3.5.2 Server Processing of SSL_CERT_LOGON_REQ Message

Upon receipt of the SSL_CERT_LOGON_REQ message at the server, the server decodes the request. The server MUST examine the requested flags from the client for the REQ_UPN_MAPPING, REQ_SUBJECT_MAPPING, and REQ_ISSUER_MAPPING flags. These correspond to the following methods:

  • Method 1: Mapping via the userPrincipalName attribute. The Remote Certificate Mapping Protocol client requests this mapping scheme from the Remote Certificate Mapping Protocol server by setting the REQ_UPN_MAPPING flag in the SSL_CERT_LOGON_REQ message. If this mapping scheme is allowed by the Remote Certificate Mapping Protocol server's local policy, the Remote Certificate Mapping Protocol server looks up the authorization information by using the subjectAltName field, as specified in [X509], contained in the X.509 certificate in the request.

    The DC SHOULD perform the following based on the type of certificates in the request:

    • For certificates that contain the FQDN (dNSName) in the Subject Alternative Name extension ([RFC5280] section 4.2.1.6):

      The DC prefixes the FQDN with "host/" to form a service principal name (SPN) of the form "host/machinename" and searches within the forest directory for an account that contains this SPN in its servicePrincipalName attribute ([MS-ADA3] section 2.253).

    • For certificates that contain the UPN in the Subject Alternative Name extension ([RFC5280] section 4.2.1.6):

      In X.509 certificates, the UPN is encoded in the subject alternative name extension as an otherName with object identifier (OID) 1.3.6.1.4.1.311.20.2.3. The name is encoded in UTF-8 when it contains characters outside US-ASCII. Details are specified in Appendix C of [RFC4556].

      The DC searches within the forest directory for an account containing the UPN in the userPrincipalName attribute ([MS-ADA3] section 2.349).

      If successful, the Remote Certificate Mapping Protocol (RCMP) server constructs a PAC [MS-PAC] containing the authorization information. For more information about the initial population of the PAC structures, see the sections under [MS-KILE] section 3.3.5.6.4.

  • Method 2: Mapping via the certificate's subject and issuer distinguished names (DNs). The Remote Certificate Mapping Protocol client requests this mapping scheme from the Remote Certificate Mapping Protocol server by setting the REQ_SUBJECT_MAPPING flag in the SSL_CERT_LOGON_REQ message. If this mapping scheme is allowed by the Remote Certificate Mapping Protocol server's local policy, the Remote Certificate Mapping Protocol server looks up the authorization information by using the subject name and issuer name contained in the X.509 certificate in the request. The strings SHOULD<2> match. If the match is successful, the Remote Certificate Mapping Protocol server constructs a PAC [MS-PAC] containing the authorization information. For more information about the initial population of the PAC structures, see the sections under [MS-KILE] section 3.3.5.6.4.<3>

  • Method 3: Mapping via the certificate's issuer DN. The Remote Certificate Mapping Protocol client requests this mapping scheme from the Remote Certificate Mapping Protocol server by setting the REQ_ISSUER_MAPPING flag in the SSL_CERT_LOGON_REQ message. If this mapping scheme is allowed by the Remote Certificate Mapping Protocol server's local policy, the Remote Certificate Mapping Protocol server looks up the account by using the issuer name that is contained in the X.509 certificate in the request. If the additional REQ_ISSUER_CHAIN_MAPPING flag is set, the other issuer names from the SSL_CERT_LOGON_REQ message are also used for the search. Each name from the chain of issuers needs to be used as the lookup key, in the order given in the SSL_CERT_LOGON_REQ message, until a match is found. If successful, the Remote Certificate Mapping Protocol server constructs a PAC [MS-PAC] containing the authorization information. For more information about the initial population of the PAC structures, see the sections under [MS-KILE] section 3.3.5.6.4.<4>

  • The server SHOULD try these methods in the order listed above; a client MUST NOT rely on the processing order. If none of the methods specified as acceptable by the client can determine the appropriate account to use, the mapping request cannot be satisfied. In this event, no SSL_CERT_LOGON_RESP message is constructed, and the Netlogon generic pass-through method, as specified in [MS-NRPC] section 3.2.4.1, MUST return error code STATUS_LOGON_FAILURE (0xC000006D), as specified in [MS-ERREF], indicating this failure condition. There is no specific error frame or status code in the SSL_CERT_LOGON_RESP message.

If none of the requested methods are successful, the server does not generate an SSL_CERT_LOGON_RESP message, and instead only returns the error code STATUS_LOGON_FAILURE (0xC000006D) to the client via the return code of the Netlogon generic pass-through, as specified in [MS-NRPC] section 3.2.4.1.
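The following is an added illustration, not code from [MS-RCMP] or any Windows implementation: it models the server-side decision this section describes (requested flags gated by local policy, Method 1 through Method 3 tried in order, and STATUS_LOGON_FAILURE with no SSL_CERT_LOGON_RESP when nothing matches) against a constructed in-memory directory. The flag bit values, the account field names (subject_issuer, issuer_only) and all sample names are assumptions made for the example.

```python
# Added example (not from [MS-RCMP]): a model of the section 3.5.2 server decision,
# run against a constructed directory; flag bit values and field names are assumptions.
REQ_UPN_MAPPING, REQ_SUBJECT_MAPPING = 0x1, 0x2          # assumed bit values
REQ_ISSUER_MAPPING, REQ_ISSUER_CHAIN_MAPPING = 0x4, 0x8   # assumed bit values
STATUS_LOGON_FAILURE = 0xC000006D                         # [MS-ERREF]
UPN_OID = "1.3.6.1.4.1.311.20.2.3"                        # UPN otherName in the SAN extension
# Constructed directory: one record per account with the attributes each method keys on.
DIRECTORY = [
    {"sam": "WS01$", "servicePrincipalName": ["host/ws01.corp.example"],
     "userPrincipalName": None, "subject_issuer": None, "issuer_only": None},
    {"sam": "alice", "servicePrincipalName": [], "userPrincipalName": "alice@corp.example",
     "subject_issuer": ("CN=alice,DC=corp,DC=example", "CN=Corp Sub CA"), "issuer_only": None},
    {"sam": "partner-ca-users", "servicePrincipalName": [], "userPrincipalName": None,
     "subject_issuer": None, "issuer_only": "CN=Partner Root CA"},
]

def _find(directory, pred):
    return next((a for a in directory if pred(a)), None)

def map_certificate(req, directory=DIRECTORY, policy=frozenset({"upn", "subject", "issuer"})):
    """Return (account, None), or (None, STATUS_LOGON_FAILURE) when no SSL_CERT_LOGON_RESP is built."""
    flags = req["flags"]
    # Method 1: UPN mapping (dNSName -> "host/<fqdn>" SPN; UPN otherName -> userPrincipalName).
    if flags & REQ_UPN_MAPPING and "upn" in policy:
        for kind, value in req["san"]:
            if kind == "dNSName":
                spn = "host/" + value
                acct = _find(directory, lambda a: spn in a["servicePrincipalName"])
            elif kind == UPN_OID:
                acct = _find(directory, lambda a: a["userPrincipalName"] == value)
            else:
                continue  # other SAN name forms are not used by this method
            if acct:
                return acct, None
    # Method 2: subject DN and issuer DN must both match the stored mapping strings.
    if flags & REQ_SUBJECT_MAPPING and "subject" in policy:
        acct = _find(directory, lambda a: a["subject_issuer"] == (req["subject"], req["issuer"]))
        if acct:
            return acct, None
    # Method 3: issuer DN, then (only with REQ_ISSUER_CHAIN_MAPPING) the chain in request order.
    if flags & REQ_ISSUER_MAPPING and "issuer" in policy:
        issuers = [req["issuer"]]
        if flags & REQ_ISSUER_CHAIN_MAPPING:
            issuers += req.get("issuer_chain", [])
        for name in issuers:
            acct = _find(directory, lambda a: a["issuer_only"] == name)
            if acct:
                return acct, None
    # Nothing matched: the Netlogon pass-through return code carries the status instead.
    return None, STATUS_LOGON_FAILURE
```

Note that a method the client did not request, or that local policy disallows, is skipped entirely even when its lookup would have matched, which is why the final case returns only the error code.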