You can configure SEG to use client certificate mapping when the certificate either does not have a user principal name (UPN), or the available user principal name does not match the user principal name value in the Active Directory.
Typically, during a certificate-based authentication, SEG extracts the UPN from the client certificate received from the device. The UPN is used to request a Kerberos token from the Kerberos Domain Controller (KDC) server. This token is then used for authenticating the email request at the Exchange server.
SEG cannot acquire a Kerberos token when no usable UPN is available, which happens in the following cases:
- The client certificate does not contain a user principal name.
- The user principal name in the certificate does not match the user principal name in the Active Directory.
- The certificate generation template cannot be modified to include the user principal name attribute.
In such cases, you can configure SEG to retrieve the UPN from the Active Directory using certificate mapping and use the retrieved UPN to obtain the Kerberos token.
When certificate mapping is enabled, the mapped UPN takes precedence over any UPN in the certificate. If certificate mapping does not fetch a valid UPN, SEG might fall back to the UPN in the certificate, if any, to request a Kerberos token.
To enable client certificate mapping, you must adhere to the following prerequisites:
- Enable Kerberos authentication.
- SEG uses the same service account user credentials that are configured under the Kerberos authentication settings for certificate mapping. The service account user must have the permissions to fetch the user details through the LDAP query.
- Publish the client authentication certificate generated from the CA server to the respective user object in the Active Directory server.
- Enable the Attribute Indexing and the Replication to Global Catalog settings in the Active Directory for the attributes listed in the following table.
|Attribute Name|Attribute Indexing Default Setting|Replication to Global Catalog Default Setting|
|---|---|---|
|userCertificate|Not Enabled|Enabled|
|userPrincipalName|Enabled|Enabled|
|objectClass|Enabled|Enabled|
|objectCategory|Enabled|Enabled|
Note: Attribute indexing for the userCertificate attribute is not enabled by default in the Active Directory. You must explicitly enable it.
Enabling Attribute indexing might consume additional storage space on the Active Directory servers.
To enable or verify the Attribute Indexing and Replication to Global Catalog settings, see the Active Directory Settings to Enable Attribute Indexing and Replication section.
For improving the overall security of the system, enable LDAP over TLS (LDAPS) between the SEG and the Active Directory. When you enable LDAPS, the communication between the SEG and LDAP server is encrypted.
When the Attribute Indexing and Replication to Global Catalog settings are enabled, running the query against the Global Catalog port (generally port 3269 with TLS) instead of the LDAP port (generally port 636 with TLS) might perform better.
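The lookup and fallback order described in this section, written out as an added example (not SEG's own code). It assumes the LDAP filter combines the objectClass, objectCategory and userCertificate attributes from the table above, replaces the Global Catalog with a small in-memory list of constructed entries, and uses constructed byte strings in place of real DER certificates; `build_mapping_filter` shows the RFC 4515 filter a real client would send, while `lookup_upn_by_certificate` evaluates the same three conditions locally so the block runs offline.

```python
# Added illustration of certificate mapping and its fallback order (example code,
# not SEG's implementation). Assumptions: the filter uses objectClass, objectCategory
# and userCertificate; DIRECTORY stands in for a Global Catalog search; the DER
# values are constructed, not real certificates.
from typing import List, Optional, Tuple


def escape_filter_bytes(value: bytes) -> str:
    """RFC 4515 escaping for a binary assertion value: every byte becomes \\xx."""
    return "".join(f"\\{b:02x}" for b in value)


def build_mapping_filter(cert_der: bytes) -> str:
    """Filter an LDAP client would send to find the user object whose
    userCertificate attribute holds exactly this certificate."""
    return (
        "(&(objectClass=user)(objectCategory=person)"
        f"(userCertificate={escape_filter_bytes(cert_der)}))"
    )


# Constructed sample values (not real directory data or certificates).
ALICE_CERT = b"\x30\x82\x01\x0a" + b"constructed-der-alice"
BOB_CERT = b"\x30\x82\x01\x0b" + b"constructed-der-bob"

DIRECTORY: List[dict] = [
    {
        "dn": "CN=alice,CN=Users,DC=memldap,DC=org",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=memldap,DC=org",
        "userCertificate": [ALICE_CERT],
        "userPrincipalName": "alice@memldap.org",
    },
    {
        "dn": "CN=bob,CN=Users,DC=memldap,DC=org",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=memldap,DC=org",
        "userCertificate": [BOB_CERT],
        "userPrincipalName": "",  # certificate published, but no UPN on the object
    },
]


def lookup_upn_by_certificate(cert_der: bytes, directory: List[dict]) -> Optional[str]:
    """Evaluate the same conditions as build_mapping_filter() against the
    in-memory entries; return the matching object's UPN or None."""
    for entry in directory:
        is_user = "user" in entry.get("objectClass", [])
        is_person = entry.get("objectCategory", "").split(",")[0].lower() == "cn=person"
        has_cert = cert_der in entry.get("userCertificate", [])
        if is_user and is_person and has_cert:
            return entry.get("userPrincipalName") or None  # empty UPN is not valid
    return None


def resolve_upn(cert_der: bytes, cert_upn: Optional[str], directory: List[dict],
                mapping_enabled: bool = True) -> Tuple[Optional[str], str]:
    """Precedence from the text: a mapped UPN wins when mapping is enabled; when
    mapping yields nothing (or is disabled) fall back to the UPN carried in the
    certificate, if any. Returns (upn, source)."""
    if mapping_enabled:
        mapped = lookup_upn_by_certificate(cert_der, directory)
        if mapped:
            return mapped, "mapping"
    if cert_upn:
        return cert_upn, "certificate"
    return None, "none"  # no UPN at all: no Kerberos token can be requested


if __name__ == "__main__":
    print(build_mapping_filter(ALICE_CERT))
    print(resolve_upn(ALICE_CERT, "stale@memldap.org", DIRECTORY))
    print(resolve_upn(BOB_CERT, "bob@memldap.org", DIRECTORY))
```

The second entry shows the fallback case: Bob's certificate is published on his user object, but the object carries no UPN, so mapping returns nothing and the UPN from the certificate is used instead.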
Certificate Mapping in SEG
To perform certificate mapping in SEG, update the following configuration properties in the application-override.properties file of the SEG.
For SEG versions earlier than 2.17.0, SEG continues to use the default (pre-defined) configuration. If the custom settings feature is not available, manually update the respective files on each individual node and modify the SEG configuration.
|Key|Description|Supported Values/Format|Default Value|Mandatory|
|---|---|---|---|---|
| |Indicates if the certificate mapping feature is enabled for SEG. This setting is ignored and treated as false if the KCD authentication is disabled in the email configuration.| | | |
|cert.mapping.ldap.host|Specify the remote LDAP host information in a URL format.|protocol://host:port/dc=whatever. For example, ldap://ldap-remote:3268, ldaps://ldap-remote:3269, and ldaps://ldap-remote:3269/dc=memldap,dc=org| | |
|cert.mapping.ldap.user|Used for authenticating the LDAP query. SEG uses the same service account credential that is configured as part of the Kerberos authentication settings. However, for the LDAP query, the user name must be provided in the Distinguished Name (DN) format.|LDAP-recognizable Distinguished Name (DN) of the Kerberos service user account. For example, CN=servKCD,CN=Users,DC=memldap,DC=org| | |
| |Specify the distinguished name of the base domain configured for running the LDAP query. The query fetches the matching results from the domain. By default, the LDAP query uses the rootDSE of the LDAP setup. When the userCertificate and userPrincipalName attributes are indexed and replicated to the Global Catalog, this field need not be modified.|Distinguished name of the base domain. For example, DC=memldap, DC=org| | |
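A validator for the two property values documented above, added here as an example (not part of SEG). It checks `cert.mapping.ldap.host` against the protocol://host:port/dc=... format and `cert.mapping.ldap.user` against the DN requirement, and it flags a plaintext ldap:// URL and a non-Global-Catalog port because the prerequisites section recommends LDAPS and the Global Catalog port. The port numbers and the DN regular expression are this example's own assumptions.

```python
# Added configuration check for cert.mapping.ldap.host and cert.mapping.ldap.user
# (example code, not SEG's). Port numbers follow the guidance in the prerequisites
# section; the DN pattern is a simplified assumption, not a full RFC 4514 parser.
import re
from typing import List, Tuple
from urllib.parse import urlsplit

GC_PORTS = {3268, 3269}            # Global Catalog ports (3269 is the TLS one)
_RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,]+"
DN_PATTERN = re.compile(rf"^\s*{_RDN}(\s*,\s*{_RDN})*\s*$")


def check_ldap_host(url: str) -> Tuple[List[str], List[str]]:
    """Validate cert.mapping.ldap.host. Returns (errors, warnings); an empty
    errors list means the value is usable, warnings are hardening advice."""
    errors: List[str] = []
    warnings: List[str] = []
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        errors.append(f"unsupported scheme '{parts.scheme}', expected ldap or ldaps")
        return errors, warnings
    if not parts.hostname:
        errors.append("host is missing")
    port = None
    try:
        port = parts.port            # raises ValueError for a non-numeric port
    except ValueError:
        errors.append("port is not numeric")
    else:
        if port is None:
            errors.append("port is missing (format is protocol://host:port)")
    base_dn = parts.path.lstrip("/")  # optional /dc=...,dc=... suffix
    if base_dn and not DN_PATTERN.match(base_dn):
        errors.append(f"base DN '{base_dn}' is not a valid distinguished name")
    if parts.scheme == "ldap":
        warnings.append("plaintext LDAP: use ldaps:// so the query to Active Directory is encrypted")
    if port is not None and port not in GC_PORTS:
        warnings.append("not a Global Catalog port; with indexed, GC-replicated attributes, "
                        "port 3269 (TLS) may perform better")
    return errors, warnings


def check_service_user(value: str) -> List[str]:
    """Validate cert.mapping.ldap.user, which must be a DN rather than the UPN
    or DOMAIN\\user form used elsewhere for the same service account."""
    if "=" not in value and "@" in value:
        return ["looks like a UPN; give the service account as a DN, "
                "for example CN=servKCD,CN=Users,DC=memldap,DC=org"]
    if "=" not in value and "\\" in value:
        return ["looks like DOMAIN\\user; give the service account as a DN"]
    if not DN_PATTERN.match(value):
        return [f"'{value}' is not a valid distinguished name"]
    return []


if __name__ == "__main__":
    # Constructed sample values taken from the table's examples.
    for url in ("ldaps://ldap-remote:3269/dc=memldap,dc=org", "ldap://ldap-remote:3268"):
        print(url, check_ldap_host(url))
    for user in ("CN=servKCD,CN=Users,DC=memldap,DC=org", "servKCD@memldap.org"):
        print(user, check_service_user(user))
```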
Active Directory Settings to Enable Attribute Indexing and Replication
You must first register the dynamic-link library (DLL) that is required for the Active Directory schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC).
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. For details about using the appropriate accounts and group memberships, see Local and Domain Default Groups.
To configure the Active Directory settings, perform the following steps:
- Open a command prompt, type regsvr32 schmmgmt.dll and press Enter to install the Active Directory schema snap-in.
- Type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- In the Available snap-ins list, click Active Directory Schema, and then click OK.
- Expand the Active Directory Schema node to list its attributes.
- Select the userCertificate attribute to be updated and open its Properties.
- Select the Index check box and verify that the Replicate this attribute to the Global Catalog check box is selected.
- Click Apply to save the changes.
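The two check boxes in the steps above correspond to two properties of the attribute's schema object: the Index bit in searchFlags and the isMemberOfPartialAttributeSet flag. As an added example (not from this page's product), the block below audits those properties for the four attributes in the table above. It assumes the attributeSchema objects have already been read from the schema naming context (an LDAP search for lDAPDisplayName, searchFlags and isMemberOfPartialAttributeSet); the SAMPLE_SCHEMA entries are constructed to reflect the default values listed in the table.

```python
# Added audit of schema settings behind the Index and Replicate-to-Global-Catalog
# check boxes (example code). Assumption: entries come from a query of the schema
# naming context; the sample below is constructed from the page's default values.
from typing import Dict, List

FATTINDEX = 0x1  # searchFlags bit: the attribute is indexed

# Attributes the certificate-mapping query depends on (from the table above).
REQUIRED_ATTRIBUTES = ["userCertificate", "userPrincipalName", "objectClass", "objectCategory"]

# Constructed sample of a schema query result with Active Directory defaults:
# only userCertificate still lacks the index bit. Real searchFlags values often
# carry other bits too, which is why the check masks rather than compares.
SAMPLE_SCHEMA: List[dict] = [
    {"lDAPDisplayName": "userCertificate", "searchFlags": 0, "isMemberOfPartialAttributeSet": True},
    {"lDAPDisplayName": "userPrincipalName", "searchFlags": 1, "isMemberOfPartialAttributeSet": True},
    {"lDAPDisplayName": "objectClass", "searchFlags": 1, "isMemberOfPartialAttributeSet": True},
    {"lDAPDisplayName": "objectCategory", "searchFlags": 1, "isMemberOfPartialAttributeSet": True},
]


def is_indexed(entry: dict) -> bool:
    """True when the Index check box is set (searchFlags has FATTINDEX).
    LDAP returns searchFlags as a string, so accept str or int."""
    return bool(int(entry.get("searchFlags", 0)) & FATTINDEX)


def is_in_global_catalog(entry: dict) -> bool:
    """True when 'Replicate this attribute to the Global Catalog' is set."""
    value = entry.get("isMemberOfPartialAttributeSet", False)
    if isinstance(value, str):            # LDAP boolean syntax is "TRUE"/"FALSE"
        return value.upper() == "TRUE"
    return bool(value)


def audit_schema(entries: List[dict], required: List[str] = REQUIRED_ATTRIBUTES) -> Dict[str, List[str]]:
    """Return, per required attribute, the settings that still need enabling;
    an empty list means the attribute is ready for the certificate-mapping query."""
    by_name = {e["lDAPDisplayName"]: e for e in entries}
    report: Dict[str, List[str]] = {}
    for name in required:
        problems: List[str] = []
        entry = by_name.get(name)
        if entry is None:
            problems.append("attribute not found in schema")
        else:
            if not is_indexed(entry):
                problems.append("enable Index")
            if not is_in_global_catalog(entry):
                problems.append("enable Replicate this attribute to the Global Catalog")
        report[name] = problems
    return report


if __name__ == "__main__":
    for attribute, problems in audit_schema(SAMPLE_SCHEMA).items():
        print(attribute, "OK" if not problems else "; ".join(problems))
```

Run against the constructed defaults, the audit reports only userCertificate, matching the note under the attribute table; after the MMC steps above the same query should return searchFlags with the index bit set and the report comes back empty for all four attributes.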