Partager via

HowTo: Map a user to a certificate via all the methods available in the altSecurityIdentities attribute

  • Article

Today I am going to talk a little bit about certificate mapping. This topic is somewhat related to my last post about disabling mapping, but you once you disable the UPN mapping what type of mapping is available to you?

The image below ( stolen from MSDN ) outlines the mapping of user accounts to smartcard logon. The easiest ( and most common) one to understand is the SAN to UPN mapping, where the SAN in the smartcard certificate matches a username’s UserPrincipalName in the AD.

I have noted in green – the ones which are correct and boxed the incorrect ones in red. Oddly enough in one place it says “Issue,Subject, and serial” and in the other it says “X509:<I><SR>” ( which is correct ) and not “X509:<I><S><SR>” ( which is incorrect ) .

clip_image002

The more complex, and less documented ( or documented incorrectly ) are as follows:

·

  • UPN ( self-explanatory unless the cert has this in it and you want to disable it – see my last post for more info on this )
  • Subject and Issuer fields
    • altSecurityIdentities: X509:<I>DC=local,DC=dod,CN=SpatDoD Root CA<S>CN=gman
  • Subject DN
    • altSecurityIdentities: X509:<S>CN=gman
  • Subject Key Identifier
    • altSecurityIdentities: X509:<SKI>ddde2ca4b86db8a908b95c6cbcc8bb1ac7a09a41
  • Issuer, and Serial Number
    • altSecurityIdentities: X509:<I>DC=local,DC=dod,CN=SpatDoD Root CA<SR>32000000000003bde810
  • SHA1 Hash
    • altSecurityIdentities: X509:<SHA1-PUKEY>ed913fa41377dbfb8eac2bc6fcae71ecd4a974fd
  • RFC822 name
    • altSecurityIdentities: X509:<RFC822>efedman@fedid.gov

The only one which is kind of tricky ( other than actually knowing the correct identifiers ) is the Serial number. Here is an example of a cert and serial:

clip_image004

When dealing with certificates there is a CERT_CONTEXT data structure which has the CERT_INFO structure which contains the information of a certificate. The specific field which is looked at is ‘SerialNumber’. MSDN describes serial number as follows:

SerialNumber

A BLOB that contains the serial number of a certificate. The least significant byte is the zero byte of the pbData member of SerialNumber. The index for the last byte of pbData, is one less than the value of the cbData member of SerialNumber. The most significant byte is the last byte of pbData. Leading 0x00 or 0xFF bytes are removed. For more information, see CertCompareIntegerBlob.

Note the text in red - this basically means that the last byte is the first byte returned – in other words, reversed. So the serial number as seen in the screen shot above 10e8bd03000000000032, will be read as 32000000000003bde810.

And this (32000000000003bde810 ) is what the code will be looking for, so this is what needs to be entered in the altSecID field.

Alrighty then – now that that’s all cleared up, on to other things.

Spat

Comments

  • Anonymous
    July 01, 2010
    NOTE: I removed the semicolons from the examples ( they are left in from the cut and paste from LDP.EXE -- they now reflect what needs to be manually inserted as the literal value for altSecID -- like "X509:<I>DC=local,DC=dod,CN=SpatDoD Root CA<S>CN=gman"

  • Anonymous
    November 17, 2010
    What does the "Client certificate does not need to meet NT_AUTH policy" notation in the flowchart mean? If the cert doesn't need to meet the NTAuth policy, what policy does it need to meet?

  • Anonymous
    December 29, 2010
    It means that the issuing CA of the cert does not need to be in the NTAuth store. See support.microsoft.com/.../295663 for more info on that store

  • Anonymous
    March 25, 2011
    The comment has been removed

  • Anonymous
    April 28, 2011
    To get the right SerialNumber of a certificate, you can use the command : certutil -dump -v myCert.cer X509 Certificate: Version: 3 Serial Number: 61157eee000000000011    11 00 00 00 00 00 ee 7e 15 61 Then you have your AltSecId : X509:<I>DC=com,DC=fabrikam,CN=fabrikam-FABRIKAMDC1-CA<SR>110000000000ee7e1561

  • Anonymous
    May 01, 2011
    Ahh thanks Gaubert - never noticed that certutil dumped that format

  • Anonymous
    November 05, 2013
    The comment has been removed

  • Anonymous
    October 22, 2014
    For those unable to see X509 hints even after following the above, make sure your smart card vendor doesn't install a credential provider that overrides the default one. Have a look under [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionAuthenticationCredential Providers, and make sure any related filters are removed. The cred provider can be disabled with  Disabled=1. Took me a bit to figger that out. J. Danno

  • Anonymous
    October 27, 2015
    Hi, On Windows 7 we would set the LastLoggedOnProvider value under the HKLMSOFTWAREMicrosoftWindowsCurrentVersionAuthenticationLogonUISessionData path to the smart card credential provider which is {8BF9A910-A8FF-457F-999F-A5CA10B4A885} on Windows 7. This would result in the smart card login being the default authentication method but still allow username/password login by clicking "Other Credentials". When we try to set LastLoggedOnProvider to {8FD7E19C-3BF7-489B-A72C-846AB3678C96} which is the new smart card credential provider value on Windows 10, it does not work.  We would like to default the credential provider to smart card instead of username/password.  We still want the username/password to be available so we don't want to completely exclude or disable the credential provider.  In Windows 7 this is relatively straightforward by using the LastLoggedOnProvider values but this does not appear to work for Windows 10.  We do not want to enable the function to remember the last logged on user account as this is prohibited by our security policy. Is there any way in Windows 10 to set the default credential provider for "Other User" to smart card instead of username/password?  Right now when the OS boots up, Other User is defaulted to a username/password login.  The user has to click on the Sign-in Options and then click the Smart Card icon in order to access the smart card login screen. Thanks Josh

  • Anonymous
    October 27, 2015
    Answered my own question here as it appears that there is a group policy in Windows 10 under Computer Configuration>Administrative Templates>System>Logon, and set the value in Assign a default credential provider to {8FD7E19C-3BF7-489B-A72C-846AB3678C96} which is the smart card provider. This does appear to make smart card the default logon provider at the Windows 10 "Other User" screen.  The user can still click sign-in options to switch to username/password if desired.  Hope this helps somebody else for Windows 10 at least.

  • Anonymous
    December 15, 2015
    The comment has been removed