Azure AD Certificate-Based Authentication - authentication binding policy for CAC cards

Yim, Sam 126 Reputation points
2022-08-17T17:29:23.793+00:00

I just got certificate-based authentication to work for CAC cards using the username binding. Currently I have no rules set up for certificates/policy OIDs for my authentication binding. My question is: is it necessary to add certificates/policy OIDs for CAC card authentication? If I leave it as is without any rules set up pertaining to certificates/policy OIDs, there shouldn't be a way for a user who isn't in our Windows Server AD or Azure AD to authenticate to the portal?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. JimmySalian-2011 41,916 Reputation points
    2022-08-17T21:00:26.243+00:00

    Hi Sam,

    Thank you for asking this question on the Microsoft Q&A Platform.

    AFAIK, the username binding policy helps locate the user in the tenant. By default, the Subject Alternate Name (SAN) Principal Name in the certificate is mapped to the onPremisesUserPrincipalName attribute of the user object to determine the user, so this should be sufficient. Do you have MFA enabled for enhanced security? This would add an additional level of security.

    As per Microsoft, support is for two certificate fields, SAN Principal Name and SAN RFC822Name, mapped against the user object attributes userPrincipalName and onPremisesUserPrincipalName.

    There is a detailed article and steps to verify this process - concept-certificate-based-authentication-technical-deep-dive

    ===
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
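As an added example (not part of this thread, and not Microsoft's own code), the script below shows what the username binding described in the answer actually works with: it reads the two SAN fields (Principal Name and RFC822Name) from an exported CAC authentication certificate, looks the user up the way the binding rules do against a small constructed user table, and lists the certificate policy OIDs present, which is what an authentication binding rule would be written against if the asker later decides to add one. The certificate path and the $Users table are placeholders; the .NET X509Certificate2 calls are standard, and the policy-extension text parsing relies on the Windows formatter.

```powershell
# Added example: inspect a CAC certificate the way Entra ID CBA username binding sees it.
# Assumptions (constructed for this example): the certificate file path and the $Users table.
param(
    # Placeholder: public part of the CAC authentication certificate, exported as .cer
    [string]$CertPath = '.\cac-auth.cer'
)

# Constructed sample directory. In the tenant these are the user object's
# userPrincipalName and onPremisesUserPrincipalName attributes.
$Users = @(
    [pscustomobject]@{
        DisplayName                 = 'Example User'
        userPrincipalName           = 'example.user@contoso.com'   # constructed
        onPremisesUserPrincipalName = '0000000000@mil'             # constructed
    }
)

function Get-CertBindingFields {
    param([string]$Path)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)

    # The two SAN fields the binding policy can use: otherName (UPN) and rfc822Name.
    $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]
    $sanUpn    = $cert.GetNameInfo($nameType::UpnName,   $false)
    $sanEmail  = $cert.GetNameInfo($nameType::EmailName, $false)

    # Certificate Policies extension (OID 2.5.29.32). A policy-OID binding rule
    # would be matched against the identifiers found here.
    $policyOids = @()
    $policyExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if ($policyExt) {
        # On Windows, Format() renders lines such as "Policy Identifier=<oid>"
        $policyOids = [regex]::Matches($policyExt.Format($true), 'Policy Identifier=([0-9.]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SanUpn     = $sanUpn
        SanEmail   = $sanEmail
        PolicyOids = $policyOids
    }
}

function Find-BoundUser {
    param([string]$SanUpn, [string]$SanEmail, [object[]]$Directory)
    # Rule 1 (the default the answer describes): SAN Principal Name -> onPremisesUserPrincipalName
    if ($SanUpn) {
        $hit = $Directory | Where-Object { $_.onPremisesUserPrincipalName -eq $SanUpn }
        if ($hit) { return [pscustomobject]@{ Rule = 'PrincipalName->onPremisesUserPrincipalName'; User = $hit } }
    }
    # Rule 2: SAN RFC822Name -> userPrincipalName
    if ($SanEmail) {
        $hit = $Directory | Where-Object { $_.userPrincipalName -eq $SanEmail }
        if ($hit) { return [pscustomobject]@{ Rule = 'RFC822Name->userPrincipalName'; User = $hit } }
    }
    # No user object matches: the sign-in cannot complete even if the chain is trusted.
    return $null
}

$fields = Get-CertBindingFields -Path $CertPath
$fields | Format-List

$bound = Find-BoundUser -SanUpn $fields.SanUpn -SanEmail $fields.SanEmail -Directory $Users
if ($bound) {
    "Bound to '$($bound.User.DisplayName)' via $($bound.Rule)"
} else {
    'No user object matches the SAN fields on this certificate; sign-in would fail at binding.'
}
```

Run it against an exported certificate from one of your CAC users and compare the SanUpn value with the user's onPremisesUserPrincipalName in the tenant; the PolicyOids list tells you which identifiers are available should you later want to restrict which certificate types are accepted.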