This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}], defined in [RFC 4681], defines a [TLS extension] and a payload for the SupplementalData handshake message (itself defined in [RFC 4680] [N6]) to accommodate mapping of users to their user accounts when [TLS] client authentication is used as the authentication method.
The new [TLS extension] (user_mapping) is sent in the [clientHello] message. Per the convention defined in [RFC 4366] [N4], the server places the same extension (user_mapping) in the [serverHello] message to inform the client that the server understands this extension. If the server does not understand the extension, it will respond with a [serverHello] omitting this extension; the client will then proceed as normal, ignoring the extension, and will not include the UserMappingDataList data in the TLS handshake.
If the new extension is understood, the client will inject UserMappingDataList data in the SupplementalData handshake message prior to the Client's [CertificateRequest] message. The server will then parse this message, extracting the client's domain, and store it in the context for use when mapping the certificate to the user's directory account.
No other modifications to [TLS] are required. The messages are detailed in the sections of [RFC 4681].
!! 6. UPN Domain Hint (Informative) From [RFC 4681] Section 6
The [{$pagename}] specification provides an informative description of one user mapping hint type for Domain Name hints and [User Principal Name] hints. Other hint types may be defined in other documents in the future.
The [User Principal Name] (UPN) in this hint type represents a name that specifies a user's entry in a directory in the form userName@domainName. Traditionally, [Microsoft] has relied on such a name form being present in the client [certificate] when logging on to a domain account. However, this has several drawbacks, since it prevents the use of certificates with an absent UPN and also requires re-issuance of certificates, or issuance of multiple certificates, to reflect account changes or the creation of new accounts. The [{$pagename}], in combination with the defined hint type, provides a significant improvement to this situation, as it allows a single certificate to be mapped to one or more accounts of the user and does not require the certificate to contain a proprietary UPN.
The domain_name field MAY be used when only domain information is needed, e.g., where a user has accounts in multiple domains using the same user name, and that user name is known from another source (e.g., from the client certificate). When the user name is also needed, the user_principal_name field MAY be used to indicate both user name and domain name. If both fields are present, the server can make use of whichever one it chooses.
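As an added example (not code from the page or from the RFC), the following Python encodes and parses the UpnDomainHint carried inside a UserMappingDataList, using the UserMappingType value upn_domain_hint(64) from RFC 4681; every length prefix is checked before use, and hint types the server did not agree to are skipped, which is this example's policy choice rather than text from the page:

```python
import struct

UPN_DOMAIN_HINT = 64  # UserMappingType upn_domain_hint(64) from RFC 4681

def encode_upn_domain_hint(upn: bytes, domain: bytes) -> bytes:
    """UpnDomainHint: opaque user_principal_name<0..2^16-1>, opaque domain_name<0..2^16-1>."""
    return struct.pack("!H", len(upn)) + upn + struct.pack("!H", len(domain)) + domain

def decode_upn_domain_hint(data: bytes):
    """Parse UpnDomainHint; a short or oversized field length raises instead of over-reading."""
    pos, fields = 0, []
    for _ in range(2):
        if pos + 2 > len(data):
            raise ValueError("truncated UpnDomainHint length")
        (n,) = struct.unpack_from("!H", data, pos)
        pos += 2
        if pos + n > len(data):
            raise ValueError("truncated UpnDomainHint field")
        fields.append(data[pos:pos + n])
        pos += n
    if pos != len(data):
        raise ValueError("trailing bytes in UpnDomainHint")
    return fields[0], fields[1]

def encode_user_mapping_data_list(hints) -> bytes:
    """UserMappingDataList: uint16 length, then UserMappingData {type, uint16 len, data} entries."""
    body = b"".join(struct.pack("!BH", UPN_DOMAIN_HINT, len(d)) + d
                    for d in (encode_upn_domain_hint(u, dom) for u, dom in hints))
    return struct.pack("!H", len(body)) + body

def decode_user_mapping_data_list(buf: bytes, agreed_types=(UPN_DOMAIN_HINT,)):
    """Return (upn, domain) pairs; skip types not agreed in ServerHello, reject bad lengths."""
    if len(buf) < 2:
        raise ValueError("truncated UserMappingDataList")
    (total,) = struct.unpack_from("!H", buf, 0)
    if total != len(buf) - 2:
        raise ValueError("UserMappingDataList length does not match payload")
    pos, hints = 2, []
    while pos < len(buf):
        if pos + 3 > len(buf):
            raise ValueError("truncated UserMappingData header")
        mtype, mlen = struct.unpack_from("!BH", buf, pos)
        pos += 3
        data = buf[pos:pos + mlen]
        if len(data) != mlen:
            raise ValueError("truncated UserMappingData body")
        pos += mlen
        if mtype == UPN_DOMAIN_HINT and mtype in agreed_types:
            hints.append(decode_upn_domain_hint(data))
    return hints
```

The returned pair is only a hint: as the overview above describes, the server still has to map the authenticated client certificate to the named account rather than trusting the hint on its own.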
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]