My question: Is there a better way to enable authentication between 2 domains than what I'm doing below, and is Name Mapping the right thing to use?


There are 2 domains; one is the primary corporate domain, the second is a smaller subdomain.

The corporate domain has accounts for every user in the company, and generates an email certificate (that supports client authentication). The subdomain can have no trust established with the corporate domain; and users at the subdomain have 2 logins: one for the corporate domain, and one for the subdomain.

The small subdomain hosts a website that requires a user name and password. We want to use smart cards with the email certs on them, so login to either domain is transparent to the user.

I began to manually create Name Mappings for the subdomain to the email certificate issued by the corporate domain, but the only way I know how to get these certificates is by having users send me a signed email, and then exporting the certificate to a file.

The process looks like this:

  1. User sends me a signed email.
  2. I download the user's certificate from the signed email and save it to a file.
  3. Run a script I created which reads the certificate, finds the user by email address in AD, and creates a name mapping between the user and that certificate.

So now users can authenticate to the site, which looks for their credentials on the domain controller of the subdomain, using their certificate which was issued by the primary domain.

Caveats:

  • The subdomain cannot have a CA server.
  • I have no privileges on the corporate network.
  • I have full privileges on the subdomain, including configuration of the webserver.
Kyle
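The script in step 3 is not shown in the question. As an added example (not the asker's script), this is how the same step can be done in PowerShell on the subdomain's side: read the exported certificate, check that it carries the Client Authentication EKU, find the user whose `mail` attribute matches the certificate's email address, and write the name mapping into the user's `altSecurityIdentities` attribute. It assumes the RSAT `ActiveDirectory` module is installed, that the `.cer` file was exported from the signed email, and that the corporate CA's issuer DN does not contain escaped commas. Both the classic issuer+subject mapping and the issuer+serial mapping are written; the serial-number mapping is the form Microsoft classifies as strong in KB5014754, and it requires the serial number in reversed byte order, which is why the code uses `GetSerialNumber()` (documented to return little-endian bytes) rather than the `SerialNumber` string.

```powershell
# Added example, not the asker's script: create an AD name mapping for one
# certificate exported from a signed email.
# Assumptions: RSAT ActiveDirectory module; the user's AD 'mail' attribute
# matches the rfc822 email address in the certificate.
param(
    [Parameter(Mandatory = $true)][string]$CertPath,
    [switch]$ReportOnly   # show the mapping strings without writing to AD
)

Import-Module ActiveDirectory

# altSecurityIdentities expects RDNs in the opposite order from what .NET prints
# (.NET: "CN=user, O=Corp, C=US"; mapping: "C=US,O=Corp,CN=user").
# Format($true) emits one RDN per line, so escaped commas inside a value are
# not split (assumption: no line breaks inside RDN values).
function Convert-ToMappingDN([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name) {
    $rdns = @($Name.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Refuse certificates that cannot be used for client authentication
# (EKU 1.3.6.1.5.5.7.3.2). A cert with no EKU extension is accepted as "any use".
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
    throw "Certificate $($cert.Thumbprint) lacks the Client Authentication EKU"
}

# Email address from the SAN (or legacy E= in the subject), used to locate the account.
$email = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
if (-not $email) { throw "Certificate $($cert.Thumbprint) carries no email address" }

# Scriptblock filter keeps the address from being interpolated into the query.
$users = @(Get-ADUser -Filter { mail -eq $email } -Properties altSecurityIdentities)
if ($users.Count -ne 1) {
    throw "Expected exactly one account with mail=$email, found $($users.Count)"
}
$user = $users[0]

$issuer  = Convert-ToMappingDN $cert.IssuerName
$subject = Convert-ToMappingDN $cert.SubjectName

# Classic mapping on issuer + subject (what the question describes).
$mapIssuerSubject = "X509:<I>$issuer<S>$subject"

# Issuer + serial mapping (strong mapping per KB5014754). The <SR> field is the
# serial in reversed byte order; GetSerialNumber() returns little-endian bytes.
$serialReversed = ([System.BitConverter]::ToString($cert.GetSerialNumber())) -replace '-', ''
$mapIssuerSerial = "X509:<I>$issuer<SR>$serialReversed"

$mappings = @($mapIssuerSubject, $mapIssuerSerial) |
    Where-Object { $user.altSecurityIdentities -notcontains $_ }   # idempotent re-runs

Write-Host "Account : $($user.SamAccountName) ($email)"
Write-Host "Cert    : $($cert.Thumbprint), expires $($cert.NotAfter)"
$mappings | ForEach-Object { Write-Host "Mapping : $_" }

if (-not $ReportOnly -and $mappings.Count -gt 0) {
    Set-ADUser -Identity $user -Add @{ altSecurityIdentities = $mappings }
    Write-Host "Wrote $($mappings.Count) mapping(s) to altSecurityIdentities"
}
```

Run it once with `-ReportOnly` to eyeball the mapping strings before anything is written; the issuer DN in the `<I>` part must match the corporate CA's DN exactly, and a typo there produces a silent logon failure rather than an error. Because the subdomain has no trust with the corporate domain and no CA of its own, the corporate CA's certificate still has to be placed in the subdomain's NTAuth store and the web server's trusted root store for the mapped logon to be accepted, and mappings should be removed when a user leaves, since the mapping itself does not expire.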

1 Answer

Certificate trust can (and usually does) work independently of AD.

To be pedantic, if the subdomain was a subdomain of the other AD domain a trust relationship is already established, but I suspect you've configured the "sub"domain to be a new domain in a new forest. While awkward, this should work.

Anyway, AD aside, to have a user be authenticated to a website using a client certificate, the server needs to trust the client certificate for authentication, and it needs to have some way of mapping the certificate's subject to a security principal (eg. a user). Your current solution does this, and so it is correct.

If you wanted, you could compel the users (or their IT department) to send you the exported certificates in some format (eg. PEM) and information on which certificates correspond to which accounts. This may or may not be easier and will distribute exactly the same information that is distributed by the S/MIME signed email.

Falcon Momot
  • Falcon, thank you for taking the time to answer. The 'subdomain' was around before the corporate domain (I suppose my terminology should have been a bit more clear) and you're correct in your assumption of the network being its own domain in a separate forest. – Kyle Sep 04 '13 at 12:37