AD Name Mappings - Default Accounts

  • Question

  • I was wondering if it is possible to do the following: I want users to present their client certificate for authentication.  If the certificate is properly mapped to an AD account (one-to-one), the user is logged in as that user.  If there is no corresponding account, the user is logged in as a "default" user. 

    I know it is possible to do the one to one mapping and the default account can be achieved by the many to one approach.  However, the mapping of the certificates is by the same organization.  So it seems that a particular user account would map to both the specific account and to the many to one account since the identifiers would be so close.

    Is there a way to tell AD, if an account exists one to one to use it, otherwise if the many to one is matched then use the default account?

    I hope that makes sense,

    Mark

    Thursday, March 29, 2012 8:18 PM

All replies

  • I was wondering if it is possible to do the following: I want users to present their client certificate for authentication.  If the certificate is properly mapped to an AD account, the user is logged in as that user.  If there is no corresponding account, the user is logged in as a "default" user. 

    I know it is possible to do the one to one mapping and the default account can be achieved by the many to one approach.  However, the mapping of the certificates is by the same organization.  So it seems that a particular user account would map to both the specific account and to the many to one account since the identifiers would be so close.

    Is there a way to tell AD, if an account exists one to one to use it, otherwise if the many to one is matched then use the default account?

    I hope that makes sense,

    Mark

    • Merged by Bruce-Liu Friday, March 30, 2012 8:27 AM
    Thursday, March 29, 2012 7:50 PM
  • Hello,

    You need to do a 2-factor authentication with Smartcard or RSA token, for example. We use RSA with Citrix access gateways, so AD account and Token as second factor. Within the domain, logon is possible with only the domain account.

    The security forum is here the better place to ask for options http://social.technet.microsoft.com/Forums/en/winserversecurity/threads


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Thursday, March 29, 2012 7:59 PM
  • I was wondering if it is possible to do the following: I want users to present their client certificate for authentication.  If the certificate is properly mapped to an AD account, the user is logged in as that user.  If there is no corresponding account, the user is logged in as a "default" user.

    Just need to make something clear: this is about client certificate authentication to a Web server. You would like to implement one-to-one certificate mapping and have many-to-one mapping as the fall-back option. If so, is the web server IIS, and which version?

    -= F1 is the Key =-

    Thursday, March 29, 2012 10:17 PM
  • Please use Security forum and ask your question.

    Here is Security forum link:

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, March 29, 2012 11:26 PM
  • Actually it is using TMG 2010 with AD Name Mapping.   Windows Server 2008.

    Thanks

    Mark

    Friday, March 30, 2012 12:53 PM
  • Thanks.  I thought that is the forum I am in now. Mark

    Friday, March 30, 2012 12:54 PM
  • It appears Windows Server 2008 is working as follows:

    1. If a certificate maps directly to an account, the account is used.

    2. If a certificate does not map to a specific account, but matches a wildcard, the wildcard account is used.

    Thanks everyone,

    Mark

    • Marked as answer by cdr_pfeifer Thursday, April 5, 2012 7:24 PM
    Thursday, April 5, 2012 7:24 PM
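The resolution order Mark reports above (a direct one-to-one mapping wins; an issuer-wide many-to-one mapping is only the fall-back) can be modelled to check how a given certificate would resolve before relying on it. The following is an added illustration written for this thread, not Windows, TMG or AD code. It uses the altSecurityIdentities X509 syntax (`X509:<I>issuer<S>subject`, with `<S>` omitted for an issuer-only mapping); the account names, distinguished names and the `DIRECTORY` table are constructed sample data, and treating two accounts that claim the same certificate at the same tier as an error is an assumption of this model, since the thread does not say what Windows does in that case.

```python
"""Model of the certificate-to-account precedence the thread describes:
a mapping that names the subject (one-to-one) is tried first, and an
issuer-only mapping (many-to-one, the "default" account) is the fall-back.

Added example for this thread; not Windows, TMG or Active Directory code.
Mapping strings use the altSecurityIdentities X509 form. All names below
are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Mapping:
    account: str
    issuer: Optional[str]   # None when the mapping does not constrain the issuer
    subject: Optional[str]  # None for an issuer-only (many-to-one) mapping


def parse_alt_sec_id(account: str, value: str) -> Mapping:
    """Parse one altSecurityIdentities value such as 'X509:<I>issuer<S>subject'."""
    if not value.startswith("X509:"):
        raise ValueError(f"not an X509 mapping: {value!r}")
    body = value[len("X509:"):]
    issuer = subject = None
    # <I> (issuer) comes first, <S> (subject) second; either may be absent.
    if "<S>" in body:
        body, subject = body.split("<S>", 1)
    if body.startswith("<I>"):
        issuer = body[len("<I>"):]
    elif body:
        raise ValueError(f"malformed mapping: {value!r}")
    issuer, subject = issuer or None, subject or None
    if issuer is None and subject is None:
        raise ValueError(f"mapping names neither issuer nor subject: {value!r}")
    return Mapping(account, issuer, subject)


def load_mappings(directory: dict[str, list[str]]) -> list[Mapping]:
    """Flatten an {account: [altSecurityIdentities values]} table into Mapping rows."""
    return [parse_alt_sec_id(acct, v) for acct, values in directory.items() for v in values]


def resolve(cert_issuer: str, cert_subject: str,
            mappings: list[Mapping]) -> Optional[tuple[str, str]]:
    """Return (account, tier) for a presented certificate, or None if unmapped.

    tier is 'one-to-one' when a subject-specific mapping matched and
    'many-to-one' when only an issuer-only mapping matched.
    """
    def matches(m: Mapping) -> bool:
        return ((m.issuer is None or m.issuer == cert_issuer)
                and (m.subject is None or m.subject == cert_subject))

    # Tier 1: mappings that name this subject (the direct, one-to-one case).
    specific = {m.account for m in mappings if m.subject is not None and matches(m)}
    if len(specific) > 1:
        raise LookupError(f"ambiguous one-to-one mapping: {sorted(specific)}")
    if specific:
        return specific.pop(), "one-to-one"
    # Tier 2: issuer-only mappings (the many-to-one / default-account case).
    fallback = {m.account for m in mappings if m.subject is None and matches(m)}
    if len(fallback) > 1:
        raise LookupError(f"ambiguous many-to-one mapping: {sorted(fallback)}")
    if fallback:
        return fallback.pop(), "many-to-one"
    return None


# Constructed sample directory: one named user plus an issuer-wide default.
CA = "DC=com,DC=contoso,CN=Contoso Issuing CA"
MARK = "CN=Mark,OU=Users,DC=contoso,DC=com"
JANE = "CN=Jane,OU=Users,DC=contoso,DC=com"
DIRECTORY = {
    "CONTOSO\\mark": [f"X509:<I>{CA}<S>{MARK}"],
    "CONTOSO\\cert-default": [f"X509:<I>{CA}"],
}
MAPPINGS = load_mappings(DIRECTORY)

if __name__ == "__main__":
    for subject in (MARK, JANE):
        print(subject, "->", resolve(CA, subject, MAPPINGS))
    print("other CA ->", resolve("DC=com,DC=fabrikam,CN=Other CA", MARK, MAPPINGS))
```

Running the block shows Mark's certificate landing on his own account while any other certificate from the same CA falls through to the default account; a certificate from an unlisted issuer resolves to nothing. When auditing a real directory, the point to check is that every issuer-only mapping really is meant to catch everyone from that CA, because it silently grants the default account to any certificate that CA ever issues.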