Certificate mapping, in a general sense, means tying an identity to an X.509 digital certificate. In practice the term is used mostly for Microsoft’s “client certificate mapping” feature, in which a certificate is mapped to a client’s Active Directory account so that the certificate can be used to log in to Microsoft services.
The important thing to understand about Microsoft’s certificate mapping is that it is a narrow use of certificate-based authentication. The certificate is never the identity; it is a credential for an Active Directory account, located either through the UPN in the certificate’s Subject Alternative Name or through an explicit mapping stored on the account (the altSecurityIdentities attribute). If an otherwise valid certificate is presented and no AD account matches it, authentication fails.
To clarify, here is an overview of the difference between the Windows authentication flow and a more typical certificate authentication flow.
Authentication Flow for Windows/Active Directory Certificate Authentication
- Obtain the account name, either from the certificate (the UPN in its Subject Alternative Name, or an explicit mapping on the account) or from the client
- Look up the account in Active Directory
- Check the account is in good standing (not disabled, locked out, or expired)
- Ask the client for the certificate and proof of possession of the private key
- Client provides both
- Pass both to an Active Directory Domain Controller, which validates the certificate chain, maps the certificate to the account, and performs the logon
- Domain Controller accepts and returns a user logon session
- Optional: extract user details (group memberships and similar) from the logon session
- Successful logon
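The mapping step in the flow above, made concrete. This is an added example, not code from the original article: it writes an explicit certificate-to-account mapping into Active Directory with the altSecurityIdentities attribute, then runs the same lookup a domain controller performs to find the account behind a presented certificate, which is where a valid-but-unmapped certificate is rejected. Everything named here is constructed for the example: the domain corp.example, the user alice, an enterprise CA called Corp CA, and the serial number. It assumes the RSAT ActiveDirectory module and rights to edit the user object.

```powershell
# Added example (not from the original article): explicit AD certificate mapping
# and the account lookup a DC performs at logon.
# Assumptions: domain corp.example, user "alice", enterprise CA "Corp CA",
# RSAT ActiveDirectory module installed, rights to modify the user object.
Import-Module ActiveDirectory

$user   = 'alice'
# DNs inside altSecurityIdentities are written root-first (DC=..., then CN=...),
# the reverse of how certutil and the certificate viewer display them.
$issuer = 'DC=example,DC=corp,CN=Corp CA'

# Weak mapping: issuer plus subject. Any certificate from this CA carrying this
# subject matches, so whoever can obtain such a certificate gets alice's account.
# Microsoft's KB5014754 hardening classifies the <I><S> form as weak.
$weak = "X509:<I>$issuer<S>DC=example,DC=corp,CN=Users,CN=alice"

# Strong mapping: issuer plus serial number, which pins one specific certificate.
# The serial must be written with its bytes reversed from the certificate's hex
# display. The serial below is constructed, not a real one.
$serialHex = '1A2B3C4D5E6F'
$bytes = ($serialHex -split '(..)') | Where-Object { $_ }   # '1A','2B',...,'6F'
[array]::Reverse($bytes)
$serialRev = -join $bytes                                     # '6F5E4D3C2B1A'
$strong = "X509:<I>$issuer<SR>$serialRev"

# -Replace overwrites any existing mappings; use -Add to append instead.
Set-ADUser -Identity $user -Replace @{ altSecurityIdentities = $strong }

# What the DC effectively does on logon: find the account carrying this mapping.
# A certificate that chains correctly but maps to no account fails right here,
# and so does one that maps to a disabled account.
$account = Get-ADUser -LDAPFilter "(altSecurityIdentities=$strong)" `
                      -Properties altSecurityIdentities
if (-not $account) {
    Write-Warning 'Certificate maps to no AD account; logon would be rejected'
} elseif (-not $account.Enabled) {
    Write-Warning "Account $($account.SamAccountName) is disabled; logon would be rejected"
} else {
    Write-Output "Certificate maps to $($account.SamAccountName)"
}
```

The weak form is shown only so the difference is visible; in an environment with the KB5014754 enforcement mode turned on, the <I><S> mapping is refused and only the serial, SKI or public-key based forms are accepted. Certificates that carry the user’s UPN in the Subject Alternative Name need no altSecurityIdentities entry at all, but the same rule applies: the UPN has to resolve to an enabled AD account or the logon fails.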
Authentication Flow for Standard Certificate Authentication
- Ask user for certificate and proof of private key
- User provides both
- Optional: Extract user details from the certificate
- Optional: Use third party identity provider to check user account (“account lookup”)
- Optional: Apply policies based on information returned from identity provider
- Successful logon
The difference between the two flows is the dependency. Microsoft’s implementation layers the certificate check on top of the AD account logon, so every authentication still needs a reachable domain controller and a matching, enabled account. Standard certificate authentication lets the certificate stand on its own, with the directory consulted only if a policy calls for it, which is both faster and keeps the domain controller out of the critical path.
Client Certificate Mapping without Active Directory
To their credit, Microsoft offers an alternative that is closer to what the rest of the world expects from certificate authentication: IIS Client Certificate Mapping. It supports one-to-one mapping (a specific certificate, stored in the configuration, is mapped to one Windows account) and many-to-one mapping (any certificate whose subject or issuer fields match a rule is mapped to one Windows account), and the mapped account can be a local machine account, so the web server does not have to be domain-joined.
It is not exactly a huge upgrade. The feature is not installed by default, and there is no user interface for it in IIS Manager (Microsoft’s own documentation says so for IIS 7), so you configure it by hand with appcmd.exe, the WebAdministration PowerShell module, or direct edits to applicationHost.config.
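What “configure it by hand” looks like, as an added example that is not code from the original article or from Microsoft: a many-to-one IIS client certificate mapping set up entirely from PowerShell. The site name, the local account certsvc, the CA name Corp CA and the OU value Staff are all assumptions for the example; the configuration section and attribute names are the ones IIS uses in applicationHost.config.

```powershell
# Added example (not from the original article): IIS Client Certificate Mapping,
# many-to-one, configured without the (non-existent) IIS Manager UI.
# Assumptions: Windows Server with IIS, a site "Default Web Site", a local account
# "certsvc" whose password is in $password, client certs issued by "Corp CA".
Import-Module WebAdministration

$pspath   = 'MACHINE/WEBROOT/APPHOST'        # applicationHost.config
$location = 'Default Web Site'               # written as a <location> for the site
$auth     = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# 1. Install the IIS-native mapping feature. Web-Client-Auth is the other, AD-backed
#    feature; this example deliberately does not use it.
Install-WindowsFeature Web-Cert-Auth

# 2. Require TLS and require (not just negotiate) a client certificate on the site.
Set-WebConfigurationProperty -PSPath $pspath -Location $location `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 3. Turn the mapping on, many-to-one only, and switch off anonymous access so the
#    mapping is the only way in.
Set-WebConfigurationProperty -PSPath $pspath -Location $location -Filter $auth `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $pspath -Location $location -Filter $auth `
    -Name manyToOneCertificateMappingsEnabled -Value $true
Set-WebConfigurationProperty -PSPath $pspath -Location $location -Filter $auth `
    -Name oneToOneCertificateMappingsEnabled -Value $false
Set-WebConfigurationProperty -PSPath $pspath -Location $location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false

# 4. The mapping: one named entry that grants the local account, plus rules.
#    Without an Issuer rule, any certificate from ANY root the server trusts
#    whose subject has OU=Staff would match, so the Issuer rule is not optional.
Add-WebConfigurationProperty -PSPath $pspath -Location $location `
    -Filter "$auth/manyToOneMappings" -Name '.' `
    -Value @{ name = 'Corp staff'; enabled = $true; permissionMode = 'Allow';
              userName = 'certsvc'; password = $password }

$rules = "$auth/manyToOneMappings/add[@name='Corp staff']/rules"
Add-WebConfigurationProperty -PSPath $pspath -Location $location -Filter $rules -Name '.' `
    -Value @{ certificateField = 'Issuer'; certificateSubField = 'CN';
              matchCriteria = 'Corp CA'; compareCaseSensitive = $true }
Add-WebConfigurationProperty -PSPath $pspath -Location $location -Filter $rules -Name '.' `
    -Value @{ certificateField = 'Subject'; certificateSubField = 'OU';
              matchCriteria = 'Staff'; compareCaseSensitive = $true }

# 5. Read the result back to confirm what IIS will actually enforce.
Get-WebConfiguration -PSPath $pspath -Location $location -Filter "$auth/manyToOneMappings/add" |
    Select-Object name, enabled, permissionMode, userName
```

Two caveats a practitioner should keep in mind. First, IIS only ever evaluates certificates that chain to a root in the server’s Trusted Root store, so the rules narrow the set of trusted certificates; they do not replace trust configuration, and certificate revocation checking is a separate setting. Second, the mapped account’s password is stored in the configuration (encrypted with the IIS configuration keys), which is why a dedicated, low-privilege local account is the right target rather than a real user.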
Enhanced Client Certificate Mapping Features
If both of those options sound like a lot of hassle to you – you’re not alone.
The lack of meaningful support from Microsoft, decades after X.509 was standardized, is a large part of the reason for the slow adoption of a clearly superior authentication technology. The sheer ubiquity of AD environments, and their native indifference towards certificates, has steered the industry to the much more accessible (and much weaker) PEAP-MSCHAPv2, whose inner password handshake can be captured by a rogue access point and cracked offline whenever clients are not forced to validate the server certificate.
And, honestly, that’s a shame. Digital certificates can be used for all manner of authentication and security needs: from desktop, Wi-Fi, and VPN login to federating directories and enabling passwordless authentication.
SecureW2’s Cloud RADIUS enables organizations to have their (certificate) cake and eat it too. Rather than Microsoft’s paradigm of tying a certificate to a client for the express purpose of logging into AD, we typically issue certificates to a user on a specific device (without restrictions on what it can authenticate to).
It might sound like semantics, but the practical differences are real. Issuing a certificate per user and per device allows for more granular network control and monitoring, high-certainty identity management (every authentication names both the user and the device it came from), and a more intuitive certificate management experience.
Combined with our innovative Dynamic Policy Engine, SecureW2’s Cloud RADIUS can perform account or user lookup at the moment of authentication. Adding that step to your traditional certificate authentication flow enables real-time policy enforcement at a certificate and directory level – and our product is compatible with every cloud identity provider, not just Active Directory.
If you want to fortify your network security with certificates, you’ll appreciate our robust certificate management solution. We have affordable options for organizations of every size. Click here to see our pricing.