TLS user mapping hint extension
Stefan Santesson
Microsoft
Purpose
• Logging on to a Microsoft domain currently requires a Microsoft UPN (User Principal Name) “user@domain” to be present in the client certificate.
• This TLS extension removes this requirement in the context of TLS.
Flow
• Client and server agree that they both support this extension.
• Client sends its UPN in a new handshake message.
• Server locates the user in AD and extracts the user's certificate.
• Authentication maps the client certificate to the user certificate extracted from AD.
New extension type
• A new extension type (user_mapping(nn)) is added to the ExtensionType enum used in both the Client Hello and Server Hello. The extension type is specified as follows and carries no extension data.
enum { server_name(0), max_fragment_length(1), client_certificate_url(2), trusted_ca_keys(3), truncated_hmac(4), status_request(5), user_mapping(nn), (65535) } ExtensionType;
Extension to the Handshake Protocol
• A new handshake message (user_mapping_data(nn)) is created to encapsulate the client's domain hint.
enum { hello_request(0), client_hello(1), server_hello(2), certificate(11), server_key_exchange(12), certificate_request(13), server_hello_done(14), certificate_verify(15), client_key_exchange(16), finished(20), certificate_url(21), certificate_status(22), user_mapping_data(nn), (255) } HandshakeType;
Handshake message syntax
enum { UpnDomainHint(0), (255) } UserMappingType;
struct {
  opaque user_principle_name<0..2^16-1>;
  opaque domain_name<0..2^16-1>;
} UpnDomainHint;
struct {
  UserMappingType user_mapping_version;
  select (UserMappingType) {
    case UpnDomainHint: UpnDomainHint;
  }
} UserMappingData;
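As an added example (not part of the slides or of any Microsoft implementation), the encoder and a strict server-side parser for the user_mapping_data message defined above, framed with the standard TLS handshake header (1-byte type, 3-byte length). The handshake type number is left unassigned ("nn") on the slides, so USER_MAPPING_DATA_TYPE is a hypothetical placeholder; the sample UPN and domain are constructed.

```python
import struct

# The slides leave the type numbers unassigned ("nn"); this is a hypothetical placeholder.
USER_MAPPING_DATA_TYPE = 0xEE
UPN_DOMAIN_HINT = 0  # UserMappingType UpnDomainHint(0)

def _opaque16(data: bytes) -> bytes:
    """Encode opaque<0..2^16-1>: 2-byte big-endian length prefix + bytes."""
    if len(data) > 0xFFFF:
        raise ValueError("vector exceeds 2^16-1 bytes")
    return struct.pack("!H", len(data)) + data

def _read_opaque16(buf: bytes, off: int) -> tuple:
    """Read one length-prefixed vector at off; fail closed on truncation."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    n = struct.unpack_from("!H", buf, off)[0]
    if off + 2 + n > len(buf):
        raise ValueError("truncated vector")
    return buf[off + 2:off + 2 + n], off + 2 + n

def encode_user_mapping_data(upn: str, domain: str) -> bytes:
    """Client side: handshake header (type, 3-byte length) + UserMappingData body."""
    body = bytes([UPN_DOMAIN_HINT]) + _opaque16(upn.encode("utf-8")) + _opaque16(domain.encode("utf-8"))
    return bytes([USER_MAPPING_DATA_TYPE]) + len(body).to_bytes(3, "big") + body

def decode_user_mapping_data(msg: bytes) -> dict:
    """Server side: parse strictly; wrong type, bad length or trailing bytes are rejected."""
    if len(msg) < 4:
        raise ValueError("short handshake header")
    if msg[0] != USER_MAPPING_DATA_TYPE:
        raise ValueError("unexpected handshake type")
    if int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("handshake length mismatch")
    body = msg[4:]
    if not body or body[0] != UPN_DOMAIN_HINT:
        raise ValueError("unsupported UserMappingType")
    upn, off = _read_opaque16(body, 1)
    domain, off = _read_opaque16(body, off)
    if off != len(body):
        raise ValueError("trailing bytes in UpnDomainHint")
    return {"upn": upn.decode("utf-8"), "domain": domain.decode("utf-8")}

def is_malformed(msg: bytes) -> bool:
    # True if the parser rejects the message; a server should log and abort, not guess.
    try:
        decode_user_mapping_data(msg)
        return False
    except (ValueError, UnicodeDecodeError):
        return True
```

The hint is only a lookup key for the AD search; the client certificate is still what gets authenticated, so a malformed or unexpected hint must abort the handshake rather than fall back to a guessed user.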
Actions
• Submit new draft to be published as Informational RFC
• Provide IPR disclosure
• Assign identifiers for extension type and handshake message