Account expires and Client Certificate Mapping

  • Question

  • I am testing a user account that has an account expiration date in the past.  When I attempt to authenticate using RSA Access Manager, I see event messages stating the account is expired and a Windows token will not be created.

     

    However, when we use client certificates and named mappings in AD, the user is authenticated and let into the web site.

    Is there something I am missing regarding Account Expires and why the user is still allowed in using certificates?

    Thanks

    Mark

    Wednesday, November 30, 2011 4:24 PM

Answers

  • One-to-one mapping is a type of AD mapping where each user has its own altSecurityIdentities entry.

    In any case, a simple capture will reveal what the DC is returning to IIS. As I mentioned above, you can try disabling an account and see if that fails; alternatively, you can switch to testing a SAN UPN mapping.

    Here you can see a chart of what are the different methods:

    http://blogs.msdn.com/b/spatdsg/archive/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute.aspx

    Sunday, December 4, 2011 10:59 AM
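The accepted answer separates two questions that the thread runs together: does the presented certificate map to the account (an altSecurityIdentities lookup, or for the SAN UPN case an implicit match against userPrincipalName), and is the account still valid (the accountExpires check)? The Python below is an added example, not code from the thread or from Microsoft, that models both checks offline so the two can be seen to be independent. It assumes the documented altSecurityIdentities string forms (X509:<I>issuer<S>subject and X509:<I>issuer<SR>serial, with DNs written root-first without spaces and the serial number in reversed byte order) and a FILETIME accountExpires value; the user record, DNs and serial number are constructed sample data, not values from the thread.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# accountExpires is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# Two sentinel values mean "never expires": 0 and 0x7FFFFFFFFFFFFFFF.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert an accountExpires value to an aware datetime, or None for 'never'."""
    if ticks in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime, used here to build sample accountExpires values."""
    return int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000


def account_is_expired(account_expires: int, now: Optional[datetime] = None) -> bool:
    """The Account Expires test: expired once 'now' is on or after accountExpires."""
    expires = filetime_to_datetime(account_expires)
    if expires is None:
        return False
    now = now or datetime.now(timezone.utc)
    return now >= expires


def reverse_dn(dn: str) -> str:
    """Rewrite a DN as Windows displays it on a certificate ("CN=leaf, OU=x, DC=contoso, DC=com")
    into the root-first, space-free form used inside altSecurityIdentities.
    Escaped commas (\\,) inside an RDN value are kept intact."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return ",".join(reversed(rdns))


def issuer_subject_mapping(issuer_dn: str, subject_dn: str) -> str:
    """X509:<I>...<S>... form (one-to-one mapping on issuer plus subject)."""
    return f"X509:<I>{reverse_dn(issuer_dn)}<S>{reverse_dn(subject_dn)}"


def issuer_serial_mapping(issuer_dn: str, serial_hex: str) -> str:
    """X509:<I>...<SR>... form; the serial number is stored with its bytes reversed."""
    serial = bytes.fromhex(serial_hex)
    return f"X509:<I>{reverse_dn(issuer_dn)}<SR>{serial[::-1].hex().upper()}"


def evaluate_logon(user: dict, presented_mapping: str, now: datetime) -> dict:
    """Run the mapping lookup and the expiry check separately and combine them.
    A mapping hit alone must not be treated as a successful logon."""
    mapped = presented_mapping in user["altSecurityIdentities"]
    expired = account_is_expired(user["accountExpires"], now)
    return {"mapped": mapped, "expired": expired, "allow": mapped and not expired}


# Constructed sample data (hypothetical CA, user and serial number, not from the thread).
SAMPLE_ISSUER = "CN=CONTOSO-DC-CA, DC=contoso, DC=com"
SAMPLE_SUBJECT = "CN=mfatest, OU=UserAccounts, DC=contoso, DC=com"
SAMPLE_SERIAL = "2B0000000011AC0000000012"

SAMPLE_USER = {
    "sAMAccountName": "mfatest",
    # Account Expires set to 9/1/2008, as in the poster's test.
    "accountExpires": datetime_to_filetime(datetime(2008, 9, 1, tzinfo=timezone.utc)),
    "altSecurityIdentities": [
        issuer_subject_mapping(SAMPLE_ISSUER, SAMPLE_SUBJECT),
        issuer_serial_mapping(SAMPLE_ISSUER, SAMPLE_SERIAL),
    ],
}


def sample_result() -> dict:
    """Certificate maps, account is expired: the logon must still be refused."""
    presented = issuer_subject_mapping(SAMPLE_ISSUER, SAMPLE_SUBJECT)
    return evaluate_logon(SAMPLE_USER, presented, datetime(2011, 11, 30, tzinfo=timezone.utc))


if __name__ == "__main__":
    for entry in SAMPLE_USER["altSecurityIdentities"]:
        print(entry)
    print(sample_result())
```

The reversed-DN and reversed-serial conventions are the usual source of "mapping silently fails" problems, so the string builders are worth keeping next to whatever populates altSecurityIdentities. The evaluate_logon result for the sample user is mapped=True, expired=True, allow=False, which is the decision the poster expected and reports TMG making.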

All replies

  • Hi,

     

    I would like to confirm the following questions:

     

    1.     What do you mean by "However, when we use client certificates and named mappings in AD, the user is authenticated and let into the web site"?

    2.     Can you log on to a domain client with the expired account?

    3.     Are these domain clients disconnected from the domain?

    4.     Did this account log on to a domain client before it expired?

     

    Based on the current situation, please modify the following registry value to clear cached passwords and check the result:

     

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

     

    ValueName: CachedLogonsCount

    Data Type: REG_SZ

    Values: 0 - 50

     

    If you set the value to "0", no credentials will be cached. The default cached count is 10.

     

    Regards,

     

    Forum Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Arthur Li

    TechNet Community Support

    Thursday, December 1, 2011 9:21 AM
    Moderator
  • Thank you. More information...

    1. Project Server 2007 with AD 2003 and IIS.
    2. All "users" are domain users in AD and do not physically log on to a server.
    3. Users access the web site which requires client certificates and has the mapping attributes set.
    4. All users have the altSecurityIdentity field set with the client certificate information.

    With that said, we set an Account Expires date for a user (9/1/2008 for example).  The user accesses the web site, presents a certificate, enters a pin and the user is allowed in to the web site.  The web server logs a logon attempt for the user, but it seems the account expires date is not checked when using certificate mappings.

    As for your questions: when actually using the user account and logging on to the server, the user is presented with an "account is expired" message and is not allowed to go any further.

    Registry setting is already zero.

    Thanks

    Mark

     


    Thursday, December 1, 2011 4:20 PM
  • If you're using one-to-one mapping then it is strange :) Can you try disabling that account and see whether you get the same result?
    Thursday, December 1, 2011 5:00 PM
  • Not one-to-one mapping in IIS.  IIS is set to Windows Directory Services mapping and client certificate mapping.  The mapping is actually done in AD.

     

    Oddly enough, TMG 2010 handles this and does not allow the user in due to an expired account error.

     

    Thursday, December 1, 2011 6:02 PM
  • Hi,

     

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

     

    Regards,

     

    Arthur Li

    Forum Support

    TechNet Community Support

    Thursday, December 8, 2011 7:04 AM
    Moderator