
Subject: [ActiveDir] User migrations, certs, UPNs and altsecurityIdentities
neil.ruston@credit-suisse.com


06/22/2009 12:44 PM  
Hi,

We're investigating a migration from 2 forests into a 3rd, new forest.
Users in one forest already log on with a smartcard.

All logons in the new forest will also utilise a smartcard.

Concerns have been raised that users, when migrated, will require 2
smartcards [and thus two readers] so that they can retain access to
resources and apps in both the new and legacy forests.

One possible solution to this issue has been suggested, involving the
altSecurityIdentities attribute, whereby this attribute is used to
associate a second UPN with a second cert, both of which could be stored
on the same smartcard.

* Has anyone addressed this issue previously?
* Does anyone have an alternate / better solution?

Many thanks,
neil


===============================================================================
Please access the attached hyperlink for an important electronic communications disclaimer:
http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html
===============================================================================


Tspring


06/22/2009 1:29 PM  
You should not necessarily need two different smartcards, depending on how you set things up. As you said, using a subjectAlternativeName will work so that it would be seamless for the user and consistent between the original and destination forests. One key point is that the Active Directory forests must both trust the issuing CA for the smartcard certificates.

So, if set up properly, only a single certificate on a single smartcard is required. That's the smartcard part, and some more on that is here (though it's focused on setting up for other than MS CAs, the info is still good): http://support.microsoft.com/default.aspx/kb/281245

The other part is simple resource access. If the users are migrated using ADMT or similar, just retain sIDHistory, and they should then be able to access those same files and other resources once they have been migrated.

Tim
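As an added worked example for both posts above (this is not code from either poster), the PowerShell below takes a user's exported smartcard certificate, checks whether its SAN UPN already matches the account's UPN in the new forest (Tim's implicit mapping, which needs no altSecurityIdentities as long as the new forest trusts the issuing CA), and otherwise builds and adds the explicit X509:<I>...<SR>... mapping string that Neil's suggestion relies on. The certificate path, the sAMAccountName and the forest names are constructed placeholders; the RDN reversal and reversed-byte serial number follow the documented altSecurityIdentities string format.

```powershell
# Added example, not from the original thread. Decide whether a migrated user's
# smartcard certificate maps implicitly (SAN UPN == account UPN) in the new forest,
# and if not, add an explicit issuer+serial mapping to altSecurityIdentities.
# Placeholders: certificate path and sAMAccountName are constructed for this example.
Import-Module ActiveDirectory

$CertPath   = '.\legacy-smartcard.cer'   # constructed: cert exported from the legacy-forest card
$TargetUser = 'neil'                      # constructed: the account in the new forest

function ConvertTo-MappingDN {
    param([Parameter(Mandatory)][string]$Dn)
    # altSecurityIdentities wants the DN with its RDNs in reverse order, e.g.
    # "CN=Legacy CA, DC=legacy, DC=example" -> "DC=example,DC=legacy,CN=Legacy CA".
    # Split on commas that are not escaped with a backslash.
    $rdns = @(($Dn -split '(?<!\\),') | ForEach-Object { $_.Trim() })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function Get-CertificateUpn {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The smartcard logon UPN is the "Principal Name" otherName inside the
    # Subject Alternative Name extension (OID 2.5.29.17). Format() renders it as text.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    if ($san.Format($false) -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

function Get-IssuerSerialMapping {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Format: X509:<I>reversed-issuer-DN<SR>serial-in-reversed-byte-order.
    # .NET exposes the serial as a big-endian hex string (e.g. 1200000000AC11000000002B),
    # so swap the byte pairs end to end.
    $hex = $Cert.SerialNumber
    $reversed = -join $(for ($i = $hex.Length - 2; $i -ge 0; $i -= 2) { $hex.Substring($i, 2) })
    return "X509:<I>$(ConvertTo-MappingDN $Cert.Issuer)<SR>$reversed"
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$user = Get-ADUser -Identity $TargetUser -Properties userPrincipalName, altSecurityIdentities

$certUpn = Get-CertificateUpn $cert
if ($certUpn -and ($certUpn -ieq $user.UserPrincipalName)) {
    # Implicit mapping: SAN UPN matches the account, so no altSecurityIdentities
    # entry is needed provided the issuing CA is trusted by the new forest.
    Write-Host "SAN UPN '$certUpn' matches $($user.UserPrincipalName); implicit UPN mapping applies."
}
else {
    $mapping = Get-IssuerSerialMapping $cert
    if ($user.altSecurityIdentities -contains $mapping) {
        Write-Host "Mapping already present: $mapping"
    }
    else {
        Write-Host "SAN UPN '$certUpn' does not match account UPN '$($user.UserPrincipalName)'."
        Write-Host "Adding explicit mapping: $mapping"
        # altSecurityIdentities is multi-valued; -Add appends without touching existing values.
        Set-ADUser -Identity $TargetUser -Add @{ altSecurityIdentities = $mapping }
    }
}
```

Run it from a host with the RSAT ActiveDirectory module against the new forest, with a certificate exported from the legacy card. Two caveats a practitioner should keep in mind: the mapping does nothing unless the legacy CA's chain is trusted in the new forest (Trusted Root and NTAuth stores, as Tim notes), and on domain controllers with the May 2022 certificate-based authentication hardening (KB5014754) the <I><S>, <S> and <RFC822> forms, and SAN UPN mapping of certificates that lack the new SID extension, are treated as weak mappings, which is why the example uses the <I><SR> form.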


