PKI SC Logon with no UPN.


Hey,

I want to enable a Smart Card Logon using a certificate issued by a 3rd party.
One way, which is the easy way, is to add that CA into the directory - but this
option would require the certificate to contain a UPN.

My Q is:
how can I allow a logon based on a 3rd party certificate of user
authentication (probably Client Authentication), what does it require - if
possible? And how can it be restricted?

The designed environment is a Win 2k3 forest with an Ent CA (Net 1). Users of Net1
are required to log on into Net1 using existing 3rd party issued auth
certificates.

Thanks,

Lavie.
 
microsoft.public.win2000.security news group, Lavie BB:
<snip>

If you can't get whomever is providing you with the certificate to add
the UPN to the SAN, then you're not going to be able to use those
certificates for smart card logon. The UPN in the SAN is required.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
Scientists were excited this week at having isolated a brief sound which
occurred immediately before the Big Bang.
Apparently, the sound was, "uh oh".
 
Hey,

And 10x for the quick reply - but it isn't the right way...
What you have written I have already mentioned at the beginning of my note.
Is that a certified final answer or one based on previous study?

I did some research based on some MS articles, and I found two ways
mentioned.
* The first option regards trusting an out-of-forest CA and enabling login
according to the UPN - which is obvious and relatively easy to implement in a
closed environment.
* The second option, which I found very little technical data on, is mapping a
certificate to a user (domain - *** not IIS mapping ***) - on this point the
technical data I found mentioned it is possible to insert the certificate into
the AD (manually, as far as I understood) in order to allow logon.

My interest is in the second implementation and the technical data related to it (such
as what are the applications that can be performed, what does it require?
e.g.: EKU - Smart Card Logon)

Any Help would be welcomed.

Lavie.
Security Consultant.

*********************************************
 
<snip>

As Paul answered previously, you must have the UPN in the certificate
for smart card logon. In addition, you must ensure that the CA that
issued the certificate is added to the NTAuth store in AD.

No UPN = No smart card logon

For details on what is required to issue smart card certs from a 3rd
party CA, see the following KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;281245

From the article:

The smart card certificate has specific format requirements:
* The CRL Distribution Point (CDP) location (where CRL is the Certificate
Revocation List) must be populated, online, and available. For example:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://server1.name.com/CertEnroll/caname.crl
* Key Usage = Digital Signature
* Basic Constraints [Subject Type=End Entity, Path Length
Constraint=None] (Optional)
* Enhanced Key Usage =
  * Client Authentication (1.3.6.1.5.5.7.3.2) (The client authentication
  OID is only required if a certificate is used for SSL authentication.)
  * Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
* Subject Alternative Name = Other Name: Principal Name= (UPN). For
example:
UPN = (e-mail address removed)
The UPN OtherName OID is: "1.3.6.1.4.1.311.20.2.3"
The UPN OtherName value: Must be an ASN1-encoded UTF8 string
* Subject = Distinguished name of user. This field is a mandatory
extension, but the population of this field is optional.


Note that the SAN must include the UPN

Brian
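As an added example (not from the thread or the KB article), the Python below builds the Subject Alternative Name entry in exactly the form listed above (otherName with OID 1.3.6.1.4.1.311.20.2.3 and an explicitly tagged UTF8String value) and checks a SAN extension value for it, returning None for an rfc822Name e-mail address or for a UPN otherName whose value is not a UTF8String. It uses hand-rolled DER with no third-party library; the UPN user1@home.com in the test is a constructed sample.

```python
# Added example, not from the thread: hand-rolled DER for the UPN SAN entry.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME, the UPN otherName type

def _tlv(tag, body):                  # DER tag + length (short or long form) + value
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(b)]) + b + body

def _oid_body(dotted):                # OID content octets, base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for v in arcs[2:]:
        groups = [(v >> (7 * i)) & 0x7F for i in range((v.bit_length() + 6) // 7 or 1)]
        out += bytes([g | 0x80 for g in groups[:0:-1]] + [groups[0]])
    return bytes(out)

def encode_upn_san(upn, string_tag=0x0C):
    # GeneralNames { [0] otherName { type-id OID, value [0] EXPLICIT UTF8String } }.
    # A string_tag other than 0x0C (UTF8String) builds a deliberately wrong value.
    value = _tlv(0xA0, _tlv(string_tag, upn.encode("utf-8")))
    return _tlv(0x30, _tlv(0xA0, _tlv(0x06, _oid_body(UPN_OID)) + value))

def _read_tlv(buf, pos):              # one TLV: tag, value, position after it
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):                  # TLVs inside a constructed value
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val

def find_upn(san_der):                # UPN string, or None if absent or mis-encoded
    tag, names, _ = _read_tlv(san_der, 0)
    for gtag, gval in (_children(names) if tag == 0x30 else []):
        kids = list(_children(gval)) if gtag == 0xA0 else []
        if len(kids) != 2 or kids[0] != (0x06, _oid_body(UPN_OID)):
            continue                  # rfc822Name, dNSName or a different otherName
        inner = list(_children(kids[1][1])) if kids[1][0] == 0xA0 else []
        if len(inner) == 1 and inner[0][0] == 0x0C:
            return inner[0][1].decode("utf-8")
        return None                   # UPN otherName present but not a UTF8String
    return None
```

The same walk can be run over the value of a real certificate's SAN extension (OID 2.5.29.17) once it has been pulled out of the certificate with whatever X.509 parser you already have.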
 
Brian Komar said:
<snip>

But what to do if the UPN points to a non-domain user?
For example, my domain is home.com and the user's name in this domain is
user1, but the UPN in my certificate = (e-mail address removed).
What to do?
And the last thing: please explain to me how to add the CA's certificate to the
NTAuth store in win2k sp4 (without the Resource Kit)?

Roman
 