Map a Certificate to a User Account

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

To map a certificate to a user account

  1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

    To open Active Directory Users and Computers in Windows Server® 2012, click Start, and then type dsa.msc.

  2. On the View menu, select Advanced Features.

  3. In the console tree, click Users.

    Where?

    • Active Directory Users and Computers/domain node/Users

    Or, click the folder that contains the user account.

  4. In the details pane, right-click the user to which you want to map a certificate, and then click Name Mappings.

  5. In the Security Identity Mapping dialog box, on the X.509 Certificates tab, click Add.

  6. Type the name and path of the .cer file that contains the certificate that you want to map to this user account, and then click Open.

  7. Do one of the following:

    • To map the certificate to one account (one-to-one mapping), confirm that both the Use Issuer for alternate security identity check box and the Use Subject for alternate security identity check box are selected.

    • To map any certificate that has the same subject to the user account, regardless of the issuer of the certificate (many-to-one mapping), clear the Use Issuer for alternate security identity check box, and confirm that the Use Subject for alternate security identity check box is selected.

    • To map any certificate that has the same issuer to the user account, regardless of the subject of the certificate (many-to-one mapping), clear the Use Subject for alternate security identity check box, and confirm that the Use Issuer for alternate security identity check box is selected.
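The three check-box combinations in step 7 each produce a different value in the user's altSecurityIdentities attribute, which is the attribute the Name Mappings dialog populates. The following PowerShell is an added example, not code from the original article or from the Active Directory Users and Computers tool: it builds the same X509:&lt;I&gt;…&lt;S&gt;… value from a .cer file, applies it with the RSAT ActiveDirectory module, and audits existing mappings. The certificate path, the user name jsmith and the domain names in the comments are assumptions for illustration.

```powershell
# Added example; not part of the original article or the ADUC tool.
# Builds the altSecurityIdentities value that the Name Mappings dialog writes
# for each choice in step 7, applies it, and audits existing mappings.
# Assumptions (not from the article): a .cer file at $CertPath, a user named
# 'jsmith', and the RSAT ActiveDirectory module on the administrative host.

# Turn a display-order DN ("CN=jsmith, CN=Users, DC=contoso, DC=com", as shown in
# the certificate's Subject and Issuer fields) into the root-first, no-space form
# used in altSecurityIdentities ("DC=com,DC=contoso,CN=Users,CN=jsmith").
# Commas inside quoted values (CN="Smith, John") are kept intact.
function ConvertTo-AltSecIdName {
    param([Parameter(Mandatory)][string]$DisplayName)
    $rdns = New-Object System.Collections.Generic.List[string]
    $current  = ''
    $inQuotes = $false
    foreach ($ch in $DisplayName.ToCharArray()) {
        if ($ch -eq '"') { $inQuotes = -not $inQuotes }
        if ($ch -eq ',' -and -not $inQuotes) {
            $rdns.Add($current.Trim()); $current = ''
        } else {
            $current += $ch
        }
    }
    if ($current.Trim()) { $rdns.Add($current.Trim()) }
    $rdns.Reverse()
    return ($rdns -join ',')
}

# Produce the mapping string for one of the three step-7 choices.
function Get-CertificateNameMapping {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [ValidateSet('IssuerAndSubject', 'SubjectOnly', 'IssuerOnly')]
        [string]$Mode = 'IssuerAndSubject'
    )
    # X509Certificate2 loads both DER and Base64 .cer files, the formats the article accepts.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $issuer  = ConvertTo-AltSecIdName $cert.Issuer
    $subject = ConvertTo-AltSecIdName $cert.Subject
    switch ($Mode) {
        'IssuerAndSubject' { return "X509:<I>$issuer<S>$subject" }  # one-to-one: both boxes selected
        'SubjectOnly'      { return "X509:<S>$subject" }            # many-to-one: Use Issuer cleared
        'IssuerOnly'       { return "X509:<I>$issuer" }             # many-to-one: Use Subject cleared
    }
}

# Write the mapping to the same attribute the Name Mappings dialog populates.
function Add-CertificateNameMapping {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Mapping
    )
    Import-Module ActiveDirectory
    Set-ADUser -Identity $Identity -Add @{ altSecurityIdentities = $Mapping }
}

# Audit: list every mapping that is based only on subject and/or issuer names.
# Since KB5014754, Windows treats those as weak mappings; the strong forms are
# <I>...<SR>... (issuer plus serial number), <SKI> and <SHA1-PUBKEY>.
function Get-WeakCertificateMappings {
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'altSecurityIdentities -like "*"' -Properties altSecurityIdentities |
        ForEach-Object {
            foreach ($m in $_.altSecurityIdentities) {
                $strong = ($m -match '^X509:<I>.*<SR>') -or
                          ($m -match '^X509:<SKI>') -or
                          ($m -match '^X509:<SHA1-PUBKEY>')
                [pscustomobject]@{ User = $_.SamAccountName; Mapping = $m; Strong = $strong }
            }
        } | Where-Object { -not $_.Strong }
}

# Usage (the path and user name are placeholders to replace):
$CertPath = 'C:\certs\jsmith.cer'
$mapping  = Get-CertificateNameMapping -CertPath $CertPath -Mode IssuerAndSubject
$mapping   # e.g. X509:<I>DC=com,DC=contoso,CN=CONTOSO-CA<S>DC=com,DC=contoso,CN=Users,CN=jsmith
# Add-CertificateNameMapping -Identity jsmith -Mapping $mapping
# Get-WeakCertificateMappings | Format-Table -AutoSize
```

The DN reversal matters: the certificate UI and .NET show names leaf-first (CN first), while altSecurityIdentities expects the root-first order shown in the comment, so a value copied straight from the certificate's Subject field will not match. The audit function is the check a defender wants after using this dialog, because all three step-7 options produce name-based mappings rather than the serial-number or key-based forms.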

Additional considerations

  • To perform this procedure, you must be a member of either the Account Operators group, Domain Admins group, or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

  • The certificate that you are mapping to a user account must be in Distinguished Encoding Rules (DER) or Base64 encoded binary format.

  • Another way to open the Security Identity Mapping dialog box is to right-click a user account, and then click Name Mappings.
