Windows 2003 PKI, AD/AM and non-domain user authentication

Chris Hayes

A couple of questions:

Which certificates should be used for non-domain user authentication?

Can certificates contain user subject information specific to AD/AM
schema but not require an Active Directory account?

Scenario is one in which issuing party wants to have certificate
authentication for web apps for non-domain users.

Thanks.
 
Steven L Umbach

I have not tried that exactly, but where I have used certificates for users or
computers for EFS or L2TP, the thing that mattered was that each party trusted the
certificate presented to them by having the certificate for the Certificate Authority
in their certificate store. It is easier requesting a certificate in a domain by
using the MMC certificate snap-in for user; otherwise Web Enrollment is needed. It
should be easy enough to test it out. --- Steve
 
Microsoft

Thanks for the input Steven. I've been doing some more digging using the MSA
Enterprise Design for Certificate Services. They reference in this URL that
you can select a "certificate repository". The repository may be AD, AD/AM
or a SQL db. I've initiated support with MS to get clarification and
guidance. I have never noticed during a CA install, whether stand-alone or
enterprise, an option to choose a certificate repository; maybe a 3rd party
CA has this capability.

I'll try to remember to post their final guidance.
 
Chris Hayes

The above posting reflects a misconfiguration of my news reader- it was not
intentional to have the "From" field populated with "Microsoft".
 
