Map a certificate to a user account

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To map a certificate to a user account

  1. Open Active Directory Users and Computers.

  2. On the View menu, select Advanced Features.

  3. In the console tree, click Users.

    Where?

    • Active Directory Users and Computers\domain node\Users

    Or, click the folder that contains the user account.

  4. In the details pane, click the user account to which you want to map a certificate.

  5. On the Action menu, click Name Mappings.

  6. In the Security Identity Mapping dialog box, on the X.509 Certificates tab, click Add.

  7. Type the name and path of the .cer file that contains the certificate you want to map to this user account, and then click Open.

  8. Do one of the following:

    • To map the certificate to one account (one-to-one mapping):

      Confirm that both the Use Issuer for alternate security identity and the Use Subject for alternate security identity check boxes are selected.

    • To map any certificate that has the same subject to the user account, regardless of the issuer of the certificate (many-to-one mapping):

      Clear the Use Issuer for alternate security identity check box, and confirm that the Use Subject for alternate security identity check box is selected.

    • To map any certificate that has the same issuer to the user account, regardless of the subject of the certificate (many-to-one mapping):

      Clear the Use Subject for alternate security identity check box, and confirm that the Use Issuer for alternate security identity check box is selected.
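The three choices in step 8 differ only in which certificate fields the directory records for the account; the Name Mappings dialog stores the result in the account's altSecurityIdentities attribute. The following PowerShell is an added example, not part of this Help topic, that writes the same three forms directly; the .cer path, the account name and the availability of the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the original Help page): build the mapping value for each
# of the three step-8 options and add it to the user's altSecurityIdentities attribute.
# Assumed: certificate file C:\certs\alice.cer, account sAMAccountName "alice",
# and an ActiveDirectory PowerShell module that can reach the domain.
param(
    [string]$CerPath        = 'C:\certs\alice.cer',   # assumed path
    [string]$SamAccountName = 'alice',                # assumed account
    [ValidateSet('OneToOne', 'SubjectOnly', 'IssuerOnly')]
    [string]$Mode           = 'OneToOne'
)

# Load the DER or Base64 .cer file exactly as the dialog would in step 7.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# altSecurityIdentities expects issuer and subject DNs in reverse order
# (DC components first, CN last), comma-separated with no spaces. .NET reports
# them CN-first, so split on commas that begin a new RDN and reverse the parts.
function ConvertTo-ReversedDn([string]$Dn) {
    $rdns = $Dn -split ',\s*(?=[A-Za-z]+=)'
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

$issuer  = ConvertTo-ReversedDn $cert.Issuer
$subject = ConvertTo-ReversedDn $cert.Subject

switch ($Mode) {
    'OneToOne'    { $mapping = "X509:<I>$issuer<S>$subject" }   # both check boxes selected
    'SubjectOnly' { $mapping = "X509:<S>$subject" }             # Use Issuer cleared
    'IssuerOnly'  { $mapping = "X509:<I>$issuer" }              # Use Subject cleared
}

# -Add appends, so any mappings already present on the account are kept.
Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }

# Read the attribute back so the written mapping can be reviewed.
(Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
```

Of the three forms, the one-to-one mapping is the one to prefer where it fits: a subject-only or issuer-only value accepts every certificate that shares that single field, which is exactly the behaviour the many-to-one options in step 8 describe.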

Notes

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • The certificate you are mapping to a user account must be in Distinguished Encoding Rules (DER) or Base64-encoded binary format. For instructions on exporting an existing certificate to a .cer file, see Related Topics.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Working with MMC console files
Mapping certificates to user accounts
Export a certificate
Importing and exporting certificates
Map an account from a trusted non-Windows Kerberos realm to a user account