HOW TO: Configure Active Directory Certificate Mapping (272175)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q272175

SUMMARY

This article describes how to configure Active Directory certificate mapping. Active Directory certificate mapping enables a user with a trusted public key to access directory resources without typing a user name and a password. Active Directory certificate mapping uses the following three components that are included in Windows 2000:

  • Internet Explorer 5.0
  • Internet Information Services (IIS) 5.0
  • Kerberos PKINIT extensions

Requirements

To configure Active Directory certificate mapping, you must have the following components:
  • Windows 2000 Active Directory.
  • A stand-alone certification authority (CA); it can be either a root CA or a subordinate CA.
  • A server certificate, issued by that stand-alone CA, installed on your Web server.
  • A user certificate, issued by that stand-alone CA, installed on the user's computer.

Enable the Active Directory Mapper in IIS 5.0

To enable the Active Directory mapper in IIS 5.0, follow these steps:
  1. Start the Internet Information Services snap-in, right-click the server that is hosting your Web site, and then click Properties.
  2. In the Master properties box, click WWW Service, and then click Edit.
  3. Click the Directory Security tab, and then click to select the Enable the Windows directory service mapper check box.
  4. Click OK to accept the changes.
  5. Click OK to close the server properties dialog box.

Enable Client Certificate Mapping on Your Web Site

To enable client certificate mapping on your Web site, follow these steps:
  1. Start the Internet Information Services snap-in, right-click the Web site that you want to configure to enable certificate mapping, and then click Properties.
  2. On the Directory Security tab, click Secure communications, and then click Edit.
  3. Click to select the Require secure channel (SSL) check box (the client certificate options are unavailable until you do), click Require client certificates in the Client certificates section, and then click to select the Enable client certificate mapping check box.
  4. Click OK to accept the changes.
  5. Click OK to close the Web site properties dialog box.

Map the Client Certificate to the Corresponding Active Directory User

To map the client certificate to the corresponding Active Directory user, follow these steps:
  1. Export the user's certificate using one of the following methods:
    • Method One

      1. Start the Certificates, Current User snap-in, and then double-click the Personal folder.
      2. Double-click the Certificates folder. A list is displayed that indicates the certificates that are stored in the user's store.
      3. Right-click the certificate that is used for Secure Sockets Layer (SSL) client authentication, point to All Tasks, and then click Export. The Certificate Export Wizard starts.
    • Method Two

      If you are running Internet Explorer 5.0 or later, follow these steps:

      1. On the Tools menu, click Internet Options.
      2. Click Content, click Certificates, and then click the Personal tab.
      3. Click the certificate that is used for SSL communications, and then click the Export button. A wizard is displayed that enables you to export the certificate.
    When you come to the end of the wizard, choose not to export the private key (the mapping needs only the public certificate), and save the certificate to a shared folder in DER encoded binary X.509 or Base64 encoded X.509 (.CER) format so that it can be mapped to the Active Directory user account.

    NOTE: For SSL client authentication, the certificate's Enhanced Key Usage must include Client Authentication (OID 1.3.6.1.5.5.7.3.2); a certificate issued only for other purposes cannot be used to log on.

  2. Start the Active Directory Users and Computers snap-in, click your domain, and then, on the View menu, click Advanced Features. (The Name Mappings command is shown only when advanced features are displayed.)
  3. Open the Users container or the organizational unit where the user account resides, right-click the user account, and then click Name Mappings.
  4. Click Add to link the user's certificate to the Active Directory user account.
  5. Click the public folder where the user certificate was saved, click the user's certificate, and then click Open.
  6. Click to select the Use Subject for alternate security identity check box, and leave Use Issuer for alternate security identity selected. If Use Subject is cleared, the mapping is issuer-only and every certificate issued by that CA maps to this account (a one-to-many mapping); with both selected, only a certificate with this certificate's issuer and subject maps to the account.
  7. Click OK to accept the mapped certificate.
  8. Click OK to close the Security Identity Mapping dialog box.
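The mapping that steps 2 through 8 create is stored in the user object's altSecurityIdentities attribute as a string of the form X509:<I>issuer<S>subject, with each distinguished name written root component first (the reverse of the order in which Windows displays a subject) and no spaces after the commas. The following Python example is added here and is not part of this article or of Windows: it models that string, shows the difference between an issuer-plus-subject mapping and the issuer-only mapping that results when Use Subject is cleared, and lists which accounts a presented certificate satisfies. The CA, user names and directory contents are constructed, and the matching is a simplified model rather than the Windows mapper's exact precedence rules.

```python
"""Added example, not part of KB 272175: a stdlib-only model of what the
Name Mappings dialog writes into a user's altSecurityIdentities attribute
and how an issuer+subject mapping differs from an issuer-only mapping.
All DNs, account names and directory contents below are constructed."""

from typing import Dict, List, Optional


def split_rdns(dn: str) -> List[str]:
    """Split a comma-separated DN into RDN strings, honouring backslash
    escapes (so 'O=Contoso\\, Inc.' stays one RDN) and trimming the spaces
    that Windows and OpenSSL print after each comma."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def to_alt_sec_id_form(display_dn: str) -> str:
    """Convert a DN as Windows displays it (most specific RDN first,
    'CN=Alice, O=Contoso, C=US') into the form stored in
    altSecurityIdentities: root RDN first, no spaces after commas."""
    return ",".join(reversed(split_rdns(display_dn)))


def build_mapping(issuer_dn: str, subject_dn: Optional[str] = None) -> str:
    """Return the altSecurityIdentities value the Name Mappings dialog
    produces. With both 'Use Issuer' and 'Use Subject' selected the value
    carries <I> and <S>; with 'Use Subject' cleared it carries only <I>."""
    value = "X509:<I>" + to_alt_sec_id_form(issuer_dn)
    if subject_dn is not None:
        value += "<S>" + to_alt_sec_id_form(subject_dn)
    return value


def mapping_matches(mapping: str, issuer_dn: str, subject_dn: str) -> bool:
    """Does a presented certificate (issuer and subject as displayed)
    satisfy a stored mapping? An issuer-only mapping is satisfied by every
    certificate from that issuer, whatever the subject says."""
    if not mapping.startswith("X509:<I>"):
        return False
    body = mapping[len("X509:<I>"):]
    issuer_part, sep, subject_part = body.partition("<S>")
    if issuer_part != to_alt_sec_id_form(issuer_dn):
        return False
    return not sep or subject_part == to_alt_sec_id_form(subject_dn)


def resolve_accounts(directory: Dict[str, List[str]],
                     issuer_dn: str, subject_dn: str) -> List[str]:
    """List every account whose altSecurityIdentities is satisfied by the
    presented certificate (simplified model: no precedence between
    issuer-only and issuer+subject mappings is applied)."""
    return [account for account, mappings in directory.items()
            if any(mapping_matches(m, issuer_dn, subject_dn) for m in mappings)]


# Constructed sample data (hypothetical CA and users).
CA_DN = "CN=Contoso Standalone CA, O=Contoso, C=US"
OTHER_CA_DN = "CN=Fabrikam CA, O=Fabrikam, C=US"
ALICE_DN = "CN=Alice, OU=Sales, O=Contoso, C=US"
BOB_DN = "CN=Bob, OU=Sales, O=Contoso, C=US"

# alice mapped with both check boxes selected (issuer + subject).
STRICT_DIRECTORY = {"alice": [build_mapping(CA_DN, ALICE_DN)]}

# Same, plus a service account mapped with 'Use Subject' cleared: any
# certificate from the Contoso CA now also satisfies svc-kiosk's mapping.
LOOSE_DIRECTORY = dict(STRICT_DIRECTORY, **{"svc-kiosk": [build_mapping(CA_DN)]})


if __name__ == "__main__":
    print(build_mapping(CA_DN, ALICE_DN))
    print("Bob, strict:", resolve_accounts(STRICT_DIRECTORY, CA_DN, BOB_DN))
    print("Bob, loose: ", resolve_accounts(LOOSE_DIRECTORY, CA_DN, BOB_DN))
    print("Alice, loose:", resolve_accounts(LOOSE_DIRECTORY, CA_DN, ALICE_DN))
```

In the strict directory, Bob's certificate matches no account because only Alice's subject is mapped; in the loose directory it logs him on as svc-kiosk, and Alice's certificate now satisfies two accounts. That is the practical reason to keep Use Subject selected in step 6 unless a one-to-many mapping is deliberately wanted.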

Modification Type: Minor
Last Reviewed: 1/26/2006
Keywords: kbenv kbhowto kbHOWTOmaster KB272175 kbAudITPro