Introduction
In Active Directory you can use certificate mapping to bind an identity to an X.509 certificate, which can then be used to authenticate against Microsoft services. From version 6.6.1 of vSEC:CMS it is possible to configure such a mapping by writing the user certificate details to the altSecurityIdentities attribute in Active Directory. Support for this feature is configured per card template: it must be enabled in each card template that is to use it.
If you are issuing from the Admin or Agent console it is important that the AD connection used by the particular template has write permissions. From Options – Connections ensure that you have configured a connection to AD with a credential that has the permissions needed to write to the altSecurityIdentities attribute. If the credential token is being issued through the vSEC:CMS User application, the Windows account that the vSEC:CMS service runs under will need write permissions on that AD attribute.
You need to have the Domain Controller (DC) configured to support this mechanism. Typically this is done by creating a DWORD value named UseSubjectAltName set to 0 (zero) under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc] on the DC; this disables implicit UPN mapping from the certificate's Subject Alternative Name, so the KDC relies on the explicit altSecurityIdentities mapping instead. Please consult with the IT team responsible for managing your DCs before making this change.
Configure
1. From Templates - Card Templates select an existing template and click Edit.
2. Click the link for Issue Card. In the Enroll Certificates section, when you add a certificate or edit an existing certificate in the table, enable the Update (altSecurityIdentities) check box for each certificate that needs to be mapped to the altSecurityIdentities attribute.
3. The altSecurityIdentities attribute is written at the life cycle state(s) you choose, so configure this for each life cycle state where it is required. For example, if you wish to write the data when the card is activated, select the Activate Card option and enable the Update {altSecurityIdentities} at AD option.
By default vSEC:CMS writes only the certificate issuer together with either the subject or the serial number to the altSecurityIdentities attribute (the AdAltSecFormat_Default row below). Since version 6.9 it is possible to choose one of the formats listed in the table below. For details on how to configure this in vSEC:CMS please email support@versasec.com.
| Define | Value | Encoding |
|---|---|---|
| AdAltSecFormat_Default | 0 | <I><S> or <I><SR> |
| AdAltSecFormat_SubjectOnly | 1 | <S> |
| AdAltSecFormat_KeyIdentifier | 2 | <SKI> |
| AdAltSecFormat_Serial | 3 | <I><SR> |
| AdAltSecFormat_IssuerSubject | 4 | <I><S> |
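The following added example (not vSEC:CMS code) shows what each format value in the table produces as an altSecurityIdentities string, using AD's conventions for that attribute: an X509: prefix, issuer and subject DNs written with the RDN order reversed, and the serial number byte-reversed for <SR>. It also flags which formats count as strong mappings under Microsoft's KB5014754 hardening, since <S> and <I><S> are treated as weak there. The certificate fields are constructed sample values.

```python
from enum import IntEnum

class AdAltSecFormat(IntEnum):
    """Values from the vSEC:CMS format table above."""
    DEFAULT = 0          # <I><S>, or <I><SR> when the subject is empty
    SUBJECT_ONLY = 1     # <S>
    KEY_IDENTIFIER = 2   # <SKI>
    SERIAL = 3           # <I><SR>
    ISSUER_SUBJECT = 4   # <I><S>

# Formats that stay usable as "strong" mappings after KB5014754 enforcement;
# <S> and <I><S> are classed as weak mappings by that update.
STRONG_FORMATS = {AdAltSecFormat.KEY_IDENTIFIER, AdAltSecFormat.SERIAL}

def ad_dn(dn: str) -> str:
    """Write a DN the way altSecurityIdentities expects: RDNs reversed, no
    spaces. Naive split on ','; escaped commas inside an RDN are not handled."""
    return ",".join(p.strip() for p in reversed(dn.split(",")))

def reversed_serial(serial_hex: str) -> str:
    """<SR> is the certificate serial number with its byte order reversed."""
    s = serial_hex.replace(":", "").replace(" ", "").upper()
    if len(s) % 2:
        s = "0" + s
    return "".join(s[i:i + 2] for i in range(len(s) - 2, -1, -2))

def resolve(fmt, subject: str) -> AdAltSecFormat:
    """DEFAULT means <I><S> when a subject is present, otherwise <I><SR>."""
    fmt = AdAltSecFormat(fmt)
    if fmt is AdAltSecFormat.DEFAULT:
        return AdAltSecFormat.ISSUER_SUBJECT if subject else AdAltSecFormat.SERIAL
    return fmt

def build_alt_sec_id(fmt, issuer, subject, serial_hex, ski_hex) -> str:
    """Return the altSecurityIdentities value for the given format."""
    fmt = resolve(fmt, subject)
    issuer_part = "<I>" + ad_dn(issuer)
    if fmt is AdAltSecFormat.SUBJECT_ONLY:
        body = "<S>" + ad_dn(subject)
    elif fmt is AdAltSecFormat.KEY_IDENTIFIER:
        body = "<SKI>" + ski_hex.replace(":", "").upper()
    elif fmt is AdAltSecFormat.SERIAL:
        body = issuer_part + "<SR>" + reversed_serial(serial_hex)
    else:  # ISSUER_SUBJECT
        body = issuer_part + "<S>" + ad_dn(subject)
    return "X509:" + body

def is_strong_mapping(fmt, subject: str = "") -> bool:
    return resolve(fmt, subject) in STRONG_FORMATS

# Constructed sample certificate fields, not taken from any real CA.
SAMPLE_ISSUER = "CN=CONTOSO-DC-CA, DC=contoso, DC=com"
SAMPLE_SUBJECT = "CN=Jane Doe, OU=Users, DC=contoso, DC=com"
SAMPLE_SERIAL = "2B0000000011AC0000000012"
SAMPLE_SKI = "1384d7c9b18cdaad02b0f98e3a3d8d0b04a4c9f1"
```

Run build_alt_sec_id with each value 0 to 4 against the sample fields to compare the strings vSEC:CMS would write, and is_strong_mapping to see which of them survive KB5014754 enforcement mode.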