It is possible to map (or create an association from) a certificate that has been issued to a user to the user's account. A server application can then use public key cryptography to authenticate the user with this certificate: the client proves that it holds the private key matching the certificate's public key, and the server verifies that the certificate chains to a certification authority it trusts. If the user is authenticated, the mapped user account is logged on. The end result is the same as if the user had provided a user ID and password, yet the process is much more manageable.
Traditionally, computer systems have used a centralized accounts database to manage users, their user rights, and their access controls. This technique has worked well and is well understood. However, as systems become more and more
Public key certificates can help simplify these problems. Certificates can be widely distributed, issued by numerous parties, and verified by checking the issuing certification authority's signature on the certificate and its validity period, without referring to a centralized accounts database. However, existing operating systems and administration tools can only deal with accounts, not certificates. The simple
In this model, when a user presents a certificate and the certificate has been validated, the system consults the mapping to determine which user account should be logged on. (Note that this should not be confused with logging on with a smart card.
In most cases, a certificate is mapped to a user account in one of two ways: a single certificate is mapped to a single user account (one-to-one mapping) or multiple certificates are mapped to one user account (many-to-one mapping).
User principal name mapping is a special case of one-to-one mapping. To use user principal name mapping, you must use the Active Directory directory service. With user principal name mapping, the user principal name carried in the certificate (in its Subject Alternative Name extension) is used to find the user's account in Active Directory and log it onto the network or host. The user principal name looks very much like an e-mail name (for example, user@domain), and is unique within a
For more information on using Active Directory for certificate mapping, see To map a certificate to a user account.
One-to-one mapping maps a single user certificate to a single user account. For example, imagine you want to provide a Web page to your employees that will allow them to view and modify their deductions, manage their health care, and a number of other benefits options. This page should work over the Internet and should be secure. As a solution, you decide to use certificates and certificate mapping on
Many-to-one mapping maps many certificates to a single user account. For example, you have a partnership with an agency that provides temporary workers for your job openings. You would like to allow the agency personnel to view Web pages that describe current job openings that only company employees can see. The agency has its own certification authority that it uses to issue certificates to its employees. After installing the agency certification authority's root certificate as a trusted root in your enterprise, you can set a rule that maps all certificates issued by that certification authority to a single
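To make the three mapping styles concrete, here is an added example that models the decision a mapper makes once a certificate has been validated. It is not Windows, IIS or Active Directory code: the certificate fields, thumbprints, account names, rule attributes and the order in which the mapping types are consulted (user principal name, then one-to-one, then many-to-one) are all assumptions made for the illustration, and a dictionary stands in for the directory lookup.

```python
"""Models certificate-to-account mapping (UPN, one-to-one, many-to-one).

Added example for this page; not Windows, IIS or Active Directory code.
A certificate is reduced to the fields a mapper consults. All values below
are constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class CertInfo:
    thumbprint: str                  # hex digest of the DER certificate
    issuer: Dict[str, str]           # issuer DN attributes, e.g. {"CN": ..., "O": ...}
    subject: Dict[str, str]          # subject DN attributes
    upn: Optional[str] = None        # UPN from the Subject Alternative Name, if any
    chain_root: str = ""             # thumbprint of the root the chain validated to


@dataclass
class ManyToOneRule:
    name: str
    account: str
    issuer_match: Dict[str, str] = field(default_factory=dict)   # every listed attribute must match
    subject_match: Dict[str, str] = field(default_factory=dict)


@dataclass
class MappingConfig:
    trusted_roots: Set[str]           # thumbprints of roots installed as trusted
    upn_suffixes: Set[str]            # UPN suffixes that belong to this forest
    directory_upns: Dict[str, str]    # stand-in for the AD lookup: UPN -> account
    one_to_one: Dict[str, str]        # certificate thumbprint -> account
    many_to_one: List[ManyToOneRule]  # evaluated in order; first match wins


def _dn_matches(pattern: Dict[str, str], dn: Dict[str, str]) -> bool:
    """True when every attribute named in pattern has the same value in dn."""
    return all(dn.get(attr) == value for attr, value in pattern.items())


def map_certificate(cert: CertInfo, cfg: MappingConfig) -> Optional[str]:
    """Return the account to log on for cert, or None when no mapping applies.

    The chain must end at a trusted root before any mapping is read: mapping
    decides which account, it is not the authentication step. The order
    (UPN, then one-to-one, then many-to-one) is this example's choice.
    """
    if cert.chain_root not in cfg.trusted_roots:
        return None
    if cert.upn:
        _, _, suffix = cert.upn.partition("@")
        if suffix in cfg.upn_suffixes:
            account = cfg.directory_upns.get(cert.upn)
            if account is not None:
                return account
        # UPN from a foreign realm or unknown to the directory: try explicit mappings
    account = cfg.one_to_one.get(cert.thumbprint)
    if account is not None:
        return account
    for rule in cfg.many_to_one:
        if _dn_matches(rule.issuer_match, cert.issuer) and _dn_matches(rule.subject_match, cert.subject):
            return rule.account
    return None


# Constructed sample data for the two scenarios described above.
CORP_ROOT = "c0" * 20            # hypothetical enterprise root thumbprint
AGENCY_ROOT = "a1" * 20          # hypothetical temp-agency root thumbprint
AGENCY_ISSUER = {"O": "Temp Agency Inc", "CN": "Temp Agency CA"}

CONFIG = MappingConfig(
    trusted_roots={CORP_ROOT, AGENCY_ROOT},
    upn_suffixes={"corp.example.com"},
    directory_upns={"jsmith@corp.example.com": "CORP\\jsmith"},
    one_to_one={"11" * 20: "CORP\\benefits-admin"},
    many_to_one=[ManyToOneRule("Agency staff", "CORP\\agency-guest", issuer_match=AGENCY_ISSUER)],
)

EMPLOYEE = CertInfo("ee" * 20, {"CN": "Corp CA"}, {"CN": "J Smith"},
                    upn="jsmith@corp.example.com", chain_root=CORP_ROOT)
ADMIN = CertInfo("11" * 20, {"CN": "Corp CA"}, {"CN": "Benefits Admin"}, chain_root=CORP_ROOT)
AGENCY_WORKER = CertInfo("22" * 20, AGENCY_ISSUER, {"CN": "A Worker"}, chain_root=AGENCY_ROOT)
# Same issuer name as the agency rule, but chained to a root we do not trust.
FORGED = CertInfo("33" * 20, AGENCY_ISSUER, {"CN": "A Worker"}, chain_root="de" * 20)
# Valid chain, but a UPN from another realm and no explicit mapping.
FOREIGN_UPN = CertInfo("44" * 20, {"CN": "Corp CA"}, {"CN": "Guest"},
                       upn="guest@other.example", chain_root=CORP_ROOT)

if __name__ == "__main__":
    for label, cert in [("employee", EMPLOYEE), ("admin", ADMIN), ("agency", AGENCY_WORKER),
                        ("forged", FORGED), ("foreign upn", FOREIGN_UPN)]:
        print(f"{label:12s} -> {map_certificate(cert, CONFIG)}")
```

The FORGED case is the caveat that matters in practice: a many-to-one rule keys on the issuer name as it is written in the certificate, and any certification authority can mint a certificate carrying that issuer name, so the rule is only safe to consult after the chain has been validated to the root you actually installed as trusted.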