Mapping with Certificate-Based Authentication

Applies To: Windows Server 2008, Windows Server 2008 R2

Certificate-based authentication is more secure than password-based authentication: the user proves possession of a private key that is never sent over the network, so there is no password to guess, capture, or phish. In addition, when you map certificates to user accounts instead of using password-based authentication methods, the NPS server validates the certificate against the trusted partner CA and the mapped local account itself, and the authentication request is not forwarded to the partner organization Remote Authentication Dial-In User Service (RADIUS) server and user account database. For these reasons, certificate mapping enhances security and can significantly reduce logon time for users.

A certificate is mapped to a user account in one of two ways: a single certificate is mapped to a single user account (one-to-one mapping) or multiple certificates are mapped to one user account (many-to-one mapping).

One-to-One Mapping

For one-to-one mapping of certificates to visitor user accounts, you must perform the following tasks:

  • Create a user account for each visitor.

    Because the user account itself is not mapped to the user account at the partner organization, the user account names do not have to exactly match the user account names in the partner organization user accounts database. Configuring the local account with the same user name, however, can make it easier to configure realm manipulation rules.

  • Map the certificate to a user account.

  • Perform cross-certification or authorize the partner organization certification authority (CA) as a qualified subordinate CA by using a computer running Windows Server 2008 and Active Directory Certificate Services (AD CS) or Windows Server 2003, Enterprise Edition, and Certificate Services.

    Performing cross-certification or authorizing the partner organization CA as a qualified subordinate CA is recommended for domains with a Windows Server 2008 or Windows Server 2003 domain functional level and clients running Windows Vista or Windows XP. If your domains are Windows 2000 native, it is recommended that you use a certificate trust list (CTL) instead.

  • Configure your NPS server or NPS proxy server.

    Because authentication requests are not forwarded to external RADIUS servers when authentication is performed with mapped certificates, you are not required to use NPS as a proxy server.

  • Configure a connection request policy for visitor access by using the New Connection Request Policy Wizard.

  • Create a realm manipulation rule to map the partner organization realm name, which is contained in the user certificate, to the local user account of the user.

    For example, if user@example.com is mapped to user@microsoft.com, the realm manipulation rule must replace “@example.com” with “@microsoft.com” by using regular expressions. Because the rule is a regular expression, escape the dot and anchor the pattern to the end of the user name so that only names in the partner realm are rewritten.

  • Configure a network policy for visitor access.

  • Ensure that network access servers (NASs) are configured as RADIUS clients to this NPS server.

    When visitors log on to your network, they do so through NASs, such as wireless access points (APs). These APs must be configured as RADIUS clients to your NPS proxy server or NPS server.

Many-to-One Mapping

Many-to-one certificate mapping allows you to map many certificates to one user account. After you have trusted the enterprise root CA of a partner organization, you can map all certificates issued by the partner organization CA to one account that you create in your local domain. This solution provides ease of management for many users, and eliminates the need to create an individual user account for every visitor to your organization. Because every certificate that chains to the partner CA then authenticates as that one account, the shared account should carry only the permissions visitors need, and the constraints you apply when you cross-certify or qualify the partner CA define how far that trust extends.

For many-to-one mapping of certificates, you must perform the following steps:

  • Perform cross-certification or authorize the partner organization CA as a qualified subordinate CA by using a computer running Windows Server 2008 and AD CS or Windows Server 2003, Enterprise Edition, and Certificate Services.

    Performing cross-certification or authorizing the partner organization CA as a qualified subordinate CA is recommended for domains with a Windows Server 2008 or Windows Server 2003 domain functional level and clients running Windows Vista or Windows XP. If your domains are Windows 2000 native, it is recommended that you use a certificate trust list (CTL) instead.

  • Create one user account and map the partner organization certificates to the account.

  • Configure your NPS server or NPS proxy server.

    Because authentication requests are not forwarded to external RADIUS servers when authentication is performed with mapped certificates, you are not required to use NPS as a proxy server.

  • Configure a connection request policy for visitor access by using the New Connection Request Policy Wizard.

  • Create a realm manipulation rule to map the partner organization realm name, which is contained in the user's certificate, to the user's local user account.

    For example, if user@tailspintoys.com is mapped to user@microsoft.com, the realm manipulation rule must replace “@tailspintoys.com” with “@microsoft.com” by using regular expressions.

  • Configure a network policy for visitor access.

  • Ensure that NASs are configured as RADIUS clients to this NPS server.

    When visitors log on to your network, they do so through NASs, such as wireless APs. These APs must be configured as RADIUS clients to your NPS proxy server or NPS server.
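The following PowerShell script is an added example and is not part of the original page. It covers both the one-to-one and the many-to-one procedures above: it builds the altSecurityIdentities value that the Name Mappings dialog in Active Directory Users and Computers writes for each mapping type, adds it to a local account, and applies the kind of regular-expression realm rule that a connection request policy uses on the User-Name attribute. The account names alice and tailspin-visitor, the CA and user distinguished names, the realm names, and the path C:\visitors\alice.cer are assumptions; Set-ADUser requires the Active Directory module, which ships with Windows Server 2008 R2.

```powershell
# Added example, not from the original page. Names, DNs and paths are assumed.

# Active Directory stores a certificate mapping in the multi-valued
# altSecurityIdentities attribute as an X509 issuer (and optionally subject)
# string with the DN components reversed, most-significant component first:
#   one-to-one : X509:<I>DC=com,DC=tailspintoys,CN=Tailspin CA<S>DC=com,DC=tailspintoys,CN=Users,CN=alice
#   many-to-one: X509:<I>DC=com,DC=tailspintoys,CN=Tailspin CA
function ConvertTo-ReversedDn {
    param([Parameter(Mandatory = $true)][string]$Dn)
    # Split on commas that are not escaped with a backslash, then reverse the order.
    $parts = [regex]::Split($Dn, '(?<!\\),\s*')
    [array]::Reverse($parts)
    return ($parts -join ',')
}

# One-to-one: issuer and subject of this particular certificate.
function Get-OneToOneMapping {
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $issuer  = ConvertTo-ReversedDn -Dn $Certificate.Issuer
    $subject = ConvertTo-ReversedDn -Dn $Certificate.Subject
    return "X509:<I>$issuer<S>$subject"
}

# Many-to-one: issuer only, so every certificate issued by that CA matches.
function Get-ManyToOneMapping {
    param([Parameter(Mandatory = $true)][string]$IssuerDn)
    return "X509:<I>$(ConvertTo-ReversedDn -Dn $IssuerDn)"
}

# Add a mapping to a local account. Requires the Active Directory module
# (Windows Server 2008 R2); on Windows Server 2008 use the Name Mappings
# dialog in Active Directory Users and Computers instead.
function Add-CertificateMapping {
    param([Parameter(Mandatory = $true)][string]$SamAccountName,
          [Parameter(Mandatory = $true)][string]$Mapping)
    Import-Module ActiveDirectory
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $Mapping }
}

# Realm rule: the same Find/Replace a connection request policy applies to the
# User-Name attribute. Anchor the realm with $ and escape the dot so that only a
# name that ends in the partner realm is rewritten.
function Invoke-RealmRule {
    param([Parameter(Mandatory = $true)][string]$UserName,
          [Parameter(Mandatory = $true)][string]$Find,
          [Parameter(Mandatory = $true)][string]$Replace)
    return [regex]::Replace($UserName, $Find, $Replace)
}

# ---- usage with constructed sample values (assumed names) ----
$partnerCaDn = 'CN=Tailspin Toys Issuing CA, DC=tailspintoys, DC=com'

# Many-to-one: map the whole partner CA to the shared account "tailspin-visitor".
$manyToOne = Get-ManyToOneMapping -IssuerDn $partnerCaDn
Write-Host "many-to-one: $manyToOne"
# Add-CertificateMapping -SamAccountName 'tailspin-visitor' -Mapping $manyToOne

# One-to-one: map one visitor certificate exported by the partner to a local account.
$cerPath = 'C:\visitors\alice.cer'
if (Test-Path $cerPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    $oneToOne = Get-OneToOneMapping -Certificate $cert
    Write-Host "one-to-one:  $oneToOne"
    # Add-CertificateMapping -SamAccountName 'alice' -Mapping $oneToOne
}

# Realm manipulation from the text: alice@tailspintoys.com becomes alice@microsoft.com,
# while a look-alike such as alice@tailspintoys.com.example is left alone.
foreach ($name in 'alice@tailspintoys.com', 'alice@tailspintoys.com.example') {
    $rewritten = Invoke-RealmRule -UserName $name -Find '@tailspintoys\.com$' -Replace '@microsoft.com'
    Write-Host "$name -> $rewritten"
}
```

The two Add-CertificateMapping calls are left commented so the script can be run read-only first; uncomment them once the printed mapping strings match the issuer and subject shown on the partner certificate. The realm pattern is anchored with `$` and the dot escaped because the Find field in a connection request policy is a regular expression: an unanchored "@tailspintoys.com" would also rewrite names in a look-alike realm.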

Note

For strong security between your NPS proxy server and your partner organization RADIUS servers, you can use Internet Protocol security (IPsec).