TLS user mapping hint extension Stefan Santesson Microsoft
Purpose
Logging on to a Microsoft domain currently requires a Microsoft UPN (User Principal Name) to be present in the client certificate. This TLS extension removes that requirement for TLS client authentication by letting the client supply the UPN in the handshake instead of in the certificate.
Flow
- Client and server agree that both support this extension (the client offers it in the Client Hello, the server echoes it in the Server Hello).
- Client sends its UPN (with a domain hint) in a new handshake message.
- Server locates the user in AD and extracts the user's certificate.
- Authentication succeeds only if the certificate the client presented matches the certificate extracted from AD; the hint merely selects which account to look up, it proves nothing on its own.
New extension type
A new extension type, user_mapping(nn), is added to the ExtensionType enum and is used in both the Client Hello and the Server Hello. The extension carries no data; its presence alone signals support.

   enum {
       server_name(0), max_fragment_length(1),
       client_certificate_url(2), trusted_ca_keys(3),
       truncated_hmac(4), status_request(5),
       user_mapping(nn), (65535)
   } ExtensionType;
Extension to the Handshake Protocol
A new handshake message type, user_mapping_data(nn), is created to carry the client's UPN and domain hint.

   enum {
       hello_request(0), client_hello(1), server_hello(2),
       certificate(11), server_key_exchange(12),
       certificate_request(13), server_hello_done(14),
       certificate_verify(15), client_key_exchange(16),
       finished(20), certificate_url(21), certificate_status(22),
       user_mapping_data(nn), (255)
   } HandshakeType;
Handshake message syntax

   enum { UpnDomainHint(0), (255) } UserMappingType;

   struct {
       opaque user_principal_name;
       opaque domain_name;
   } UpnDomainHint;

   struct {
       UserMappingType user_mapping_version;
       select (UserMappingType) {
           case UpnDomainHint: UpnDomainHint;
       }
   } UserMappingData;

Note: the slide gives the two opaque fields without length bounds. In the TLS presentation language a variable-length opaque field needs an explicit range (e.g. <0..2^16-1>) before the structure can be encoded and parsed unambiguously.
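As an added example (not from these slides or from the draft), the following Python sketch ties the previous slides together: a data-less user_mapping extension inside a TLS extension list, encoding and parsing of the UserMappingData handshake message, and the server-side "look the user up in the directory and compare certificates" step from the Flow slide. Everything not on the slides is an assumption and marked as such: the two "nn" codepoints are placeholders, the opaque fields are given 16-bit length prefixes, and a constructed dictionary stands in for AD.

```python
"""Added example, not code from the slides or the draft.

Assumptions (not given on the slides): placeholder codepoints for the two
"nn" values, 16-bit length prefixes on the opaque fields, and a constructed
in-memory table in place of Active Directory.
"""
import struct

USER_MAPPING_EXT_TYPE = 0xFFFE      # placeholder for user_mapping(nn)
USER_MAPPING_DATA_HS_TYPE = 0xFE    # placeholder for user_mapping_data(nn)
UPN_DOMAIN_HINT = 0                 # UserMappingType.UpnDomainHint(0), from the slide


def encode_extension_list(ext_types):
    """TLS extension list: 2-byte total length, then (type, length, data) entries.
    Every extension here is encoded data-less, which is all user_mapping needs."""
    body = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    return struct.pack("!H", len(body)) + body


def extension_offered(ext_list):
    """Walk an extension list and report whether user_mapping is present.
    The extension is defined as data-less, so a non-empty body is an error."""
    (total,) = struct.unpack("!H", ext_list[:2])
    pos, end = 2, 2 + total
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", ext_list[pos:pos + 4])
        pos += 4 + ext_len
        if ext_type == USER_MAPPING_EXT_TYPE:
            if ext_len != 0:
                raise ValueError("user_mapping extension must carry no data")
            return True
    return False


def _opaque16(data):
    """opaque field with an assumed 16-bit length prefix (<0..2^16-1>)."""
    if len(data) > 0xFFFF:
        raise ValueError("opaque field too long")
    return struct.pack("!H", len(data)) + data


def encode_user_mapping_data(upn, domain):
    """Handshake message: 1-byte type, 3-byte length, then UserMappingData
    { user_mapping_version = UpnDomainHint, UpnDomainHint { upn, domain } }."""
    body = bytes([UPN_DOMAIN_HINT]) + _opaque16(upn.encode()) + _opaque16(domain.encode())
    return bytes([USER_MAPPING_DATA_HS_TYPE]) + len(body).to_bytes(3, "big") + body


def parse_user_mapping_data(msg):
    """Inverse of encode_user_mapping_data; strict about type, length and trailing bytes."""
    hs_type = msg[0]
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if hs_type != USER_MAPPING_DATA_HS_TYPE or len(body) != length:
        raise ValueError("not a complete user_mapping_data handshake message")
    if body[0] != UPN_DOMAIN_HINT:
        raise ValueError("unsupported UserMappingType %d" % body[0])
    pos, fields = 1, []
    for _ in range(2):                       # user_principal_name, domain_name
        (n,) = struct.unpack("!H", body[pos:pos + 2])
        fields.append(body[pos + 2:pos + 2 + n])
        pos += 2 + n
    if pos != len(body):
        raise ValueError("trailing bytes in UpnDomainHint")
    return fields[0].decode(), fields[1].decode()


# Constructed stand-in for AD: domain -> UPN -> certificate published for the account.
FAKE_AD = {
    "EXAMPLE": {
        "alice@example.com": b"-----CONSTRUCTED CERT alice-----",
    },
}


def server_authenticate(msg, client_cert):
    """Server side of the Flow slide: the hint selects the directory record, the
    certificate from that record must equal the one the client presented in its
    Certificate message. The hint by itself authenticates nothing."""
    upn, domain = parse_user_mapping_data(msg)
    published = FAKE_AD.get(domain, {}).get(upn)
    return published is not None and published == client_cert


if __name__ == "__main__":
    hello_exts = encode_extension_list([0, USER_MAPPING_EXT_TYPE])   # server_name + user_mapping
    hint = encode_user_mapping_data("alice@example.com", "EXAMPLE")
    print("offered:", extension_offered(hello_exts))
    print("hint:", parse_user_mapping_data(hint))
    print("auth:", server_authenticate(hint, FAKE_AD["EXAMPLE"]["alice@example.com"]))
```

The client would send the user_mapping_data message only after seeing the extension echoed in the Server Hello; the server's check deliberately returns False both for an unknown UPN and for a known UPN whose directory certificate differs from the one presented, so a forged hint cannot select somebody else's account.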
Actions
- Submit new draft to be published as Informational RFC
- Provide IPR disclosure
- Assign identifiers for extension type and handshake message