AD Name Mappings - Default Accounts
I was wondering if it is possible to do the following: I want users to present their client certificate for authentication. If the certificate is properly mapped to an AD account, the user is logged in as that user. If there is no corresponding account, the user is logged in as a "default" user.

I know it is possible to do the one-to-one mapping, and the default account can be achieved by the many-to-one approach. However, the certificates are mapped by the same organization. So it seems that a particular user account would map to both the specific account and to the many-to-one account, since the identifiers would be so close. Is there a way to tell AD: if an account exists one-to-one, use it; otherwise, if the many-to-one is matched, use the default account?

I hope that makes sense, Mark
March 29th, 2012 3:50pm

Hello, you need to do a 2-factor authentication with a smartcard or RSA token, for example. We use RSA with Citrix Access Gateways, so AD account and token as second factor. Within the domain, logon is possible with only the domain account. The security forum is the better place to ask for options: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads

Best regards, Meinolf Weber MVP, MCP, MCTS Microsoft MVP - Directory Services My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
March 29th, 2012 3:59pm

I was wondering if it is possible to do the following: I want users to present their client certificate for authentication. If the certificate is properly mapped to an AD account (one-to-one), the user is logged in as that user. If there is no corresponding account, the user is logged in as a "default" user.

I know it is possible to do the one-to-one mapping, and the default account can be achieved by the many-to-one approach. However, the certificates are mapped by the same organization. So it seems that a particular user account would map to both the specific account and to the many-to-one account, since the identifiers would be so close. Is there a way to tell AD: if an account exists one-to-one, use it; otherwise, if the many-to-one is matched, use the default account?

I hope that makes sense, Mark
March 29th, 2012 4:18pm

> I was wondering if it is possible to do the following: I want users to present their client certificate for authentication. If the certificate is properly mapped to an AD account, the user is logged in as that user. If there is no corresponding account, the user is logged in as a "default" user.

Just need to make something clear: this is about client certificate authentication to a web server. You would like to implement one-to-one certificate mapping and have many-to-one mapping as the fall-back option. If so, is the web server IIS, and which version?

-= F1 is the Key =-
March 29th, 2012 6:17pm

Please use the Security forum and ask your question there. Here is the Security forum link: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

Best Regards, Sandesh Dubey. MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
March 29th, 2012 7:26pm

Actually, it is using TMG 2010 with AD Name Mapping, on Windows Server 2008. Thanks, Mark
March 30th, 2012 8:53am

Thanks. I thought that is the forum I am in now. Mark
March 30th, 2012 8:54am

It appears Windows Server 2008 is working as follows:

1. If a certificate maps directly to an account, the account is used.
2. If a certificate does not map to a specific account, but matches a wildcard, the wildcard account is used.

Thanks everyone, Mark
April 5th, 2012 3:24pm
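The resolution order Mark reports (an exact one-to-one mapping wins, a many-to-one wildcard rule is only the fallback) is easy to get subtly wrong when both tables are fed by the same issuing CA. The following added example, which is not code from the thread, from TMG or from Active Directory, simulates that precedence over a constructed mapping table so the overlap case can be checked. Both the one-to-one entries and the wildcard rules are keyed on the issuer as well as the subject, and a small audit flags wildcard rules whose issuer pattern is `*`, since such a rule would hand out the default account to certificates from any CA the server trusts. All issuer and subject names, account names and the `fnmatch`-style wildcard syntax are assumptions for illustration.

```python
"""Simulated certificate name-mapping precedence (constructed example).

Order, as described in the thread: a one-to-one (issuer, subject) match is
used first; only if none exists is the ordered list of many-to-one wildcard
rules consulted. A certificate that matches neither is left unmapped.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    """Just the two fields that name mapping keys on (constructed)."""
    issuer: str
    subject: str

# Constructed one-to-one table: exact (issuer, subject) -> account.
ONE_TO_ONE: Dict[Tuple[str, str], str] = {
    ("CN=Contoso Issuing CA, O=Contoso", "CN=Mark, OU=Staff, O=Contoso"): "CONTOSO\\mark",
}

# Constructed many-to-one rules: (issuer pattern, subject pattern, account),
# evaluated in order; first match wins. The issuer pattern names the CA so
# that only certificates from that CA can fall back to the default account.
MANY_TO_ONE: List[Tuple[str, str, str]] = [
    ("CN=Contoso Issuing CA, O=Contoso", "*, O=Contoso", "CONTOSO\\cert-default"),
]

def resolve(cert: Cert,
            one_to_one: Dict[Tuple[str, str], str] = ONE_TO_ONE,
            many_to_one: List[Tuple[str, str, str]] = MANY_TO_ONE
            ) -> Tuple[Optional[str], str]:
    """Return (account or None, which table produced the answer)."""
    # Step 1: exact mapping to a specific account takes precedence.
    account = one_to_one.get((cert.issuer, cert.subject))
    if account is not None:
        return account, "one-to-one"
    # Step 2: fall back to the first wildcard rule whose issuer AND subject
    # patterns both match; the issuer check is what keeps the fallback
    # bound to the organization's own CA.
    for issuer_pat, subject_pat, rule_account in many_to_one:
        if fnmatchcase(cert.issuer, issuer_pat) and fnmatchcase(cert.subject, subject_pat):
            return rule_account, "many-to-one"
    return None, "unmapped"

def audit_rules(many_to_one: List[Tuple[str, str, str]]) -> List[int]:
    """Indices of wildcard rules that accept any issuer (overly broad)."""
    return [i for i, (issuer_pat, _, _) in enumerate(many_to_one) if issuer_pat.strip() == "*"]

if __name__ == "__main__":
    samples = [
        Cert("CN=Contoso Issuing CA, O=Contoso", "CN=Mark, OU=Staff, O=Contoso"),   # exact entry
        Cert("CN=Contoso Issuing CA, O=Contoso", "CN=Alice, OU=Staff, O=Contoso"),  # same CA, no entry
        Cert("CN=Fabrikam CA, O=Fabrikam", "CN=Mark, OU=Staff, O=Contoso"),         # same subject, other CA
    ]
    for c in samples:
        print(c.subject, "->", resolve(c))
    print("rules with issuer '*':", audit_rules(MANY_TO_ONE))
```

The third sample shows why the issuer belongs in both tables: a certificate with Mark's subject but from another CA matches neither the exact entry nor the wildcard rule, instead of silently landing on the default account. If the overlap Mark worried about still bites on a real deployment, the thing to compare is exactly these two lookups in that order.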
