What's New in AD DS: Authentication Mechanism Assurance

  • Article

Applies To: Windows Server 2008 R2

What are the major changes?

Authentication mechanism assurance is a new feature in Active Directory Domain Services (AD DS) in Windows Server 2008 R2. This feature is not enabled by default. It requires a domain functional level of Windows Server 2008 R2 as well as a certificate-based authentication infrastructure and additional configuration.

What does authentication mechanism assurance do?

When you enable it, authentication mechanism assurance adds an administrator-designated, universal group membership to a user's access token when the user's credentials are authenticated during logon with a certificate-based logon method. This makes it possible for network resource administrators to control access to resources, such as files, folders, and printers, based on whether the user logs on with a certificate-based logon method and the type of certificate that is used for logon. For example, when a user logs on with a smart card, the user's access to resources on the network can be specified as different from what that access would be when the user does not use a smart card (that is, when the user types a user name and password). Without authentication mechanism assurance, there is no distinction in the access token of a user who logs on with certificate-based authentication and a user who logs on with a different method of authentication.

Who will be interested in this feature?

This feature is intended to be used with Active Directory Federation Services (AD FS), custom authorization schemes, or both. Therefore, organizations that have or plan to deploy AD FS or custom authorization schemes will be interested in this feature.

The following groups or people might be interested in these changes:

  • Information security administrators or officers

  • Enterprise administrators

  • Secured resource administrators

  • Information security and regulatory compliance auditors

  • Chief information officers (CIOs)

Are there any special considerations?

This feature is intended for organizations that use certificate-based authentication methods, such as smart card or token-based authentication systems. Organizations that do not use certificate-based authentication methods will not be able to use authentication mechanism assurance, even if they have Windows Server 2008 R2 domain controllers with their domain functional level set to Windows Server 2008 R2.

What new functionality does this feature provide?

Authentication mechanism assurance makes it possible for access to network resources to be controlled to recognize certificate-based logons using certificates that were issued by specific certificate issuance policies. When a certificate-based logon method (for example, smart-card logon) is used and authentication mechanism assurance is enabled, an additional group membership is added to the user's access token during logon. An administrator links the universal group membership to a specific certificate issuance policy, which is included in the certificate template. Because different certificate issuance policies can be linked to different universal groups, the administrator can use group membership to identify whether a certificate was used during the logon operation. The administrator can also distinguish between different certificates based on the certificate issuance policy object identifier (OID) that corresponds to the certificate issuance policy from which the certificate was issued. Ultimately, authentication mechanism assurance makes it possible for resource administrators to secure resources by using group memberships that recognize that a user was authenticated with a certificate-based authentication method that used a certificate that was issued from a particular certificate issuance policy.

For example, assume a user named Tom has a smart card with a certificate that was issued from a certificate issuance policy named Top Secret. If authentication mechanism assurance is used to map certificates issued from the Top Secret certificate issuance policy to provide membership in a universal group named Top Secret Users, when Tom logs on using his smart card, he receives an additional group membership indicating that he is a member of Top Secret Users. Resource administrators can set permissions on resources so that only members of Top Secret Users are granted access. This means that when Tom logs on using his smart card, he can access resources that grant access to Top Secret Users, but he cannot access those resources when he logs on without using the smart card (for example, by typing a user name and password).

How should I prepare to deploy this feature?

If you want to implement authentication mechanism assurance, the domain functional level has to be increased to Windows Server 2008 R2. You must also have or establish a certificate-based authentication method. The certificates to be used for logon must be distributed from a certificate issuance policy, because it is the certificate issuance policy OID that is linked to a universal security group membership.

Which editions include this feature?

Authentication mechanism assurance is available in the following editions of Windows Server 2008 R2 (including editions without Hyper-V™):

  • Windows Server 2008 R2 Standard

  • Windows Server 2008 R2 Enterprise

  • Windows Server 2008 R2 Datacenter

Windows Web Server 2008 R2 does not include Active Directory Domain Services (AD DS). Therefore, Windows Web Server 2008 R2 cannot be used to enable or implement authentication mechanism assurance. However, any client or server operating system that is able to interpret Windows® access tokens, including Windows Web Server 2008 R2, can be used to grant or deny access based on the group membership or memberships that are added to a user's token by authentication mechanism assurance.

Additional references

To learn how to implement authentication mechanism assurance, see the following Step-by-Step guides: