Security


One-to-One Mapping

In one-to-one mapping, the administrator selects the client authentication certificate to map and enters the user name and password associated with that certificate. The certificate format shown in the figure below is Base64 encoded X.509: a standard client authentication certificate that is encoded as Base64 text rather than binary. Base64 encoding enables older e-mail servers to handle the data easily, since many older e-mail servers cannot relay binary data.

Using the Certificate Manager Export Wizard to Export a Client Authentication Certificate

You can also access a user’s client authentication certificate from the Active Directory, as shown in the figure below. A client authentication certificate is an optional UserCertificate property on the User object. The following Visual Basic code reads the UserCertificate property:

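' Bind to the user object over LDAP and read its certificate property.
Dim oUser, vCert
Dim strName, strDN
strName = "CN=Baggins"
strDN = "CN=Users,DC=iis,DC=nttest,DC=microsoft,DC=com"
Set oUser = GetObject("LDAP://" & strName & "," & strDN)
' vCert receives the binary certificate data stored on the user object.
vCert = oUser.userCertificate
Set oUser = Nothing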

You can set a user’s client authentication certificate by using the Directory Management administration tool. If Certificate Services is installed in the enterprise, the certificate is automatically added to the user’s list of certificates in the Active Directory when the client requests a certificate.

A User's Client Authentication Certificate in the Active Directory

Note: To view or add a user’s client authentication certificate in the Active Directory user interface, you must have Advanced Features enabled. To do this, load the Directory Management administration tool, select View and check the Advanced Features option.
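
As an added example (not part of the original documentation), the Python code below normalises a certificate from either export form, binary or Base64 encoded X.509, and compares its SHA-1 thumbprint with the values read from the userCertificate property, so an administrator can confirm that the certificate being mapped is the one stored for the user. The function names and SAMPLE_DER, a constructed placeholder rather than a real certificate, are assumptions.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a certificate: a well-formed outer ASN.1 SEQUENCE
# with filler content. It is not a real X.509 certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

def check_outer_sequence(der):
    """Reject data whose outer SEQUENCE length does not match its size."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long form: low 7 bits = length octets
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length field")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("truncated certificate or trailing data")

def to_der(data):
    """Return binary DER from either export form: binary or Base64 X.509."""
    if data[:1] != b"\x30":                # not binary, so treat it as Base64 text
        m = PEM_RE.search(data)
        body = m.group(1) if m else data   # header lines are optional
        try:
            data = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("neither DER nor Base64 X.509") from exc
    check_outer_sequence(data)
    return data

def to_base64_x509(der):
    """Encode DER as Base64 X.509 text, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(rows) + "\n-----END CERTIFICATE-----\n"

def thumbprint(data):
    """SHA-1 of the DER bytes, the form Windows shows as the thumbprint."""
    return hashlib.sha1(to_der(data)).hexdigest().upper()

def matches_directory(exported, directory_values):
    """True if the exported file equals one of the userCertificate values."""
    want = thumbprint(exported)
    return any(thumbprint(value) == want for value in directory_values)
```

Because the thumbprint is taken over the decoded bytes, the same certificate gives the same value whether it was exported as binary or as Base64 text.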


© 1997-1999 Microsoft Corporation. All rights reserved.