
TLS user mapping hint extension

TLS user mapping hint extension. Stefan Santesson, Microsoft. Purpose: logging on to a Microsoft domain currently requires a Microsoft UPN (User Principal Name) “user@domain” to be present in the client certificate. This TLS extension removes this requirement in the context of TLS.


Presentation Transcript


  1. TLS user mapping hint extension Stefan Santesson Microsoft

  2. Purpose • Logging on to a Microsoft domain currently requires a Microsoft UPN (User Principal Name) “user@domain” to be present in the client certificate. • This TLS extension removes this requirement in the context of TLS.

  3. Flow • Client and server agree that they both support this extension. • The client sends its UPN in a new handshake message. • The server locates the user in AD and extracts the user's certificate. • Authentication maps the client certificate presented in the handshake to the user certificate extracted from AD.

  4. New extension type • A new extension type (user_mapping(nn)) is added to the ExtensionType enum used in both the Client Hello and Server Hello. The extension type is specified as follows and has no data associated with it.

       enum {
           server_name(0), max_fragment_length(1),
           client_certificate_url(2), trusted_ca_keys(3),
           truncated_hmac(4), status_request(5),
           user_mapping(nn), (65535)
       } ExtensionType;

  5. Extension to the Handshake Protocol • A new handshake message (user_mapping_data(nn)) is created to encapsulate the client’s domain.

       enum {
           hello_request(0), client_hello(1), server_hello(2),
           certificate(11), server_key_exchange(12),
           certificate_request(13), server_hello_done(14),
           certificate_verify(15), client_key_exchange(16),
           finished(20), certificate_url(21), certificate_status(22),
           user_mapping_data(nn), (255)
       } HandshakeType;

  6. Handshake message syntax

       enum { UpnDomainHint(0), (255) } UserMappingType;

       struct {
           opaque user_principle_name<0..2^16-1>;
           opaque domain_name<0..2^16-1>;
       } UpnDomainHint;

       struct {
           UserMappingType user_mapping_version;
           select(UserMappingType) {
               case UpnDomainHint: UpnDomainHint;
           }
       } UserMappingData;
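An added example (not from the slides or from any Microsoft implementation) that encodes and decodes the UserMappingData message in the syntax above: a one-byte UserMappingType followed by the two length-prefixed opaque vectors of UpnDomainHint. The decoder enforces the vector bounds so that a truncated or oversized message is rejected rather than read past its end; the "nn" code points are left unassigned here, and the sample UPN and domain are constructed values.

```python
import struct

UPN_DOMAIN_HINT = 0  # UserMappingType value from the slide deck


def encode_user_mapping_data(upn: str, domain: str) -> bytes:
    """Serialise UserMappingData carrying a UpnDomainHint.

    Wire layout: 1-byte UserMappingType, then user_principle_name and
    domain_name as opaque<0..2^16-1>, i.e. 2-byte big-endian length + bytes.
    """
    fields = [upn.encode("utf-8"), domain.encode("utf-8")]
    out = bytes([UPN_DOMAIN_HINT])
    for value in fields:
        if len(value) > 0xFFFF:  # vector length must fit in 16 bits
            raise ValueError("opaque vector exceeds 2^16-1 bytes")
        out += struct.pack("!H", len(value)) + value
    return out


def decode_user_mapping_data(msg: bytes) -> dict:
    """Parse UserMappingData; raise ValueError on any malformed input.

    Note the decoded UPN is only a lookup hint: the server still has to
    map the client certificate it receives later in the handshake to the
    certificate stored in the directory before the user is authenticated.
    """
    if len(msg) < 1:
        raise ValueError("empty UserMappingData")
    if msg[0] != UPN_DOMAIN_HINT:
        raise ValueError(f"unsupported UserMappingType {msg[0]}")
    pos = 1
    parsed = {}
    for name in ("user_principal_name", "domain_name"):
        if pos + 2 > len(msg):
            raise ValueError(f"missing length for {name}")
        (length,) = struct.unpack_from("!H", msg, pos)
        pos += 2
        if pos + length > len(msg):  # declared length runs past the message
            raise ValueError(f"truncated {name}")
        parsed[name] = msg[pos:pos + length].decode("utf-8")
        pos += length
    if pos != len(msg):
        raise ValueError("trailing bytes after UpnDomainHint")
    return parsed
```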

  7. Actions • Submit new draft to be published as Informational RFC • Provide IPR disclosure • Assign identifiers for extension type and handshake message
