Overview

The TLS User Mapping Extension, defined in RFC 4681, defines a TLS extension and a payload for the SupplementalData handshake message (defined in RFC 4680) to accommodate mapping of users to their user accounts when TLS client authentication is used as the authentication method.
The new TLS extension (user_mapping) is sent in the ClientHello message. Per the convention defined in RFC 4366, the server places the same extension (user_mapping) in the ServerHello message to inform the client that it understands this extension. If the server does not understand the extension, it responds with a ServerHello that omits the extension; the client then proceeds as normal, ignores the extension, and does not include the UserMappingDataList data in the TLS handshake.
If the new extension is understood, the client injects UserMappingDataList data in the SupplementalData handshake message prior to the Client's CertificateRequest message. The server then parses this message, extracts the client's domain, and stores it in the context for use when mapping the certificate to the user's directory account.

User Principal Name hints

Other hint types may be defined in other documents in the future.
The User Principal Name (UPN) in this hint type represents a name that specifies a user's entry in a directory, in the form userName@domainName. Traditionally, Microsoft has relied on such a name form being present in the client certificate when logging on to a domain account. This has several drawbacks: it prevents the use of certificates that lack a UPN, and it requires re-issuance of certificates, or issuance of multiple certificates, to reflect account changes or the creation of new accounts. The TLS User Mapping Extension, in combination with the defined hint type, significantly improves this situation: it allows a single certificate to be mapped to one or more of the user's accounts and does not require the certificate to contain a proprietary UPN.
The domain_name field MAY be used when only domain information is needed, e.g., where a user has accounts in multiple domains under the same user name and that user name is known from another source (e.g., from the client certificate). When the user name is also needed, the user_principal_name field MAY be used to indicate both the user name and the domain name. If both fields are present, the server can make use of whichever one it chooses.
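The UserMappingDataList payload described above, and the two hint fields just discussed, as an added example that is not code from the original page or from any TLS implementation: a minimal encoder for the client side and a bounds-checked decoder for the server side. The UserMappingType value 64 for the UPN/domain hint and the 16-bit length-prefixed vector layout are taken from RFC 4681 as I recall it; verify them against the RFC before relying on them.

```python
import struct

UPN_DOMAIN_HINT = 64  # UserMappingType upn_domain_hint (RFC 4681 value, assumed here)


def encode_upn_domain_hint(upn: str, domain: str) -> bytes:
    """One UserMappingData of type upn_domain_hint: the type byte followed by
    two opaque<0..2^16-1> vectors, user_principal_name then domain_name.
    Either string may be empty when only the other field is supplied."""
    u, d = upn.encode("utf-8"), domain.encode("utf-8")
    return (bytes([UPN_DOMAIN_HINT]) + struct.pack("!H", len(u)) + u
            + struct.pack("!H", len(d)) + d)


def encode_user_mapping_data_list(hints) -> bytes:
    """UserMappingDataList: a <2..2^16-1> vector of UserMappingData items."""
    body = b"".join(encode_upn_domain_hint(u, d) for u, d in hints)
    return struct.pack("!H", len(body)) + body


def _vec16(data: bytes, off: int):
    """Read one 16-bit-length-prefixed vector, refusing to run past the buffer."""
    if off + 2 > len(data):
        raise ValueError("truncated vector length")
    n = struct.unpack_from("!H", data, off)[0]
    off += 2
    if off + n > len(data):
        raise ValueError("vector length exceeds remaining data")
    return data[off:off + n], off + n


def decode_user_mapping_data_list(buf: bytes):
    """Server-side parse of the SupplementalData payload into (upn, domain)
    pairs. Every length is bounds-checked, and the result is only a hint for
    the directory lookup; it never replaces validation of the certificate."""
    body, end = _vec16(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after UserMappingDataList")
    if len(body) < 2:
        raise ValueError("UserMappingDataList below minimum length")
    hints, off = [], 0
    while off < len(body):
        mtype, off = body[off], off + 1
        if mtype != UPN_DOMAIN_HINT:
            # The select() has no default arm, so an unknown type has no known
            # length and nothing after it can be parsed.
            raise ValueError("unknown UserMappingType %d" % mtype)
        u, off = _vec16(body, off)
        d, off = _vec16(body, off)
        hints.append((u.decode("utf-8"), d.decode("utf-8")))
    return hints
```

A server that accepts this payload should treat the decoded pairs purely as a lookup hint and still bind the chosen account to the validated client certificate, since the hint itself is unauthenticated data sent before the Certificate message.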