Today I am going to talk a little bit about certificate mapping. This topic is somewhat related to my last post about disabling mapping, but once you disable UPN mapping, what type of mapping is available to you? The image below (stolen from MSDN) outlines how user accounts are mapped for smartcard logon.
By Mark Walla. Article from the May 2000 issue of Windows 2000 Advantage magazine. Although this article is billed as a primer to Kerberos authentication, it is a highly technical review. Kerberos is an integral part of Windows 2000 Active Directory implementations, and anyone planning to deploy and maintain a Windows 2000 enterprise must have a working knowledge of the principles and administrative issues involved in this front-line security technology. Since many other operating system vendors are also adopting this MIT-developed authentication protocol, Kerberos Version 5 will increasingly become a centerpiece of enterprise-level interoperability.
NB. In an effort to make this page load faster I am breaking this blog post up into parts; this is Part 1.
Part 2: Configuring Service Applications, Sites, and Verifying our Work
Part 3: Configuring and Executing Search, Using Web Parts and Communicating Securely across Web Applications with Kerberos
Synopsis:
Determine the application pool account that will be responsible for authenticating users. Follow the steps below to be absolutely sure of the account running the site that will support Kerberos authentication.
1. If SharePoint has already been configured, verify that your application pool account is in fact the identity of the IIS application pool that serves the website where Kerberos is enabled.
2. Open the web application that will support Kerberos and make a note of the application pool that serves it. You may have more than one web application for the same content (for example one for http and one for https), so take care to identify the exact web application.
3. Make a note of the account that is the identity of this application pool. Later this account must be trusted for "Delegation".
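The three steps above can be checked from the SharePoint server instead of by clicking through IIS Manager. The following is an added example, not code from the original post. It assumes IIS 7 or later (the WebAdministration module), the ActiveDirectory RSAT module installed on the server, and a placeholder service account name; substitute the identity reported in the first table.

```powershell
# Added example, not from the original post. Assumes IIS 7+ (WebAdministration module),
# the ActiveDirectory RSAT module, and a placeholder account name (CONTOSO\svc-sp-content).
Import-Module WebAdministration
Import-Module ActiveDirectory

# Step 1 and 2: list every IIS site with its bindings, its application pool and the
# identity that pool runs as. The bindings let you tell the http and https web
# applications for the same content apart before you pick the one with Kerberos enabled.
Get-Website | ForEach-Object {
    $site = $_
    $pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"
    $bindings = (Get-WebBinding -Name $site.Name |
        ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }) -join '; '
    [pscustomobject]@{
        Site     = $site.Name
        Bindings = $bindings
        AppPool  = $site.applicationPool
        # Built-in identities (ApplicationPoolIdentity, NetworkService, ...) have no userName,
        # so report the identity type instead.
        Identity = $(if ($pool.processModel.identityType -eq 'SpecificUser') {
                        $pool.processModel.userName
                    } else {
                        $pool.processModel.identityType
                    })
    }
} | Format-Table -AutoSize

# Step 3: for the identity of the Kerberos-enabled site, read its delegation settings
# and registered SPNs from Active Directory.
$identity = 'CONTOSO\svc-sp-content'          # placeholder: copy the Identity value from the table
$sam = ($identity -split '\\')[-1]            # strip the domain prefix to get the sAMAccountName
$acct = Get-ADUser -Identity $sam -Properties TrustedForDelegation, TrustedToAuthForDelegation,
    'msDS-AllowedToDelegateTo', ServicePrincipalNames

$acct | Select-Object SamAccountName,
    TrustedForDelegation,            # True = unconstrained delegation ("Trust this user for delegation to any service")
    TrustedToAuthForDelegation,      # True = protocol transition enabled ("Use any authentication protocol")
    @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } },  # constrained delegation targets
    @{ n = 'SPNs';                e = { $_.ServicePrincipalNames -join '; ' } } | Format-List
```

If TrustedForDelegation is False and AllowedToDelegateTo is empty, the account is not yet trusted for delegation and the steps later in this post still have to be applied. When you do enable it, constrained delegation (populating msDS-AllowedToDelegateTo with only the back-end services the site needs) is the least-privilege choice; unconstrained delegation lets a compromised application pool impersonate users to any service in the forest.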
(UPDATED on 04/06/07 as per feedback from two different subscribers (thank you). Updates in italic.) (UPDATED on 20/08/07: My colleague James World has just published an excellent article which is a kind of follow-up to this one.)
Hi, Rob here. I am a Support Escalation Engineer in Directory Services out of Charlotte, NC, USA. We work on a lot of Kerberos authentication failure issues. Since Kerberos is typically the first authentication method attempted, it ends up having authentication failures more often. One of the great things about Windows is that the product seems to just work without much customization needed by the customer.