machine certificate authentication

ive_
New Contributor

machine certificate authentication

Hello,

We are currently setting up dual authentication on a realm, both at the same time:

=> Active Directory authentication
=> authentication with a machine certificate (with a Host Checker policy)

Our main problem: we would like to link the AD account with the machine certificate.
For example: should the AD account name be present in a certificate field?

We can do this when the certificate is in the user's store, but not when it is in the computer store ...

Any idea?

kalagesan_
Super Contributor

Re: machine certificate authentication

Hi,

I understand your requirement.

Can you check the certificate subject for the "CN" attribute in the machine cert, by checking the details field of the certificate?

We can use this field to link to the AD field by configuring the certificate auth server and the LDAP auth server in IVE.

While doing the realm configuration, have the certificate server as the primary authentication server and LDAP as the authorization server.

With this you can do role mapping based on group, and check for the Domain Computers group in the role-mapping policy.

With this you can authenticate the machine with its machine certificate against the AD server, using LDAP authorization along with the cert server.

Hope this resolves your query.

Note: If I have answered your questions, you could mark this post as the accepted solution; that way it could help others as well. Kudos will be a bonus, thanks!

Regards,
Kannan

ive_
New Contributor

Re: machine certificate authentication

Ok, thank you for the answer, but ...

We opted for a home PKI (with openssl). Certificates are made for machines outside our domain.

First: is it possible to bind the certificate from our third-party PKI with an AD account? => if the answer is yes: where do we store our (homemade) machine certificates in AD?

Second: when setting up the realm, if we choose "certificate as primary authentication" => we test it and it does not work: in fact, I insist, the machine certificate is in the local computer store! and not in the user's store (so we must use Host Checker).

sorry for my bad english...

kalagesan_
Super Contributor

Re: machine certificate authentication

Hi,

Thanks for your update. Please find my reply below.

First: is it possible to bind the certificate from our third-party PKI with an AD account? => if the answer is yes: where do we store our (homemade) machine certificates in AD?

ans: Yes, you can bind the certificate with an AD account; you can have Certificate Services running on your Windows server and store the certs in the Windows cert server on the same AD. My only confusion is, if certificates are made for machines outside your domain, then why would you need to bind them to an AD account?

Second: when setting up the realm, if we choose "certificate as primary authentication" => we test it and it does not work: in fact, I insist, the machine certificate is in the local computer store! and not in the user's store (so we must use Host Checker).

ans: As I said, you need to have the certificate server as the authentication server and LDAP as the authorization server.

I recommend you contact JTAC support on this, since this would need a troubleshooting session.

Regards,

Kannan
zanyterp_
Respected Contributor

Re: machine certificate authentication


@ive wrote:

Ok, thank you for the answer, but ...

We opted for a home PKI (with openssl). Certificates are made for machines outside our domain.

First: is it possible to bind the certificate from our third-party PKI with an AD account? => if the answer is yes: where do we store our (homemade) machine certificates in AD?
>>>>this should not be needed as long as the names are matched

Second: when setting up the realm, if we choose "certificate as primary authentication" => we test it and it does not work: in fact, I insist, the machine certificate is in the local computer store! and not in the user's store (so we must use Host Checker).

>>>correct, the cert auth server can only be done with the user certificate, and Host Checker is required for machine certificates. I don't know of a way off-hand to get the information from a machine certificate. Is there a reason you opted for machine rather than user certificates?

sorry for my bad english...
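The two answers above (Kannan's cert-server-plus-LDAP-authorization design and zanyterp's "the names just need to match") both come down to one step: take the CN from the machine certificate's subject, find the matching AD computer object, and map roles from its group membership. The script below is an added illustration of that binding, not code from the IVE product or from anyone in this thread. It assumes an OpenSSL-style `/C=../O=../CN=..` subject line and replaces the LDAP authorization server with a small constructed in-memory directory; the attribute names (`sAMAccountName`, `dNSHostName`, `memberOf`) are the standard AD ones, and the group DNs, host names and role names are made up for the example. Because the CN comes from a home-grown PKI, it is escaped per RFC 4515 before it is placed in a filter.

```python
"""Bind a machine certificate's subject CN to an AD computer object and
evaluate realm-style role-mapping rules against its group membership.

Added example for this thread; not Pulse/IVE code. DIRECTORY, ROLE_MAPPING
and all host/group names are constructed sample data.
"""
from typing import Optional

# RFC 4515 filter escaping: the CN is issued by a home-grown PKI, so treat it
# as untrusted input before it is interpolated into an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape the characters that have meaning inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_subject(subject: str) -> dict:
    """Parse an OpenSSL-style subject such as '/C=FR/O=Example/CN=host.example.com'."""
    attrs = {}
    for part in subject.strip("/").split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


def computer_filter(cn: str) -> str:
    """Filter that finds the AD computer object for a certificate CN.

    An AD computer's sAMAccountName is its short host name plus a trailing '$';
    dNSHostName carries the FQDN, so either form of name in the cert can match.
    """
    short = cn.split(".")[0]
    return (
        "(&(objectClass=computer)"
        f"(|(sAMAccountName={ldap_escape(short)}$)"
        f"(dNSHostName={ldap_escape(cn)})))"
    )


# Constructed stand-in for the LDAP authorization server (two computer objects).
DIRECTORY = [
    {"sAMAccountName": "LAPTOP01$", "dNSHostName": "laptop01.example.com",
     "memberOf": ["CN=Domain Computers,CN=Users,DC=example,DC=com",
                  "CN=VPN-Machines,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "KIOSK07$", "dNSHostName": "kiosk07.example.com",
     "memberOf": ["CN=Domain Computers,CN=Users,DC=example,DC=com"]},
]

# Constructed role-mapping rules: (required group DN, role granted), in order.
ROLE_MAPPING = [
    ("CN=VPN-Machines,OU=Groups,DC=example,DC=com", "Full-Access"),
    ("CN=Domain Computers,CN=Users,DC=example,DC=com", "Domain-Machine"),
]


def find_computer(cn: str) -> Optional[dict]:
    """Apply the same match as computer_filter() to the in-memory directory.
    AD name comparisons are case-insensitive, so compare lower-cased values."""
    short = cn.split(".")[0].lower()
    for obj in DIRECTORY:
        if (obj["sAMAccountName"].lower() == short + "$"
                or obj["dNSHostName"].lower() == cn.lower()):
            return obj
    return None


def map_roles(subject: str) -> list:
    """Roles a machine presenting this certificate subject would receive.
    No CN, or no matching computer object, yields no roles."""
    cn = parse_subject(subject).get("CN")
    if not cn:
        return []
    obj = find_computer(cn)
    if obj is None:
        return []
    groups = {g.lower() for g in obj["memberOf"]}
    return [role for group, role in ROLE_MAPPING if group.lower() in groups]


if __name__ == "__main__":
    for subj in ("/C=FR/O=Example/CN=laptop01.example.com",
                 "/C=FR/O=Example/CN=kiosk07.example.com",
                 "/C=FR/O=Example/CN=rogue.example.com",
                 "/C=FR/O=Example/CN=*"):
        cn = parse_subject(subj)["CN"]
        print(subj, "->", computer_filter(cn), "->", map_roles(subj))
```

The last sample subject shows why the escaping matters: a CN of `*` becomes `\2a` in the filter and matches nothing, instead of turning the computer lookup into a wildcard search. In the real setup the IVE performs the lookup itself; the point of the script is to make visible what "the names must match" means (short name plus `$`, or the FQDN) and which group memberships the role-mapping rules actually consult.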