Map One Certificate to Multiple Active Directory Accounts using altSecurityIdentities

Christopher Lemus - Versasec
Christopher Lemus - Versasec
  • Updated

Overview

This feature allows administrators to link a single certificate to multiple Active Directory accounts simultaneously. By automating the configuration of the altSecurityIdentities attribute at scale, it eliminates the need for tedious manual updates per user.

Before you begin

Verify that the following requirements are met:

  • vSEC:CMS version 7.4 or later is installed

Configure Roles and Certificates in the Template

  1. Enable the Multi-Role option in the credential template.

    2. Configure roles as needed in the Role(s) section.

    3. Add a certificate under Enroll certificates, and enable the option to update the altSecuritiesIdentities attribute. Click Ok.

    4. Click the altSecuritiesIdentities option and check the roles that will be sharing the attribute.

    Optional Role Configuration: If a secondary AD account might not exist for every single user receiving this credential, ensure you configure that specific role as Optional. This prevents the system from throwing an error and halting the issuance process if it cannot find the secondary account.

Configure Lifecycle Operations

To ensure the AD attribute remains accurate throughout the entire life of the smart card, you must enable the synchronization setting across all relevant template lifecycle stages.

  • Initiate
  • Activate
  • Inactivate
  • Revoke
  • Lock

Issuance and Validation

Once the template configuration is complete, you may proceed with issuing the credential. Upon successful activation, vSEC:CMS will display a prompt confirming that the altSecurityIdentities attribute has been successfully updated in Active Directory for all linked accounts.

Viewing the Linked Attributes in the Console

You can verify the applied attributes and associated roles for any active credential.

  1. Navigate to Repository > Credentials.
  2. Search for and open the credential in question.
  3. Review the credential details pane. You will see a clear breakdown displaying the applied altSecurityIdentities string alongside the specific AD roles (e.g., standard, admin) currently bound to that physical device.