Automating certificates mapping to User Account in AD

Tung Le 6 Reputation points
2022-10-19T07:42:45.277+00:00

Hi team,

I have question regarding mapping a certificate to a user account.
It's really difficult for me to do the manual steps. The scenario is as below:

  1. Clients get certificates automatically via IIS services. (it's done)
  2. The AD will create the user account with same name with certificate's name
  3. Mapping the certificate and the user name. The manual step as below:
    a. Open Active Directory Users and Computers/domain node/Users
    b. Right-click the user and click Name Mappings.
    c. In the Security Identity Mapping dialog box, on the X.509 Certificates tab, click Add.

Is it possible to write a script to automate the mapping process from step 2 -> 3? (vbs, powershell, cmd etc.)


2 answers

  1. Vadims Podāns 9,121 Reputation points MVP
    2022-10-19T08:04:15.143+00:00

    The step order is a little bit weird. It should be in this order:

    1. Create user account in AD
    2. Let the user log in to the web enrollment portal using AD account credentials
    3. Enroll for a user certificate (or another user template that builds the subject automatically and includes Client Authentication, for example the User template)
    4. Done.

    The most important is step 3: when you use a template that builds the subject from AD and includes the user UPN in the SAN extension, then your step 3 is unnecessary, because the client certificate is bound to a user account implicitly via UPN match.


  2. Tung Le 6 Reputation points
    2022-10-19T08:07:20.907+00:00

    Hi @Vadims Podāns

    Thanks for your quick response. I'm using a non-domain-joined computer and get the certificate via a SCEP proxy which uses IIS services to send the request to get certificates.
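Because the certificates here come from a SCEP proxy rather than an AD-integrated template, the implicit UPN match does not apply, and the manual Name Mappings step has to be replaced by writing the `altSecurityIdentities` attribute. The following PowerShell is an added example, not code from the question or either answer: it assumes the RSAT ActiveDirectory module, a placeholder drop folder of exported `.cer` files, and that each account's sAMAccountName equals the certificate's subject CN as the question describes. It writes only the strong mapping forms (SKI, or Issuer plus reversed serial) introduced with KB5014754, not the weak subject-only form, because a subject-only mapping matches any certificate with that subject from any trusted CA and is rejected once domain controllers are in full enforcement mode.

```powershell
# Added example (not from this thread): explicit, strong certificate-to-user mapping.
# Assumptions: RSAT ActiveDirectory module, C:\CertDrop is a placeholder folder of
# exported .cer files, and sAMAccountName == certificate subject CN.
Import-Module ActiveDirectory

function New-StrongCertMapping {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Prefer the Subject Key Identifier form: no dependence on issuer DN formatting.
    $ski = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] })
    if ($ski.Count -gt 0) {
        return "X509:<SKI>$($ski[0].SubjectKeyIdentifier)"
    }

    # Fallback: Issuer + Serial. The mapping expects the issuer RDNs in the reverse
    # of the order Windows displays them (DC=com,DC=contoso,CN=...) with no spaces,
    # and the serial in reversed byte order; GetSerialNumber() is already little-endian.
    $rdns = @($Cert.IssuerName.Format($true) -split "`r?`n" | Where-Object { $_ })
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','
    $serialReversed = ($Cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') }) -join ''
    return "X509:<I>$issuer<SR>$serialReversed"
}

# Map every dropped certificate to the account whose sAMAccountName matches its subject CN.
Get-ChildItem -Path 'C:\CertDrop' -Filter '*.cer' | ForEach-Object {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName)
    $cn   = $cert.GetNameInfo('SimpleName', $false)     # subject CN
    $user = Get-ADUser -Filter "sAMAccountName -eq '$cn'" -Properties altSecurityIdentities
    if (-not $user) { Write-Warning "No AD account named '$cn' for $($_.Name)"; return }

    $mapping = New-StrongCertMapping -Cert $cert
    if ($user.altSecurityIdentities -contains $mapping) { return }   # idempotent re-runs
    Set-ADUser -Identity $user -Add @{ altSecurityIdentities = $mapping }
    Write-Host "Mapped $($_.Name) -> $($user.SamAccountName): $mapping"
}
```

After the script runs, the value it wrote is visible on the X.509 Certificates tab of the same Name Mappings dialog the question describes, so it can be checked against a manually created entry before being scheduled.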
