2.5.5.1.2 Authenticate Client Identity by Using an X.509 Certificate

The following describes the authentication of a client user or computer by using an X.509 certificate. Only the Main Success Scenario differs; otherwise, this section is the same as section 2.5.5.1.1.

Goal: To authenticate the identity of a user or computer to the AA by using an X.509 certificate.

Context of Use: Applies when the user interactively logs on to the domain or when the user tries to access a protected resource on the network.

Direct Actor: The Authentication Client.

Primary Actor: The LSA or the client application.

Supporting Actors: The AA, the account DB, and the PKI.

Preconditions:

  • The identities of the user and the client computer are configured in the account database.

  • The client computer and the AA can communicate with each other.

  • The LSA has obtained the credential information for the user or computer identity and has submitted the credential information to the Authentication Client. In the case of user identity authentication, the LSA has obtained the credential information from the user (for example, by using a logon UI).

Minimal Guarantees: If the identity of the user or computer cannot be proven to the AA by using the underlying authentication protocol, authentication fails. The client application or the user receives an error message that indicates the reason for the failure.

Success Guarantee: The client computer has a TGT for the user or computer account, which is used to authenticate to servers. The user or computer identity is successfully proven to the client computer, and the client computer has group information and other information about the user.

Main Success Scenario:

  1. To prove the identity of the user or computer by using PKI services, the Authentication Client submits to the AA user or computer credential information that consists of the user name or computer account name, the domain name, the user's or computer's X.509 certificate, and a timestamp that is signed by using the certificate.

  2. The AA validates the certificate chain, verifies the signature on the timestamp by using PKI services, and then looks up the account in the account DB. When verification succeeds, the AA returns to the Authentication Client a TGT and a session key encrypted with the public key of the user's certificate.
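The two steps above, worked through as runnable code. This is an added example written for this page in Go's standard library; it is not code from the Microsoft specification or from any Windows component, and it simplifies the wire format: the client signs a SHA-256 digest of account name, domain and timestamp with the certificate's private key (a stand-in for the protocol's actual signed structure), the TGT is a placeholder string rather than a Kerberos ticket, the account DB is a map whose binding rule (account maps to the subject CN the certificate must carry) is a constructed assumption, and the CA names, `alice`/`bob`, the domain `CORP.EXAMPLE` and the five-minute skew window are all constructed values. What it does show is the order of the AA's checks and why each exists: chain validation for client authentication before anything else, a freshness check on the timestamp that was actually signed (replay), signature verification with the certificate's own public key, and a binding check so that a valid certificate from the trusted CA still cannot be used to log on as a different account. The session key is then encrypted to the certificate's public key, so only the holder of the matching private key can recover it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Credential is what the Authentication Client submits in step 1.
type Credential struct {
	Account, Domain string
	Cert            *x509.Certificate
	Timestamp       time.Time
	Signature       []byte // over digest(): account, domain and timestamp
}

// AA holds the trusted roots, a toy account DB (account@domain -> subject CN the
// certificate must carry; a constructed binding rule) and the tolerated clock skew.
type AA struct {
	Roots    *x509.CertPool
	Accounts map[string]string
	MaxSkew  time.Duration
}

func digest(c Credential) []byte {
	h := sha256.Sum256([]byte(c.Account + "|" + c.Domain + "|" + c.Timestamp.UTC().Format(time.RFC3339)))
	return h[:]
}

// SignCredential is the client side of step 1: sign the timestamp (with account
// and domain bound in) using the certificate's private key.
func SignCredential(c Credential, key *rsa.PrivateKey) (Credential, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(c))
	c.Signature = sig
	return c, err
}

// Authenticate is the AA side of step 2: chain, freshness, signature and account
// checks, then a placeholder TGT and a session key encrypted to the certificate's key.
func (aa *AA) Authenticate(c Credential, now time.Time) (tgt string, encKey []byte, err error) {
	opts := x509.VerifyOptions{Roots: aa.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = c.Cert.Verify(opts); err != nil {
		return "", nil, fmt.Errorf("chain validation: %w", err)
	}
	if d := now.Sub(c.Timestamp); d > aa.MaxSkew || d < -aa.MaxSkew {
		return "", nil, errors.New("timestamp outside allowed skew (possible replay)")
	}
	pub, ok := c.Cert.PublicKey.(*rsa.PublicKey)
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(c), c.Signature) != nil {
		return "", nil, errors.New("signature does not verify with the certificate's key")
	}
	if cn, found := aa.Accounts[c.Account+"@"+c.Domain]; !found || cn != c.Cert.Subject.CommonName {
		return "", nil, errors.New("account unknown or not bound to this certificate")
	}
	sk := make([]byte, 32) // fresh session key; only the certificate's private key can recover it
	if _, err = rand.Read(sk); err != nil {
		return "", nil, err
	}
	encKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sk, nil)
	return "TGT:" + c.Account + "@" + c.Domain, encKey, err
}

// ClientRoundTrip signs the credential, submits it and recovers the session key.
func ClientRoundTrip(aa *AA, c Credential, key *rsa.PrivateKey, now time.Time) ([]byte, error) {
	signed, err := SignCredential(c, key)
	if err != nil {
		return nil, err
	}
	_, encKey, err := aa.Authenticate(signed, now)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, encKey, nil)
}

// issue creates a self-signed CA (parent == nil) or a client-auth leaf under parent.
// Fixture code: errors are ignored because the templates are fixed and well-formed.
func issue(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewPKI builds the constructed environment: a corporate root the AA trusts,
// alice's client certificate, and an account DB holding alice and bob.
func NewPKI() (*AA, *x509.Certificate, *rsa.PrivateKey) {
	caCert, caKey := issue("Corp Root CA", nil, nil)
	cert, key := issue("alice", caCert, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	aa := &AA{Roots: roots, MaxSkew: 5 * time.Minute,
		Accounts: map[string]string{"alice@CORP.EXAMPLE": "alice", "bob@CORP.EXAMPLE": "bob"}}
	return aa, cert, key
}

func main() {
	aa, cert, key := NewPKI()
	c := Credential{Account: "alice", Domain: "CORP.EXAMPLE", Cert: cert, Timestamp: time.Now()}
	sk, err := ClientRoundTrip(aa, c, key, c.Timestamp)
	fmt.Printf("session key: %x (err: %v)\n", sk, err)
}
```

Running it prints a fresh 32-byte session key; feeding the same `AA` a stale timestamp, a tampered signature, alice's certificate presented for bob's account, or a certificate issued by a CA that is not in `Roots` makes `Authenticate` return an error before any key is released. One caveat for anyone adapting this: `x509.Certificate.Verify` checks the chain, validity period and key usage but performs no revocation checking, which a production AA's chain validation also has to cover.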

Postconditions: The user or computer identity is proven to the AA, and the Authentication Client receives a TGT and a session key for further authentication processing.