KB24522 - How to restrict user certificate authentication to Active Directory users only

Information

Last Modified Date: 11/23/2015 10:01 PM
Synopsis
This article provides information on how to restrict user certificate authentication to only Active Directory users.
Problem or Goal
  • The certificate is configured as the primary authentication server and Active Directory as the secondary authentication server.
  • When User A selects certificate A and types User B's user name and password, User A is granted access.
  • Similarly, when User B selects their own certificate and types User A's user name and password, User B is granted access.
  • This article describes how to restrict User A's certificate so that it can be used only with User A's domain credentials.
Cause
Solution
Every user certificate carries the subject name in its CN attribute. For example, in the subject CN = John D, CN = Users, DC = train, DC = local, the CN is John D. Refer to the following image:

The same CN attribute is present on the user's entry in LDAP. You can therefore configure an LDAP authentication server that points to Active Directory and set its filter for finding the user entry to CN=<USER>, as shown in the following image:

Next, open the realm that is configured for certificate authentication, set the LDAP server as its secondary authentication server, and set the secondary user name to be predefined as <certattr.cn>, so that the CN taken from the presented certificate is used as the LDAP user name, as shown in the following image:

When you access the sign-in URL, the Choose a digital certificate window is displayed:

Subsequently, the LDAP password window is displayed:

After typing the password for the account whose CN matches the certificate, you are granted access.
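The following is an added model of the binding described above, not code from the KB or from the product. It keeps a constructed two-user directory and contrasts the original realm (user types any secondary user name; modelled here, as an assumption, as an sAMAccountName lookup) with the fixed realm (secondary user name predefined as <certattr.cn>, LDAP user-entry filter CN=<USER>).

```python
# Constructed sample directory for this example: DN -> (cn, sAMAccountName, password)
DIRECTORY = {
    "CN=John D,CN=Users,DC=train,DC=local": ("John D", "john", "pw-john"),
    "CN=Jane R,CN=Users,DC=train,DC=local": ("Jane R", "jane", "pw-jane"),
}
ATTR_INDEX = {"cn": 0, "samaccountname": 1}


def find_user_entry(filter_template, user):
    """Resolve the user's DN with the auth server's 'filter for finding the
    user entry', e.g. 'CN=<USER>' from the KB or 'sAMAccountName=<USER>'."""
    attr, _, wanted = filter_template.replace("<USER>", user).partition("=")
    idx = ATTR_INDEX[attr.lower()]
    matches = [dn for dn, entry in DIRECTORY.items() if entry[idx] == wanted]
    return matches[0] if len(matches) == 1 else None  # require a unique hit


def ldap_bind(filter_template, username, password):
    """Secondary authentication: locate the entry, then check the password."""
    dn = find_user_entry(filter_template, username)
    return dn is not None and DIRECTORY[dn][2] == password


def login_original(cert_cn, typed_user, password):
    """Original setup from the KB: the user types the secondary user name,
    so nothing ties it to the certificate that was presented (assumed
    sAMAccountName lookup; the certificate CN is not consulted at all)."""
    return ldap_bind("sAMAccountName=<USER>", typed_user, password)


def login_fixed(cert_cn, password):
    """Fixed setup: the secondary user name is predefined as <certattr.cn>
    and the LDAP server finds the entry with CN=<USER>, so the password
    must belong to the directory entry whose CN equals the certificate CN."""
    return ldap_bind("CN=<USER>", cert_cn, password)


if __name__ == "__main__":
    # Certificate A plus User B's password: accepted before, rejected after.
    print(login_original("John D", "jane", "pw-jane"))  # True
    print(login_fixed("John D", "pw-jane"))              # False
    print(login_fixed("John D", "pw-john"))              # True
```

Because the lookup is by CN alone, a certificate whose CN does not exactly match the user's directory CN, or a CN shared by more than one entry in the search base, will fail the secondary step; check both before rolling the filter out.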

Excerpt from the Policy trace:
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Variable userDNText@John LDAP = "CN=John D,CN=Users,DC=train,DC=local"
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Variable userAttr@John LDAP.cn = "John D"
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Variable userAttr@John LDAP.sAMAccountName = "john"
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Mapped to roles John by rule 'certAttr.cn = '*''
info - [10.130.35.244] - Root::John D (John)[] - 2011/08/13 05:05:04 - Realm John mapped user John D to roles John
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Role restrictions successfully passed for roles: John
info - [10.130.35.244] - Root::john d(John)[John] - 2011/08/13 05:05:04 - Sign-in successful, creating session
info - [10.130.35.244] - Root::John D(John)[John] - 2011/08/13 05:05:04 - Session created, redirecting user to start page. Sign-in done.
Created By: Data Deployment