I've seen several posts on the new 'authentication assurance' feature coming in Windows Server 2008 R2. The term we decided to go with is authentication mechanism assurance, because it is actually the authentication mechanism that is assured. Authentication mechanism assurance uses certificate policies that are mapped to security groups. When a user logs on with a certificate issued under such a policy, the mapped group memberships are added to the user's access token. The expected scenario for this feature is a user with a smart card or token device (e.g. a USB token) who logs on using a certificate issued from a policy that is mapped to an administrator-defined security group. Because that additional group membership is present in the user's access token, it can be used to tell that the user logged on with a specific type of certificate. Resources on the network (and elsewhere) can then be secured as normal, through group memberships in the access control list, while still effectively distinguishing whether the user logged on with a smart card, a USB token, or some other certificate-based logon method. Since the administrator can map different types of certificates (using different certificate policies) to different groups, it is also possible to distinguish the type of certificate that was used.
As an example, consider this scenario. There are three certificate policies:
- Confidential
- Secret
- Top Secret
Now assume that these policies are mapped to three different security groups:
- Confidential Users (mapped to Confidential certificate policy)
- Secret Users (mapped to Secret certificate policy)
- Top Secret Users (mapped to Top Secret certificate policy)
Now consider three different types of smart cards (they could all be the same physical type of smart card). Imagine they are categorized differently, for instance by color or by a sticker, indicating the following:
- Confidential smart card (receives a certificate issued from a certificate template that is associated with the Confidential certificate policy)
- Secret smart card (receives a certificate issued from a certificate template that is associated with the Secret certificate policy)
- Top Secret smart card (receives a certificate issued from a certificate template that is associated with the Top Secret certificate policy)
Now resource administrators could secure resources in this way:
- Resources considered Confidential could grant access to the following groups: Confidential Users, Secret Users, and Top Secret Users.
- Resources considered Secret could grant access to only the following groups: Secret Users and Top Secret Users.
- Resources considered Top Secret could grant access to only the Top Secret Users group.
Such a configuration would allow users who log on with Confidential smart cards to access the resources secured for Confidential Users. Users who log on with Secret smart cards can access the resources shared to the Secret Users group (and, through that group, the Confidential resources as well). Users who log on with Top Secret smart cards can access the resources shared to the Top Secret Users group (and, through that group, the Secret and Confidential resources). Users who log on with a username and password will not be able to access any of the resources described above, because none of the mapped groups are added to their access token.
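The scenario above assumes the mapping from certificate policy to security group already exists. The following PowerShell is an added example, not code from the original post, showing how that mapping is stored in Active Directory: the issuance policy's OID object in the Configuration partition carries an msDS-OIDToGroupLink attribute pointing at a universal security group. The OID value and the group name used at the bottom are placeholders; the example assumes the ActiveDirectory module is installed and that the caller may write to the Configuration partition. It also runs the checks a resource administrator would want before trusting the mapping: the domain functional level, the group's scope and category, and whether anyone holds the group statically (a static member carries the group in their token regardless of how they logged on, which defeats the distinction the post describes).

```powershell
# Added example (not from the original post): link an issuance-policy OID to a
# universal security group for authentication mechanism assurance, and verify it.
Import-Module ActiveDirectory

function Test-AmaPrerequisites {
    # Authentication mechanism assurance requires the Windows Server 2008 R2
    # domain functional level; compare the enum ordinals, not the names.
    $domain = Get-ADDomain
    [int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
}

function Get-IssuancePolicyObject {
    param([Parameter(Mandatory)][string]$PolicyOid)
    # Enterprise OID objects (including issuance policies) live under the OID
    # container of the Configuration partition.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNc"
    Get-ADObject -SearchBase $oidContainer `
        -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=$PolicyOid))" `
        -Properties displayName, flags, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
}

function Set-IssuancePolicyGroupLink {
    param(
        [Parameter(Mandatory)][string]$PolicyOid,
        [Parameter(Mandatory)][string]$GroupName
    )
    $group = Get-ADGroup -Identity $GroupName -Properties GroupScope, GroupCategory, Members
    if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
        throw "Group '$GroupName' must be a universal security group to be used with authentication mechanism assurance."
    }
    if ($group.Members.Count -gt 0) {
        # Static members get the group without a certificate logon, so the
        # group no longer proves which mechanism was used.
        Write-Warning "Group '$GroupName' has $($group.Members.Count) direct member(s); they hold the group regardless of logon method."
    }
    $oid = Get-IssuancePolicyObject -PolicyOid $PolicyOid
    if (-not $oid) { throw "No enterprise OID object found for $PolicyOid." }
    if ($oid.flags -ne 2) {
        # flags = 2 marks an issuance policy OID (assumption based on the
        # msPKI-Enterprise-Oid schema); application-policy OIDs cannot be linked.
        Write-Warning "OID $PolicyOid does not look like an issuance policy (flags = $($oid.flags))."
    }
    Set-ADObject -Identity $oid.DistinguishedName -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }
}

function Get-IssuancePolicyGroupLinks {
    # Report every issuance policy that currently adds a group to the token,
    # so the mappings can be reviewed alongside the resource ACLs.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNc"
    Get-ADObject -SearchBase $oidContainer `
        -LDAPFilter '(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*))' `
        -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink' |
        ForEach-Object {
            [pscustomobject]@{
                Policy = $_.displayName
                Oid    = $_.'msPKI-Cert-Template-OID'
                Group  = (Get-ADGroup -Identity $_.'msDS-OIDToGroupLink').Name
            }
        }
}

# Usage (placeholder OID and group; substitute your own issuance policy and group):
# if (-not (Test-AmaPrerequisites)) { throw 'Domain functional level is below Windows Server 2008 R2.' }
# Set-IssuancePolicyGroupLink -PolicyOid '1.3.6.1.4.1.311.21.8.PLACEHOLDER' -GroupName 'Top Secret Users'
# Get-IssuancePolicyGroupLinks
```

After the link is in place and the certificate template has been updated to carry the issuance policy, a user who logs on with a card from that template can run `whoami /groups` and will see the linked group in the token; the same user logging on with a password will not, which is exactly the behaviour the scenario above relies on.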
Therefore, authentication mechanism assurance allows administrators to secure resources (including applications) such that only users who logged on with a certificate-based mechanism are granted access. Further, whether the user can reach a specific resource also depends on the type of certificate (indicated by the certificate template and its policy) that the user presented during logon.
This posting is provided 'AS IS' with no warranties, and confers no rights.