Certificate Mapping

  • Article

You can use certificate mapping to control access to network resources for domain user accounts. You also can use certificate mapping to control access to Web site resources for Internet Information Services.

Domain User Accounts

You can use the Active Directory Users and Computers console (an MMC snap-in) to map user certificates to individual network user accounts. The mapped certificates are used to authenticate users during the Kerberos authentication process. Authenticated users are granted the rights and permissions for user accounts on the basis of ownership of valid certificates. Smart card logon certificates are a special type of mapped certificate. During the smart card logon enrollment process, the system maps the smart card certificates to the users' corresponding Windows 2000 user accounts automatically.

Before you can map certificates, you must point to the Active Directory Users and Computers console, and then click View and Advanced Features . To map certificates, right-click a user account, and then click Name Mappings . When the Security Identity Mapping dialog box appears, click Add to import the certificates that you want to map to the user account. You can map multiple certificates to a user account. For example, you might issue EFS Recovery Agent certificates to smart cards for designated recovery agents and then map the smart card certificates to EFS recovery user accounts. The smart cards are then required to authenticate the EFS recovery agents when logging on to the network for the EFS recovery accounts, providing an additional level of security for them.

You can map certificates only to individual user accounts; not to security groups. If you map certificates that are not stored on smart cards, users can log on only to the mapped user account from the computer where the private key is located, unless smart cards or roaming profiles are being used.

Internet Information Services

For Internet Information Services, you can map certificates to user accounts that control access to Web resources. The mapped certificates are used either to deny access to Web resources or to grant rights and permissions for the mapped user account. You can map one certificate to one user account (one-to-one mapping) or you can map many certificates to one user account (many-to-one mapping). Many-to-one mapping uses rules to define the certificate criteria for mapping. If certificates match the rules, they are mapped to the appropriate account. For example, you can define rules that map certificates to different user accounts on the basis of the specific CA that issued the certificate. All clients with certificates that are issued by a qualifying CA are mapped to the appropriate user account and granted the respective rights and permissions for that account.

For more information about certificate mapping with Internet Information Services, see "Choosing Security Solutions That Use Public Key Technology" in this book.