How to add automatically an Active Directory attribute (i.e. organization) to the Subject Name in a User certificate
I need to automatically add an Active Directory attribute (i.e. organization) to the Subject Name Build from AD DS options in a template, or in an Alternative Name.
It is a unique ID per user, which I can try to put in the AD, but I don't know how to pass it in a certificate template to include it in the Subject Name, for applications to authenticate it.
The DN I get from AD is always based on CN=,OU=,DC= .
There are two possible ways ???
change AD in order to provide a DN with the fields we want CN=,Title=,OU=,DC=, imagining I put my unique ID in the field Title
change a template in order to allow automatic importing from Active Directory of other attributes like in this example
Title
Any clue will be welcome
May 17th, 2012 9:05am
Hi,
The X.500 directory uses distinguished names as the primary keys to entries in the directory. Distinguished Names are encoded in ASN.1 in the X.500 Directory protocols. In the Lightweight Directory Access Protocol, a string representation of distinguished names is transferred. This specification defines the string format for representing names, which is designed to give a clean representation of commonly used distinguished names, while being able to represent any distinguished name.
String   X.500 AttributeType
------------------------------
CN       commonName
L        localityName
ST       stateOrProvinceName
O        organizationName
OU       organizationalUnitName
C        countryName
STREET   streetAddress
DC       domainComponent
UID      userid
Default Active Directory Naming Attributes
Object Class         Naming Attribute Display Name   Naming Attribute LDAP Name
------------------------------------------------------------------------------
user                 Common-Name                     cn
organizationalUnit   Organizational-Unit-Name        ou
domain               Domain-Component                dc
change AD in order to provide a DN with the fields we want CN=,Title=,OU=,DC=, imagining i put in the field Title my unique ID
>> It is impossible.
Hope this helps!
Best Regards
Elytis Cheng
TechNet Community Support
May 21st, 2012 2:31am
And deliver a certificate template which automatically adds a specific attribute to the subject of the certificate???
JOSELITO
May 23rd, 2012 8:48am
Hi,
We can find the Subject type with this link:
Default templates in Windows Server 2008
http://technet.microsoft.com/en-us/library/cc730826(v=WS.10).aspx
Hope this helps!
Best Regards
Elytis Cheng
TechNet Community Support
May 29th, 2012 4:45am
I'm not sure I understand your question. Do you want to add the value of an attribute in AD as part of the DN of the subject, like
CN=Name+some value from AD,OU=...
Or do you want to add an attribute as part of the DN, like CN=name,Attribute=Attributevalue,OU=..
The last one is not possible because it is not a valid x500 format.
Maybe you can write or purchase a custom policy module for this? cf.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa387348(v=vs.85).aspx
Good question anyway,
May 29th, 2012 8:39am
This is possible through FIM CM 2010.
You can load the custom modules on the CA and build both custom subjects and custom SANs.
It allows building subject names based on variables.
CN={User!givenName} {User!sn} etc....
Catch is that you have to purchase the software and associated client access licenses
Brian
May 29th, 2012 8:51am
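An added example, not code from any poster and not FIM CM's implementation: a Python sketch that expands the {User!attr} placeholder style quoted in the post above into a subject string, escaping each directory value per RFC 4514 so that a comma or plus sign inside an attribute cannot change the number of RDNs. The template, the sample user values and the function names are assumptions constructed for illustration.

```python
import re

# RFC 4514 section 2.4: characters that must be escaped inside a value.
_SPECIAL = set('"+,;<>\\')
_PLACEHOLDER = re.compile(r"\{User!([A-Za-z][A-Za-z0-9-]*)\}")

# Constructed sample data (assumption): template and directory values.
TEMPLATE = "CN={User!givenName} {User!sn} {User!employeeID},OU=Staff,DC=example,DC=com"
SAMPLE_USER = {"givenName": "John", "sn": "Doe, Jr.", "employeeID": "E+1001"}


def escape_dn_value(value):
    """Escape one attribute value for the LDAP string form of a DN."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)  # leading space or '#', trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_subject(template, user):
    """Expand {User!attr} placeholders; a missing attribute raises KeyError."""
    return _PLACEHOLDER.sub(lambda m: escape_dn_value(user[m.group(1)]), template)


def split_rdns(dn):
    """Split a DN string on unescaped commas, skipping backslash pairs."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur))
    return parts


if __name__ == "__main__":
    subject = build_subject(TEMPLATE, SAMPLE_USER)
    print(subject, len(split_rdns(subject)))
```
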