Map certificates to user accounts
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
After you have decided how you are going to distribute your certificates, you must decide how to get the certificates to the intended clients, whether they are computers, internal users, or external users. You need to use certificate mapping for many types of certificates, such as those used for smart card logons.
If you have Active Directory, you can map certificates to clients based on their domain or organizational unit membership.
You must decide how you define subject and issuer name information in certificates because this directly impacts applications that use PKIs. For example, if a certificate does not contain the e-mail address name as part of the Subject or Subject Alternative name, some older e-mail applications cannot accept the certificate for digitally signing or encrypting e-mail messages.
Certificate mapping allows you to provide a more secure method for user authentication. With certificate mapping, you link a specific certificate to the account of a user. A server application can then use public key technology to authenticate the user by means of this certificate.
When certificate mapping is enabled, users are authenticated in Active Directory on the authority of the mapped certificates, and are granted rights and permissions based on the authentication.
You can map certificates to user accounts in the following ways:
One-to-one mapping. This creates an association between an individual certificate and a corresponding user account in Windows 2000 or Windows Server 2003.
Many-to-one mapping. This creates an association for all certificates from a specific CA to a Windows 2000 or Windows Server 2003 user account.
You can also use certificate mapping to authenticate external users who do not have an account in Active Directory.
Using One-to-One Mapping
One-to-one mapping requires more administrative effort than many-to-one mapping. Use one-to-one mapping when you have a relatively small number of clients. If you decide to use one-to-one mapping for a large number of clients, develop custom Web enrollment pages by using Active Server Pages (ASP) technology to automate the mapping process.
Using Many-to-One Mapping
Many-to-one mapping is useful for authenticating large numbers of users who require access to a given resource on your network, such as an internal Web site. The CA that issues certificates to these users must be chained to a trusted root for your site, domain, organizational unit (OU), or forest. You can then set rules that map all certificates issued by that CA to a single user account in Windows Server 2003.
Mapping rules check the information that is contained in the certificates of users, such as user organization and the issuing CA, to determine whether the information matches certain criteria. When the information in a user certificate matches the criteria, the user is mapped to a specified user account. The permissions set on the user account apply to all users who hold certificates issued from the trusted CA.
You can use separate many-to-one certificate mappings for different groups that require access to resources on your network. You can configure user accounts that grant different sets of rights and permissions on the basis of client ownership of valid certificates that match the mapping rules. For example, you can map your employees to a user account that grants read access to the entire Web site. Then, you can map consultants and employees of business partners to other user accounts that allow access only to non-confidential information and selected proprietary information.
Selecting IIS vs. Active Directory Mapping
You can use either Internet Information Services (IIS) or Active Directory to create your mapping. When IIS does the mapping, the certificate is compared to a list of rules that IIS maintains in its database until it finds a rule that matches the account indicated. You can configure IIS mapping for each Web server. This type of mapping is useful if you need only a limited number of mappings or a different mapping on each Web server.
In Active Directory mapping, when the IIS server receives a certificate from the user, it passes it on to Active Directory, which maps it to a Windows 2000 or Windows Server 2003 user account. The IIS server then logs on the account.
You can create an Active Directory mapping in one of two ways. You can rely on UPN mapping, or, if UPN mapping is not possible, you can manually map a certificate to the account of a user.
Use Active Directory mapping when the account mappings are identical on all IIS servers. Active Directory mapping is easier to maintain than IIS mapping because you only have to create the mapping in one location.
For more information about creating a mapping, see "Mapping certificates to user accounts" in Help and Support Center for Windows Server 2003.