X.509 with LDAP Failover - Host Access Management and Security Server Administrative Console

X.509 with LDAP Failover

Use this configuration to enable users to authenticate with X.509 client certificates, and then automatically connect to a host session. You can specify the settings to use for LDAP failover if certificate-based authentication fails.

NOTE: X.509 is supported through the HTTPS port. Users should disable HTTP ports when running X.509.

Authentication settings

  • Validate LDAP User Account

    Account validation is always enabled and causes authentication to fail when an LDAP search fails to resolve a Distinguished Name for the name value obtained from the user’s certificate. If you are using Microsoft Active Directory as your LDAP server type, additional validation is performed. User authentication will fail when the user’s Active Directory account is either disabled or expired.

  • Distinguished Name Resolution Order

    The values in this property can be re-ordered, added, or removed. For example, to locate the User Principal Name of the certificate before checking other values, enter upn, email, cn_val, cn.

  • UPN Attribute Name

    This property is used only when upn is present in the Distinguished Name Resolution Order field; otherwise this property is ignored. The User Principal Name (UPN) is an Internet-style login name and generally takes the form auser@domain.com.

    The UPN value is retrieved from the Subject Alternative Name field in the user’s certificate. The Administrative Server then performs a search for an LDAP user object, based on the UPN attribute name and value, to validate that the user object exists in the LDAP database. The LDAP search filter takes the form of (upn-attribute-name=upn-value-from-certificate). For example: userPrincipalName=auser@domain.com.

    Enter the name of the LDAP attribute used in the LDAP directory where the UPN-style name is stored. If the LDAP Server type is Microsoft Active Directory, use the default UPN attribute name: userPrincipalName. Other LDAP implementations may use a different attribute name, such as email or a custom name.
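The resolution-order walk and the LDAP search filter described above, as an added example that is not the product's own code. It assumes the certificate fields have already been parsed into a dictionary (constructed sample below), assumes mail and cn as the attribute names for the email and cn tokens, and skips cn_val because the page does not define it; the value taken from the certificate is escaped per RFC 4515 before it is placed inside the filter.

```python
# Added example (not the product's own code). Walks a Distinguished Name
# Resolution Order string such as "upn, email, cn" over values taken from a
# client certificate, builds the LDAP search filter the page describes,
# e.g. (userPrincipalName=auser@domain.com), and escapes the certificate
# value per RFC 4515 before it is embedded in the filter.
from typing import Optional

# Assumed mapping from resolution-order token to the certificate field it is
# read from and the LDAP attribute it is searched under. "upn" uses the
# configurable UPN Attribute Name (default userPrincipalName, as on the page);
# "mail" and "cn" are assumed attribute names. "cn_val" is not modelled here
# because the page does not define it; unknown tokens are skipped.
TOKEN_SOURCES = {
    "upn": ("san_upn", None),        # None: use the configured UPN attribute
    "email": ("san_email", "mail"),
    "cn": ("subject_cn", "cn"),
}

# Constructed stand-in for the fields a parser would extract from the user's
# certificate: UPN and e-mail from the Subject Alternative Name, CN from the
# Subject DN.
SAMPLE_CERT = {
    "san_upn": "auser@domain.com",
    "san_email": "auser@domain.com",
    "subject_cn": "A User",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def resolve_search_filter(cert, resolution_order, upn_attribute="userPrincipalName") -> Optional[str]:
    """Return the first (attribute=value) filter the resolution order yields,
    or None when the certificate carries none of the listed values, which is
    the case in which account validation fails."""
    for token in (t.strip().lower() for t in resolution_order.split(",")):
        if token not in TOKEN_SOURCES:
            continue
        field, attribute = TOKEN_SOURCES[token]
        value = cert.get(field)
        if not value:
            continue
        return "(%s=%s)" % (attribute or upn_attribute, ldap_filter_escape(value))
    return None


if __name__ == "__main__":
    print(resolve_search_filter(SAMPLE_CERT, "upn, email, cn_val, cn"))
```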

Certificate Revocation Checking

Changes to the certificate revocation checking settings below will not take effect until the server is restarted.

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

If you choose to use OCSP, verify that the option is enabled and complete the configuration.

  • OCSP Responders

    Enter the URL for the OCSP responder. To specify more than one URL, use a semicolon (;) between each URL. Only HTTP URLs are supported. For example: http://<OcspServer> where <OcspServer> is the server name or IP address of your OCSP responder.

    NOTE: If one or more OCSP responders are defined, the OCSP responder in the certificate's AIA extension is not checked even when the Use AIA Extension check box is selected.

  • Designated by CA

    By default, the OCSP signing certificate must be signed by the same private key that signed the SSL/TLS client certificate.

  • Use AIA Extension

    The Authority Information Access (AIA) extension indicates how to access Certificate Authority information and services for the issuer of the certificate in which the extension appears. By default, the OCSP server URL, specified in the AIA extension of the user certificate, is used to check the certificate revocation status using OCSP.

  • Use AIA Extension Check Status

    By default, the AIA extension is used to verify the certificate status of the OCSP responder.

  • Use CRLDP Extension Check Status

    A Certificate Revocation List (CRL) distribution point is a location where you can download the latest CRL. The CRL distribution points extension identifies how CRL information is obtained. By default, the CRL Distribution Points (CRLDP) extension is used to verify the certificate status of the OCSP responder.

  • Support Domain Trust Model (DTM) OCSP Responders

    Select this parameter to allow the Administrative Server to communicate properly with Domain Trust Model (DTM) OCSP Responders.

  • Subject DN of OCSP signing certificate (optional)

    This property must be set to identify the DN of the OCSP signing certificate when it is either not issued by or not the same as the CA certificate that issued the certificate being validated.