Authentication mechanism assurance in Windows Server 2008 R2

I've seen several posts on the new "authentication assurance" feature coming in Windows Server 2008 R2. The term we decided to go with is authentication mechanism assurance because it is actually the authentication mechanism that is assured. Authentication mechanism assurance uses certificate policies that are mapped to security groups. The certificates that are issued from the policy grant users who use them to logon additional group memberships in their access token. The expected scenario for using this feature is that a user with a smart card or token device (e.g. USB token) logs on using a certificate (issued from a policy mapped to an administrator defined security group). With this addition group membership added to the access token of the user account a distinction can be made (through that group membership) that indicates the user logged on using a specific type of certificate. This allows resources on the network (and elsewhere) to be secured as normal (using group memberships in the access control list), but has the ability to effectively distinguish that the user logged on with a smart card, USB token, or some other type of certificate logon method. Since the administrator can map different types of certificates (using different certificate policies) to different group memberships, it is also possible to distinguish the type of certificate.

As an example, consider this scenario: Three certificate policies

1. Confidential 
2. Secret
3. Top Secret 

Now assume that these policies are mapped to three different security groups:

1. Confidential Users (mapped to Confidential certificate policy) 
2. Secret Users (mapped to Secret certificate policy) 
3. Top Secret Users (mapped to Top Secret certificate policy)

Now consider there are three different types of smart cards (they could all be the same type of smart card). Imagine they are categorized differently as in they have different colors or stickers indicating the following):

1. Confidential (receives a certificate issued from a certificate template that is associated with the Confidential certificate policy)
2. Secret smart card (receives a certificate issued from a certificate template that is associated with the Secret certificate policy)
3. Top Secret smart card (receives a certificate issued from a certificate template that is associated with the Top Secret certificate policy)

Now resource administrators could secure resources in this way:

1. Resources considered Confidential could grant access to the following groups: Confidential Users, Secret Users, and Top Secret Users.
2. Resources considered Secret could grant access to only the following groups: Secret Users and Top Secret Users.
3. Resources considered Top Secret could grant access to only the Top Secret Users group.

Such a configuration would allow users who logon with Confidential smart cards to access the resources secured for Confidential Users. The users who logon with Secret smart cards can access the resources shared to the Secret Users group. The users who logon with Top Secret smart cards can access the resources shared to the Top Secret Users group. The users who logon using a username and password will not be able to access any of the resources described above.

Therefore, the authentication mechanism assurance allows administrators to secure resources (including applications) such that only users who logged on with a certificate based mechanism are granted access. Further, whether the user is able to gain access to specific resources also depends on the type of certificate (indicated by the certificate template and policy) that the user presents during logon.

This posting is provided "AS IS" with no warranties, and confers no rights.