
A Guide To Client Certificate Mapping In Active Directory

Key Points
  • Microsoft implements certificate mapping in AD by tying a client's AD identity to a digital certificate so that the client can use Microsoft applications. However, this is limited to AD authentication only.
  • Microsoft also provides IIS Client Certificate Mapping, which allows one-to-one and many-to-one client mapping but lacks a configuration UI, so it must be set up programmatically.
  • SecureW2's Cloud RADIUS and its Dynamic Policy Engine enable real-time policy enforcement during authentication.
  • Cloud RADIUS integrates with major cloud identity providers, enabling easy certificate-based authentication for users and devices in Windows, iOS, and Google environments.

Certificate mapping, in a general sense, refers to the tying of an identity to an X.509 digital certificate. In practice, the term is mostly used in the context of Microsoft’s “client certificate mapping” feature, wherein a client’s Active Directory identity is mapped to a certificate that can then be used to log in to Microsoft services.

The important thing to understand about Microsoft’s certificate mapping is that it is a very limited application of certificate-based authentication. The certificate is only used to authenticate to Active Directory, so if an otherwise valid certificate is presented but there is no associated client in AD, authentication fails.

To clarify, here is an overview of the difference between the Windows authentication flow and a more typical certificate authentication flow.

Authentication Flow for Windows/Active Directory Certificate Authentication

  1. Ask user for certificate or user account name
  2. Look up user in Active Directory
  3. Check that the user account is in good standing (not disabled, locked out, etc.)
  4. Ask user for certificate and proof of private key possession
  5. User provides both
  6. Pass both to an Active Directory Domain Controller to perform user logon
  7. Domain Controller approves and returns a user logon session
  8. Optional: Extract user details from the logon session
  9. Successful logon

Authentication Flow for Standard Certificate Authentication

  1. Ask user for certificate and proof of private key possession
  2. User provides both
  3. Optional: Extract user details from the certificate
  4. Optional: Use a third-party identity provider to check the user account (“account lookup”)
  5. Optional: Apply policies based on information returned from identity provider
  6. Successful logon

The difference between the two flows is clear: Microsoft’s implementation merely layers certificate authentication on top of its (antiquated) AD logon rather than taking advantage of the superior security and speed of certificate authentication.
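As an added example that is not part of the original article, the following Go program (standard library only) models the two flows above side by side. It issues certificates from a constructed, throwaway CA, and the directory is an in-memory map standing in for AD or any other identity provider; every name and e-mail address in it is made up. AuthenticateMapped refuses a perfectly valid certificate whose identity has no directory account, which is the behaviour described for Microsoft's mapping, while AuthenticateStandard accepts any certificate that chains to the trusted CA and uses the directory lookup only to refine policy. Proof of private-key possession is the job of the TLS/EAP handshake and is assumed to have succeeded before either function runs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Account is a constructed stand-in for a directory record (AD or any IdP); the directory
// map is keyed by the identity the certificate carries (the SAN e-mail address here).
type Account struct {
	Enabled bool
	Policy  string // network policy the directory wants applied to this account
}

// Decision records the outcome of one authentication attempt.
type Decision struct {
	Allowed                  bool
	Identity, Reason, Policy string
}

func must[T any](v T, err error) T { // fixture helper: an issuance error aborts the example
	if err != nil {
		panic(err)
	}
	return v
}

// sign fills in a one-day validity period and signs tmpl with signer on behalf of parent.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// NewCA self-signs a throwaway issuing CA (constructed, not a real trust anchor) and returns it with a pool trusting only that CA.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, Subject: pkix.Name{CommonName: "Constructed Issuing CA"}, KeyUsage: x509.KeyUsageCertSign}
	cert := sign(tmpl, tmpl, &key.PublicKey, key)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return cert, key, pool
}

// Issue mints a client-auth certificate carrying a Subject CN and a SAN e-mail, the fields a RADIUS
// server or IdP maps to an account. The client key is discarded: possession is proven in the TLS/EAP handshake.
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, cn, email string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return sign(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		EmailAddresses: []string{email}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, caCert, &key.PublicKey, caKey)
}

// verify checks the chain to a trusted CA, the validity period and the client-auth EKU.
func verify(cert *x509.Certificate, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// identityFrom reads the account identifier out of the certificate itself: SAN e-mail, else Subject CN.
func identityFrom(cert *x509.Certificate) string {
	if len(cert.EmailAddresses) > 0 {
		return cert.EmailAddresses[0]
	}
	return cert.Subject.CommonName
}

// AuthenticateMapped follows the AD-style flow: the account is looked up and checked before
// the certificate is examined, so a valid certificate with no mapped account is refused.
func AuthenticateMapped(cert *x509.Certificate, roots *x509.CertPool, dir map[string]Account) Decision {
	id := identityFrom(cert)
	if acct, ok := dir[id]; !ok || !acct.Enabled {
		return Decision{Identity: id, Reason: "no enabled directory account is mapped to this certificate"}
	}
	if err := verify(cert, roots); err != nil {
		return Decision{Identity: id, Reason: "certificate rejected: " + err.Error()}
	}
	return Decision{Allowed: true, Identity: id, Reason: "directory logon succeeded"}
}

// AuthenticateStandard follows the standard flow: a valid certificate is sufficient on its own; the
// lookup is optional and only refines policy (treating a disabled account as a deny is one such policy).
func AuthenticateStandard(cert *x509.Certificate, roots *x509.CertPool, dir map[string]Account) Decision {
	if err := verify(cert, roots); err != nil {
		return Decision{Reason: "certificate rejected: " + err.Error()}
	}
	id := identityFrom(cert)
	d := Decision{Allowed: true, Identity: id, Reason: "certificate valid", Policy: "default-access"}
	if acct, ok := dir[id]; ok && !acct.Enabled { // optional account lookup against the identity provider
		return Decision{Identity: id, Reason: "account disabled at lookup"}
	} else if ok {
		d.Policy = acct.Policy
	}
	return d
}
```

Using the SAN e-mail address as the mapped identity is a choice made for this example; Microsoft's own mapping normally keys on the user principal name carried in a SAN otherName, which Go's standard library does not decode into a named field. A certificate from an untrusted issuer is rejected by both functions, so the difference between the flows shows only for a trusted certificate whose identity the directory does not know.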

Client Certificate Mapping without Active Directory

To its credit, Microsoft offers an alternative that is more in line with what we all expect from certificate authentication: IIS Client Certificate Mapping. It supports one-to-one client certificate mapping and many-to-one mapping (multiple certificates mapped to the same client), as well as the ability to configure a custom directory of your own.

It’s not exactly a huge upgrade: the feature isn’t installed by default, so you’ll need to add it first. There’s also no user interface for configuring IIS Client Certificate Mapping authentication in IIS 7, so you’ll have to configure it in code yourself.

Enhanced Client Certificate Mapping Features

If both of those options sound like a lot of hassle to you – you’re not alone.

The lack of meaningful support from Microsoft, even decades after the X.509 certificate standard was developed, is a large part of the reason for the slow adoption of a clearly superior authentication technology. The sheer ubiquity of AD environments, and their native indifference towards certificates, has steered the industry toward the much more accessible (and much more vulnerable) PEAP-MSCHAPv2.

And, honestly, that’s a shame. Digital certificates can be used for all manner of authentication and security needs: from desktop, Wi-Fi, and VPN login to federating directories and enabling passwordless authentication.

SecureW2’s Cloud RADIUS enables organizations to have their (certificate) cake and eat it too. Rather than Microsoft’s paradigm of tying a certificate to a client for the express purpose of logging into AD, we typically issue certificates to a user on a specific device (without restrictions on what it can authenticate to).

It might sound like semantics, but the practical differences are enormous. This approach allows for more granular network control and monitoring, high-certainty identity management, and a more intuitive certificate management experience.

Combined with our innovative Dynamic Policy Engine, SecureW2’s Cloud RADIUS can perform account or user lookup at the moment of authentication. Adding that step to your traditional certificate authentication flow enables real-time policy enforcement at a certificate and directory level – and our product is compatible with every cloud identity provider, not just Active Directory.

If you want to fortify your network security with certificates, you’ll appreciate our robust certificate management solution. We have affordable options for organizations of every size. Click here to see our pricing.


Learn about this author

Patrick Grubbs

Patrick is an experienced SEO specialist at SecureW2 who also enjoys running, hiking, and reading. With a degree in Biology from College of William & Mary, he got his start in digital content by writing about his ever-expanding collection of succulents and cacti.
