Re: [Fed-Talk] Getting FireFox to prompt for which CAC cert to use.
- Subject: Re: [Fed-Talk] Getting FireFox to prompt for which CAC cert to use.
- From: "Timothy J. Miller" <email@hidden>
- Date: Thu, 11 Jan 2007 14:48:41 -0600
Cardona, Cris Mr Nortel Government Solutions wrote:
If this was the case and was changed to look at the ID cert, how would
you modify the ID cert in your CAC to include extended key usage for
smart card logon, E-mail protection, and TLS Webclient Authentication?
If I look at the properties of my ID Certificate in ActivCard Gold it
doesn't list this as one of its functions, only the signature
certificate shows the extended key usage for Smart Card Logon
authentication.
To further clarify my clarifications:
1) You cannot use the ID cert for smartcard logon at all.
2) You *can* use the ID cert to authenticate to web sites.
3) Web applications, such as OWA, normally use the email signing cert
for user authentication because the normal method of locating the user's
account in AD is by using the UPN, and the UPN is only in the email cert.
4) It is possible to put the ID cert subject and issuer DN into a user's
altSecurityIdentities attribute, which will allow IIS to use the ID
certificate for AD access control by providing a means of mapping users
to accounts *without* using the UPN.
5) *Theoretically* this is possible when using OWA through the ISA2006
application proxy, but it hasn't been tested.
-- Tim
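
The mapping value described in point 4, as an added example that is not part of the original message: it builds the `X509:<I>issuer<S>subject` string stored in altSecurityIdentities from two DN strings. It assumes the DNs are supplied in RFC 4514 display order (most specific RDN first) and that AD expects certificate encoding order (most general first); the function names and sample DNs are constructed for illustration.

```python
"""Build an altSecurityIdentities issuer/subject mapping value (added example)."""


def split_rdns(dn: str) -> list[str]:
    """Split an RFC 4514 DN string on unescaped commas, keeping escapes intact."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            rdns.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).lstrip())
    if escaped or any("=" not in rdn for rdn in rdns):
        raise ValueError(f"malformed DN: {dn!r}")
    return rdns


def to_cert_order(dn: str) -> str:
    """Reverse display order (CN first) into encoding order (C/DC first)."""
    return ",".join(reversed(split_rdns(dn)))


def alt_security_identity(issuer_dn: str, subject_dn: str) -> str:
    """Return the issuer/subject mapping string for altSecurityIdentities."""
    return f"X509:<I>{to_cert_order(issuer_dn)}<S>{to_cert_order(subject_dn)}"


# Constructed sample DNs, not taken from a real certificate.
SAMPLE_ISSUER = "CN=EXAMPLE CA-1,OU=PKI,O=Example Org,C=US"
SAMPLE_SUBJECT = r"CN=DOE.JANE.0000000000, OU=Users, O=Example\, Org, C=US"

if __name__ == "__main__":
    print(alt_security_identity(SAMPLE_ISSUER, SAMPLE_SUBJECT))
```

Microsoft's KB5014754 guidance classifies issuer/subject (`<I>`/`<S>`) mappings as weak, so check the current certificate-mapping enforcement settings before relying on this form.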