Historical Content Alert

This is a historical content for Windows 2000 product and is presented for informative purposes only. All content on this page is copyrighted and owned by Microsoft.

Mapping certificates to user accounts

It is possible to map (or create an association from) a certificate that has been issued to a user to the user's account. A server application can then use public key cryptography technology to authenticate the user using this certificate. If the user is authenticated, then the user's account is logged on. The end result is the same as if the user provided a user ID and password, yet the process is much more manageable.

Traditionally, computer systems have used a centralized accounts database to manage users, their privileges, and their access controls. This technique has worked well and is well understood. However, as systems become more and more distributed--with hundreds of thousands to millions of users--this form of centralized control becomes unwieldy. The problems range from trying to verify an account against a database located on the other side of the Internet to administering a lengthy list of users.

Public key certificates can help simplify these problems. Certificates can be widely distributed, issued by numerous parties, and can be verified by simply examining the certificate, without having to refer to a centralized database. However, existing operating systems and administration tools can only deal with accounts, not certificates. The simple solution--one that maintains the advantages of both certificates and user accounts-- is to create a mapping between a certificate and a user account. This allows the operating system to continue using accounts while the larger "system" and the user use certificates.

In this model, when a user presents a certificate, the system looks at the mapping to determine which user account should be logged on. (Note that this should not be confused with logging on with a smart card. Windows 2000 supports logging on with a smart card using account mapping that is automatic.)

Mapping a certificate to a Windows 2000 user can be done in one of two ways: the mapping can be done either by the Windows 2000 Active Directory service or it can be done with rules defined in Microsoft Internet Information Services (IIS).

Types of mapping

In most cases, a certificate is mapped to a user account in one of two ways: a single certificate is mapped to a single user account (one-to-one mapping) or multiple certificates are mapped to one user account (many-to-one mapping).

User principal name mapping

User principal name mapping, is a special case of one-to-one mapping. To use user principal name mapping, you must use Active Directory. With user principal name mapping, the user principal name is used to find the user's account in Active Directory and log it onto the network or host. The user principal name looks very much like an e-mail name, and is unique within a Windows 2000 domain. Enterprise certification authorities (CAs) place the user principal name of the certificate holder into each certificate. Thus, for accessing a secure IIS server or logging on to Windows 2000 with a smart card, the mapping of user names to accounts is automatic on these certificates.

One-to-one mapping

One-to-one mapping maps a single user certificate to a single Windows 2000 user account. For example, imagine you want to provide a Web page to your employees that will allow them to view and modify their deductions, manage their health care, and a number of other benefits options. This page should work over the Internet and should be secure. As a solution, you decide to use Windows 2000, certificates, and certificate mapping. You can either issue certificates to each of your employees from your own certificate service, or you can have your employees get certificates from a certification authority approved by your company. You can then take these user certificates and map them to the employee's Windows 2000 user account. This allows a user to connect to the Web page using SSL (Secure Sockets Layer) or TLS (Transport Layer Security) from anywhere by providing his or her client certificate. The user then logs onto his or her own user account and normal Windows 2000 access controls can be applied.


Many-to-one mapping maps many certificates to a single user account. For example, you have a partnership with an agency that provides temporary workers for your job openings. You would like to allow the agency personnel to view Web pages that describe current job openings that only company employees can see. The agency has its own certification authority that it uses to issue certificates to its employees. After installing the agency certification authority's root certificate as a trusted root in your enterprise, you can set a rule that maps all certificates issued by that certification authority to a single Windows 2000 account. You can then set the access rights of the account so this account can access that Web page.

See Map certificates to user accounts for procedures to map certificates to user accounts.

Share this article: