with CAC are automatically approved. SharePoint access is granted as soon as they complete the "create user" form.

    4. If the user is in a location without a CAC reader, they should still be able to use their username and password for access.

    NOTE: upgrade to current version is a valid answer if you can explain how to accomplish the requirements. Without good reason the customer will not upgrade.


    Thanks - Mark

    Wednesday, March 16, 2011 8:01 AM
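The four requirements above describe a self-service mapping flow: a CAC that IIS has already validated arrives at the application, and the application must decide whether it is already bound to an account, needs to be bound to an existing account by its holder, or belongs to someone who has no account yet, while plain username/password logon keeps working. The following is an added example, not code from the thread or from Microsoft, that models that flow in Python with an in-memory directory standing in for Active Directory. The issuer names, subject DNs, usernames and passwords are constructed sample values; the `CERT_ISSUER` and `CERT_SUBJECT` names refer to the IIS server variables that carry the client certificate's issuer and subject DNs, and the trusted-issuer set is a placeholder for the five CAC root CAs mentioned in the post. The security point it makes is that binding a certificate to an existing account must require the account's password: a valid CAC proves who the cardholder is, not that they own the username they type in.

```python
"""Self-service CAC-to-account mapping flow (added example, not from the thread).

Models the four requirements from the post with an in-memory directory standing in
for Active Directory. All certificate fields, names and passwords are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed placeholders for the trusted CAC issuing CAs. IIS already performs
# chain building and revocation checking before the request reaches the app; the
# app additionally pins the issuer set so a certificate from any other CA can
# never reach the mapping or enrollment steps.
TRUSTED_ISSUERS = {"CN=Example CAC CA 1", "CN=Example CAC CA 2"}

MAPPED = "mapped_login"  # cert already bound to an account: log the user in
UNMAPPED = "unmapped"    # first use: offer "link my account" (req. 2) or "create account" (req. 3)
REJECTED = "rejected"    # untrusted issuer: nothing further


@dataclass(frozen=True)
class ClientCert:
    issuer: str   # issuer DN as IIS presents it (CERT_ISSUER server variable)
    subject: str  # subject DN (CERT_SUBJECT); stable across card renewals, unlike the serial


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 for the demo directory; the real store is AD, not this dict.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Stand-in for AD: usernames, password hashes, and the cert-to-account map."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, hash)
        self._cert_map: Dict[Tuple[str, str], str] = {}    # (issuer, subject) -> username

    def add_account(self, username: str, password: str) -> bool:
        if username in self._creds:
            return False
        salt = os.urandom(16)
        self._creds[username] = (salt, _hash_password(password, salt))
        return True

    def password_logon(self, username: str, password: str) -> bool:
        """Requirement 4: username/password keeps working where no reader is present."""
        entry = self._creds.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash_password(password, salt))

    @staticmethod
    def _key(cert: ClientCert) -> Tuple[str, str]:
        # Keyed on issuer + subject, not subject alone, so two CAs issuing the
        # same subject DN can never collide onto one account.
        return (cert.issuer, cert.subject)

    def cac_logon(self, cert: ClientCert) -> Tuple[str, Optional[str]]:
        """Requirement 1: CAC logon, branching to the first-use page when unmapped."""
        if cert.issuer not in TRUSTED_ISSUERS:
            return REJECTED, None
        user = self._cert_map.get(self._key(cert))
        if user is not None:
            return MAPPED, user
        # The app cannot know yet whether this cardholder has an account, so the
        # caller shows a page offering both the mapping and the enrollment path.
        return UNMAPPED, None

    def map_cert(self, cert: ClientCert, username: str, password: str) -> bool:
        """Requirement 2: the user binds their own CAC to their existing account.

        The password proof is what stops any valid cardholder from claiming an
        arbitrary username; the certificate alone proves CAC identity, not
        ownership of the AD account.
        """
        if cert.issuer not in TRUSTED_ISSUERS or self._key(cert) in self._cert_map:
            return False  # untrusted CA, or this card is already bound (one card, one account)
        if not self.password_logon(username, password):
            return False
        self._cert_map[self._key(cert)] = username
        return True

    def enroll(self, cert: ClientCert, username: str, password: str) -> bool:
        """Requirement 3: a cardholder without an account creates one, auto-approved."""
        if cert.issuer not in TRUSTED_ISSUERS or self._key(cert) in self._cert_map:
            return False
        if not self.add_account(username, password):
            return False  # username already taken; no mapping is written
        self._cert_map[self._key(cert)] = username
        return True


if __name__ == "__main__":
    d = Directory()
    d.add_account("mark", "Correct-Horse-1")
    card = ClientCert("CN=Example CAC CA 1", "CN=MARK.EXAMPLE.1234567890")
    print(d.cac_logon(card))                              # ('unmapped', None)
    print(d.map_cert(card, "mark", "Correct-Horse-1"))   # True
    print(d.cac_logon(card))                              # ('mapped_login', 'mark')
```

In a real deployment the mapping table would live as an attribute on the AD user object (or in a separate store keyed the same way), and `cac_logon` would be reached only on requests where IIS has already enforced client certificate authentication; the password fallback in requirement 4 is simply the existing forms or Windows logon path, which this model leaves untouched.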


  • This forum is specifically intended to address questions and answers pertaining to Rights Management Services in Windows Server. It's not a general security forum. You'd probably get a better answer if you posted your question in the Windows Server Security forum (http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads).

    Jim Groves Sr. Technical Writer, Server & Cloud Division, Microsoft
    Thursday, March 24, 2011 5:31 AM