Certificate Renewal

  • Question

    1- We use MS certificate mapping to log in to multiple AD user accounts with the same smartcard. The Caroline Philie smartcard is allowed to log in to the Caroline Philie AD user account and to the ARole AD user account.

    2- When I select the following options in the smartcard logon certificate template:

        - In the Subject Name tab: Build from this Active Directory information, Fully distinguished name, E-mail name

        - In the Issuance Requirements tab: This number of authorized signatures = 1, Application policy: Certificate Request Agent, Valid existing certificate

      • The Caroline Philie smartcard can log in successfully to the Caroline Philie user account, and she can renew her logon certificate successfully.
      • The Caroline Philie smartcard can log in successfully to the ARole user account, but she cannot renew her certificate. This error message is displayed: CERTSRV_E_SIGNATURE_REJECTED One or more signatures did not include the required application or issuance policies. The request is missing one or more required valid signatures.

    3- To support certificate renewal in the ARole AD user account for the Caroline smartcard, I select the following options in the smartcard logon certificate template:

        - In the Subject Name tab: Supply in the request, Use subject information from existing certificates for autoenrollment renewal requests

        - In the Issuance Requirements tab: This number of authorized signatures = 1, Application policy: Certificate Request Agent, Valid existing certificate

      • The Caroline Philie smartcard can log in successfully to the Caroline Philie user account, and she can renew her logon certificate successfully.
      • The Caroline Philie smartcard can log in successfully to the ARole user account, and she can renew her logon certificate successfully.

    4- But with this template the Enrollment Agent has to supply the subject name manually when issuing certificates. He cannot select an AD user.

    5- Does a configuration exist to build the subject name from Active Directory when issuing certificates and to use the subject information from existing certificates for autoenrollment and renewal requests?

    Thursday, September 1, 2016 1:18 PM

Answers

  • In an ideal world, it would be great to allow the EA to select the AD user account to fill the subject name, and to use subject information from existing certificates for autoenrollment renewal requests.

    Hi Caroline,

    Thank you for the clarification!

    It is my opinion that there is no built-in method to achieve this goal, which might require scripting or a third-party tool.

    Best Regards,

    Amy


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 6, 2016 12:29 PM

All replies

  • Hi,

    Please correct me if I understand this scenario wrong, is one certificate mapped to two user accounts?

    Best Regards,

    Amy


    Friday, September 2, 2016 12:46 PM
  • Hi Amy,

    Yes, you are correct. Microsoft offers a feature called Name Mapping. Please see this link: https://blogs.technet.microsoft.com/askds/2009/08/10/mapping-one-smartcard-certificate-to-multiple-accounts/

    With this feature I can export my smartcard's public certificate and map it to the desired AD user accounts on Windows Server 2012 R2. In my example, my Caroline smartcard can log in to the Caroline Philie AD user account and also to the ARole AD user account. In summary:

    • I map the Caroline certificate to the Caroline AD account.
    • I map the Caroline certificate to the ARole AD account.
    • My logon certificate template is set to build the subject name from AD.
    • When the certificate subject name is built from AD, I get an error when I try to renew my Caroline certificate with the ARole account. With the Caroline account the renewal works fine.
    • I changed my logon template to be able to renew my Caroline certificate in both accounts (ARole and Caroline). I select: Supply in the request, Use subject information from existing certificates for autoenrollment renewal requests, instead of Build from this Active Directory information. The renewal works fine with both accounts with this logon template configuration.

    But with these template settings, the Enrollment Agent has to fill in the user's subject name manually when issuing users' smartcards (the EA cannot use the Enroll On Behalf Of certificate request; he must use Request New Certificate). In an ideal world, it would be great to allow the EA to select the AD user account to fill the subject name, and to use subject information from existing certificates for autoenrollment renewal requests.

    Best Regards,

    Caroline

    Friday, September 2, 2016 1:25 PM
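The name-mapping step Caroline describes, done from PowerShell, as an added example that is not code from this thread or from Microsoft. It writes an issuer-and-serial (X509:<I>...<SR>...) altSecurityIdentities value for one exported smartcard certificate onto two accounts and then lists every account that certificate can log on as. The certificate path `C:\temp\caroline.cer`, the sAMAccountNames `cphilie` and `arole`, and the use of the RSAT ActiveDirectory module are assumptions; the thread does not give them.

```powershell
# Added example, not from the original thread. Maps one smartcard certificate to two AD
# accounts through altSecurityIdentities, then audits which accounts share that mapping.
# Assumes the RSAT ActiveDirectory module and rights to write altSecurityIdentities.
# Hypothetical inputs: the exported public cert 'caroline.cer' and the sAMAccountNames below.

Import-Module ActiveDirectory

function Get-X509IssuerSerialMapping {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # altSecurityIdentities expects the issuer DN with its RDNs in reverse order:
    # "DC=com,DC=contoso,CN=Contoso CA" for a certificate whose Issuer reads
    # "CN=Contoso CA, DC=contoso, DC=com". Simple split on commas; an RDN value
    # that itself contains a comma would need real DN parsing.
    $rdns = $cert.Issuer -split ',\s*'
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','

    # ...and the serial number with its byte order reversed relative to what the
    # certificate UI (and $cert.SerialNumber) shows, i.e. the hex pairs reversed.
    $hex = $cert.SerialNumber
    $pairs = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($pairs)
    $serial = $pairs -join ''

    "X509:<I>$issuer<SR>$serial"
}

function Add-CertificateMapping {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Mapping
    )
    # altSecurityIdentities is multi-valued; only add the value if it is not already there.
    $current = (Get-ADUser -Identity $Identity -Properties altSecurityIdentities).altSecurityIdentities
    if ($current -contains $Mapping) {
        Write-Verbose "$Identity already carries $Mapping"
        return
    }
    Set-ADUser -Identity $Identity -Add @{ altSecurityIdentities = $Mapping }
}

$mapping = Get-X509IssuerSerialMapping -CertPath 'C:\temp\caroline.cer'

# One certificate, two accounts, as in the thread (account names are assumed).
foreach ($account in 'cphilie', 'arole') {
    Add-CertificateMapping -Identity $account -Mapping $mapping
}

# Audit: every account this single certificate can now log on as.
Get-ADUser -LDAPFilter "(altSecurityIdentities=$mapping)" -Properties altSecurityIdentities |
    Select-Object SamAccountName, altSecurityIdentities
```

Two caveats a practitioner would want here. Whoever can write altSecurityIdentities on an account decides which certificate logs on as that account, so the audit query at the end deserves the same attention as group membership, and write access to the attribute should be limited to the PKI or directory team. Second, the issuer-plus-serial form used above is one of the mappings Microsoft classifies as strong under the later certificate-based authentication hardening (KB5014754); subject-only or e-mail mappings are treated as weak and are being phased out, so prefer <I><SR> or <SKI> when mapping one certificate to several accounts.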